Add policy helper to allow restartable sequences
PiperOrigin-RevId: 360266444 Change-Id: I0a3d2d071972bf7d6e7114a428c6954ed4bcef5c
This commit is contained in:
parent
9979faf752
commit
b30d56e871
|
@ -425,6 +425,31 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
|
|||
});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
|
||||
AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
|
||||
return {
|
||||
ARG_32(2), // prot
|
||||
JEQ32(PROT_READ | PROT_WRITE, ALLOW),
|
||||
|
||||
ARG_32(3), // flags
|
||||
JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW),
|
||||
};
|
||||
});
|
||||
|
||||
AddFile("/proc/self/cpuset");
|
||||
#ifdef __NR_rseq
|
||||
AllowSyscall(__NR_rseq);
|
||||
#endif
|
||||
AllowFutexOp(FUTEX_WAIT);
|
||||
AllowFutexOp(FUTEX_WAKE);
|
||||
AddPolicyOnSyscall(__NR_rt_sigprocmask, {
|
||||
ARG_32(0),
|
||||
JEQ32(SIG_SETMASK, ALLOW),
|
||||
});
|
||||
return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
|
||||
__NR_sched_setaffinity});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
|
||||
return AllowSyscalls({
|
||||
__NR_getpid,
|
||||
|
@ -785,11 +810,14 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
|||
auto fixed_outside = std::move(fixed_outside_or).value();
|
||||
|
||||
if (absl::StartsWith(fixed_outside, "/proc/self")) {
|
||||
SetError(absl::InvalidArgumentError(
|
||||
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
|
||||
"whole /proc instead. You tried to mount ",
|
||||
outside)));
|
||||
return *this;
|
||||
// exception: /proc/self/cpuset
|
||||
if (outside != "/proc/self/cpuset") {
|
||||
SetError(absl::InvalidArgumentError(
|
||||
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
|
||||
"whole /proc instead. You tried to mount ",
|
||||
outside)));
|
||||
return *this;
|
||||
}
|
||||
}
|
||||
|
||||
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
|
||||
|
|
|
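Review bot: The mmap filter in AllowRestartableSequences (the @ -425 hunk) allows on either condition rather than both: `JEQ32(PROT_READ | PROT_WRITE, ALLOW)` on arg 2 returns ALLOW before arg 3 is ever loaded, and the second `JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW)` is only reached for other prot values, so a read/write mapping with any flags, or a private anonymous mapping with any prot (including executable), passes this rule. Judging by the rt_sigprocmask policy further down, which relies on fall-through after JEQ32 meaning "not allowed", the intended conjunction needs a negated test that skips to a label, as below (the label name is a placeholder). The header describes this rule as `mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)`, which promises an addr check the filter does not make; either drop `null` from the comment or test `ARG_32(0)` as well. In the @ -785 hunk the exemption compares `outside` while the enclosing check uses the canonicalized `fixed_outside`; comparing `fixed_outside` in both places keeps the two consistent (AddFileAt continues outside the hunk).
```cpp
  AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
    return {
        ARG_32(2),  // prot
        JNE32(PROT_READ | PROT_WRITE, JUMP(&labels, rseq_mmap_end)),
        ARG_32(3),  // flags
        JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW),
        LABEL(&labels, rseq_mmap_end),  // fall-through: not allowed by this rule
    };
  });
  // … unchanged: AddFile, rseq, futex, rt_sigprocmask, AllowSyscalls …
```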
@ -112,6 +112,20 @@ class PolicyBuilder final {
|
|||
// - exit_group
|
||||
PolicyBuilder& AllowExit();
|
||||
|
||||
// Appends code to allow restartable sequences.
|
||||
// Allows these syscalls:
|
||||
// - rseq
|
||||
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
|
||||
// - getcpu,
|
||||
// - membarrier
|
||||
// - sched_getaffinity
|
||||
// - sched_setaffinity
|
||||
// - futex(WAIT) and futex(WAKE)
|
||||
// - sigmask(SET_MASK)
|
||||
// Allows these files (which will enable namespaces):
|
||||
// - "/proc/self/cpuset"
|
||||
PolicyBuilder& AllowRestartableSequences();
|
||||
|
||||
// Appends code to allow the scudo version of malloc, free and
|
||||
// friends. This should be used in conjunction with namespaces. If scudo
|
||||
// options are passed to the sandboxee through an environment variable, access
|
||||
|
|
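Review bot: The comment on AllowRestartableSequences lists `sigmask(SET_MASK)`, which is neither a syscall nor a constant name; the implementation allows `rt_sigprocmask` with `SIG_SETMASK`, so the line should read `// - rt_sigprocmask(SIG_SETMASK)`. The `mmap(null, ...)` entry promises an address constraint that the filter in the .cc hunk does not enforce (only prot and flags are tested), so either drop `null` or add the check in the implementation. Minor: stray comma after `getcpu,`, and "which will enable namespaces" is unclear — presumably the file is only reachable when the sandboxee runs with namespaces enabled; if that is the meaning, say so explicitly, e.g. `// Allows these files (requires namespaces to be enabled):`.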