Add policy helper to allow restartable sequences

PiperOrigin-RevId: 360266444 Change-Id: I0a3d2d071972bf7d6e7114a428c6954ed4bcef5c
2024-03-22 13:11:30 +08:00 · 2021-03-01 13:39:13 -08:00 · 2021-03-01 13:39:13 -08:00 · b30d56e871
commit b30d56e871
parent 9979faf752
2 changed files with 47 additions and 5 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -425,6 +425,31 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
  });
 }

+PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
+  AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
+    return {
+        ARG_32(2),  // prot
+        JEQ32(PROT_READ | PROT_WRITE, ALLOW),
+
+        ARG_32(3),  // flags
+        JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW),
+    };
+  });
+
+  AddFile("/proc/self/cpuset");
+#ifdef __NR_rseq
+  AllowSyscall(__NR_rseq);
+#endif
+  AllowFutexOp(FUTEX_WAIT);
+  AllowFutexOp(FUTEX_WAKE);
+  AddPolicyOnSyscall(__NR_rt_sigprocmask, {
+                                              ARG_32(0),
+                                              JEQ32(SIG_SETMASK, ALLOW),
+                                          });
+  return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
+                        __NR_sched_setaffinity});
+}
+
 PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
  return AllowSyscalls({
      __NR_getpid,
@ -785,11 +810,14 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
  auto fixed_outside = std::move(fixed_outside_or).value();

  if (absl::StartsWith(fixed_outside, "/proc/self")) {
-    SetError(absl::InvalidArgumentError(
-        absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
-                     "whole /proc instead. You tried to mount ",
-                     outside)));
-    return *this;
+    // exception: /proc/self/cpuset
+    if (outside != "/proc/self/cpuset") {
+      SetError(absl::InvalidArgumentError(
+          absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
+                       "whole /proc instead. You tried to mount ",
+                       outside)));
+      return *this;
+    }
  }

  if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -112,6 +112,20 @@ class PolicyBuilder final {
  // - exit_group
  PolicyBuilder& AllowExit();

+  // Appends code to allow restartable sequences.
+  // Allows these syscalls:
+  // - rseq
+  // - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
+  // - getcpu,
+  // - membarrier
+  // - sched_getaffinity
+  // - sched_setaffinity
+  // - futex(WAIT) and futex(WAKE)
+  // - sigmask(SET_MASK)
+  // Allows these files (which will enable namespaces):
+  // - "/proc/self/cpuset"
+  PolicyBuilder& AllowRestartableSequences();
+
  // Appends code to allow the scudo version of malloc, free and
  // friends. This should be used in conjunction with namespaces. If scudo
  // options are passed to the sandboxee through an environment variable, access