diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index ce4734e..fc37685 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -425,6 +425,31 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
   });
 }
 
+PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
+  AddPolicyOnMmap([](bpf_labels& labels) -> std::vector {
+    return {
+        ARG_32(2),  // prot
+        JEQ32(PROT_READ | PROT_WRITE, ALLOW),
+
+        ARG_32(3),  // flags
+        JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW),
+    };
+  });
+
+  AddFile("/proc/self/cpuset");
+#ifdef __NR_rseq
+  AllowSyscall(__NR_rseq);
+#endif
+  AllowFutexOp(FUTEX_WAIT);
+  AllowFutexOp(FUTEX_WAKE);
+  AddPolicyOnSyscall(__NR_rt_sigprocmask, {
+                                              ARG_32(0),
+                                              JEQ32(SIG_SETMASK, ALLOW),
+                                          });
+  return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
+                        __NR_sched_setaffinity});
+}
+
 PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
   return AllowSyscalls({
       __NR_getpid,
@@ -785,11 +810,14 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
   auto fixed_outside = std::move(fixed_outside_or).value();
 
   if (absl::StartsWith(fixed_outside, "/proc/self")) {
-    SetError(absl::InvalidArgumentError(
-        absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
-                     "whole /proc instead. You tried to mount ",
-                     outside)));
-    return *this;
+    // exception: /proc/self/cpuset
+    if (outside != "/proc/self/cpuset") {
+      SetError(absl::InvalidArgumentError(
+          absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
+                       "whole /proc instead. You tried to mount ",
+                       outside)));
+      return *this;
+    }
   }
 
   if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 8c919d6..44bce4b 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
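Review bot: The mmap filter in AllowRestartableSequences is much broader than the header documents: `JEQ32(PROT_READ | PROT_WRITE, ALLOW)` on arg 2 returns ALLOW before arg 3 is ever loaded, so any read/write mapping passes regardless of its flags, and the following `JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW)` then independently allows any private anonymous mapping with any prot, PROT_EXEC included. The two tests are a disjunction where the documented `mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)` is a conjunction; chaining them with JNE32/JUMP/LABEL, as below, makes both conditions required and also gives the otherwise unused `labels` parameter its purpose. The `std::vector` return type appears without a template argument in this rendering; if that is not an extraction artifact it will not compile. The remaining rules (rseq, futex, rt_sigprocmask, the affinity syscalls) look as documented.
```cpp
    // … unchanged: AddPolicyOnMmap lambda header …
    return {
        ARG_32(2),  // prot
        JNE32(PROT_READ | PROT_WRITE, JUMP(&labels, mmap_end)),
        ARG_32(3),  // flags
        JNE32(MAP_PRIVATE | MAP_ANONYMOUS, JUMP(&labels, mmap_end)),
        ALLOW,
        LABEL(&labels, mmap_end),
    };
    // … unchanged: AddFile, rseq/futex/rt_sigprocmask rules, AllowSyscalls …
```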
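Review bot: The new carve-out compares the caller's raw `outside` while the guard it sits inside tests the normalized `fixed_outside`, so the rejection and the exemption look at different strings; comparing the same value, `if (fixed_outside != "/proc/self/cpuset") {`, keeps the exemption consistent with the check it relaxes. The comment `// exception: /proc/self/cpuset` should say why the file is exempt, e.g. `// /proc/self/cpuset is the one /proc/self path needed by AllowRestartableSequences().`. The original error presumably exists because /proc/self resolves in whichever process performs the mount rather than the sandboxee; if that concern still applies to cpuset, the comment should note why it is acceptable here. AddFileAt begins and ends outside this hunk.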
@@ -112,6 +112,20 @@ class PolicyBuilder final {
   // - exit_group
   PolicyBuilder& AllowExit();
 
+  // Appends code to allow restartable sequences.
+  // Allows these syscalls:
+  // - rseq
+  // - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
+  // - getcpu,
+  // - membarrier
+  // - sched_getaffinity
+  // - sched_setaffinity
+  // - futex(WAIT) and futex(WAKE)
+  // - sigmask(SET_MASK)
+  // Allows these files (which will enable namespaces):
+  // - "/proc/self/cpuset"
+  PolicyBuilder& AllowRestartableSequences();
+
   // Appends code to allow the scudo version of malloc, free and
   // friends. This should be used in conjunction with namespaces. If scudo
   // options are passed to the sandboxee through an environment variable, access
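Review bot: `// - sigmask(SET_MASK)` names neither the syscall nor the constant that the .cc side actually allows; `// - rt_sigprocmask(SIG_SETMASK)` would let a reader match the comment against the policy. The stray comma in `// - getcpu,` should be dropped for consistency with the other entries. Since this list is what users rely on to judge the attack surface the helper opens, it is worth keeping it exact, including that the mmap entry is a conjunction of prot and flags.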