Introduce AllowRestartableSequencesWithProcFiles() and tidy up.
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs there are. Unfortunately, some of those sandboxes also disable namespaces. The solution is to provide two functions: AllowRestartableSequencesWithProcFiles(), which allows syscalls and files; and AllowRestartableSequences(), which allows syscalls only. Sandboxes should usually call the former; sandboxes that disable namespaces should instead call the latter and are responsible for allowing the files via the deprecated Fs mechanism. 2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags. 3. Order the code and the comments identically for better readability. PiperOrigin-RevId: 386414028 Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
This commit is contained in:
parent
9c21744460
commit
bb6ae1d4ab
|
@ -433,31 +433,47 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
|
|||
});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
|
||||
PolicyBuilder& PolicyBuilder::AllowRestartableSequencesWithProcFiles(
|
||||
CpuFenceMode cpu_fence_mode) {
|
||||
AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
|
||||
return {
|
||||
ARG_32(2), // prot
|
||||
JEQ32(PROT_READ | PROT_WRITE, ALLOW),
|
||||
|
||||
ARG_32(3), // flags
|
||||
JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW),
|
||||
};
|
||||
});
|
||||
AllowRestartableSequences(cpu_fence_mode);
|
||||
AddFile("/proc/cpuinfo");
|
||||
AddFile("/proc/stat");
|
||||
if (cpu_fence_mode == kAllowSlowFences) {
|
||||
AddFile("/proc/self/cpuset");
|
||||
AllowSyscalls({__NR_sched_getaffinity, __NR_sched_setaffinity});
|
||||
}
|
||||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
|
||||
CpuFenceMode cpu_fence_mode) {
|
||||
#ifdef __NR_rseq
|
||||
AllowSyscall(__NR_rseq);
|
||||
#endif
|
||||
AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
|
||||
return {
|
||||
ARG_32(2), // prot
|
||||
JNE32(PROT_READ | PROT_WRITE, JUMP(&labels, mmap_end)),
|
||||
|
||||
ARG_32(3), // flags
|
||||
JNE32(MAP_PRIVATE | MAP_ANONYMOUS, JUMP(&labels, mmap_end)),
|
||||
|
||||
ALLOW,
|
||||
LABEL(&labels, mmap_end),
|
||||
};
|
||||
});
|
||||
AllowSyscall(__NR_getcpu);
|
||||
AllowSyscall(__NR_membarrier);
|
||||
AllowFutexOp(FUTEX_WAIT);
|
||||
AllowFutexOp(FUTEX_WAKE);
|
||||
AddPolicyOnSyscall(__NR_rt_sigprocmask, {
|
||||
ARG_32(0),
|
||||
JEQ32(SIG_SETMASK, ALLOW),
|
||||
});
|
||||
return AllowSyscalls({__NR_membarrier, __NR_getcpu});
|
||||
if (cpu_fence_mode == kAllowSlowFences) {
|
||||
AllowSyscall(__NR_sched_getaffinity);
|
||||
AllowSyscall(__NR_sched_setaffinity);
|
||||
}
|
||||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
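Review bot: In the `kAllowSlowFences` branch of the new `AllowRestartableSequences`, `sched_setaffinity` is allowed with no argument filter, so a sandboxee may try to re-pin any process whose affinity its uid is permitted to change; the description says this variant is meant for sandboxes that disable namespaces, where such processes are visible. If the slow-fence code path only ever targets the calling thread (I believe it passes pid 0, but that should be confirmed against the rseq users), the rule can be tightened to `AddPolicyOnSyscall(__NR_sched_setaffinity, {ARG_32(0), JEQ32(0, ALLOW)});` with `sched_getaffinity` left as is. Separately, `#ifdef __NR_rseq` silently omits the rseq rule on toolchains whose headers lack the number, while the header comment lists rseq unconditionally; a comment such as `// Older kernel headers lack __NR_rseq; rseq is then simply not allowed.` on the `#ifdef` would make the gap visible to whoever debugs a denied rseq. The exact-match `JNE32` chain for prot and flags is the right shape and does close the prot-OR-flags hole the commit describes.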
|
||||
|
|
|
@ -121,23 +121,38 @@ class PolicyBuilder final {
|
|||
// - exit_group
|
||||
PolicyBuilder& AllowExit();
|
||||
|
||||
// Appends code to allow restartable sequences.
|
||||
// Appends code to allow restartable sequences and necessary /proc files.
|
||||
// Allows these syscalls:
|
||||
// - rseq
|
||||
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
|
||||
// - getcpu,
|
||||
// - mmap(..., PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, ...)
|
||||
// - getcpu
|
||||
// - membarrier
|
||||
// - futex(WAIT) and futex(WAKE)
|
||||
// - sigmask(SET_MASK)
|
||||
// - futex(WAIT)
|
||||
// - futex(WAKE)
|
||||
// - rt_sigprocmask(SIG_SETMASK)
|
||||
// Allows these files:
|
||||
// - "/proc/cpuinfo"
|
||||
// - "/proc/stat"
|
||||
//
|
||||
// If `cpu_fence_mode` is `kAllowSlowFences`, allow for slow cpu fences which
|
||||
// will enable namespaces and these syscalls and files:
|
||||
// If `cpu_fence_mode` is `kAllowSlowFences`, also permits slow CPU fences.
|
||||
// Allows these syscalls:
|
||||
// - sched_getaffinity
|
||||
// - sched_setaffinity
|
||||
// Allows these files:
|
||||
// - "/proc/self/cpuset"
|
||||
//
|
||||
// If `allow_slow_fences` is false, RSEQ functions may not be enabled if
|
||||
// fast CPU fences are not available.
|
||||
// If `cpu_fence_mode` is `kRequireFastFences`, RSEQ functionality may not
|
||||
// be enabled if fast CPU fences are not available.
|
||||
//
|
||||
// This function enables namespaces! If your policy disables namespaces,
|
||||
// the conflict will cause an error when the policy is built. You should
|
||||
// call AllowRestartableSequences() instead; see below for instructions.
|
||||
PolicyBuilder& AllowRestartableSequencesWithProcFiles(
|
||||
CpuFenceMode cpu_fence_mode);
|
||||
|
||||
// Appends code to allow restartable sequences.
|
||||
// See above for the allowed syscalls and, more importantly, for the files
|
||||
// that you are responsible for allowing via the deprecated `Fs` mechanism.
|
||||
PolicyBuilder& AllowRestartableSequences(CpuFenceMode cpu_fence_mode);
|
||||
|
||||
// Appends code to allow the scudo version of malloc, free and
|
||||
|
|