Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc

PiperOrigin-RevId: 540905937 Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db
2024-03-22 13:11:30 +08:00 · 2023-06-16 09:33:25 -07:00 · 2023-06-16 09:33:25 -07:00 · cf43c0f02c
commit cf43c0f02c
parent 93c1423b15
2 changed files with 20 additions and 0 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -241,6 +241,7 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
  AllowSyscalls(
      {__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
  AllowLimitedMadvise();
+  AllowPrctlSetVma();

  AddPolicyOnSyscall(__NR_mprotect, {
                                        ARG_32(2),
@ -866,6 +867,20 @@ PolicyBuilder& PolicyBuilder::AllowPrctlSetName() {
  return *this;
 }

+PolicyBuilder& PolicyBuilder::AllowPrctlSetVma() {
+  AddPolicyOnSyscall(__NR_prctl,
+                     [](bpf_labels& labels) -> std::vector<sock_filter> {
+                       return {
+                           ARG_32(0),
+                           JNE32(PR_SET_VMA, JUMP(&labels, prctlsetvma_end)),
+                           ARG_32(1),
+                           JEQ32(PR_SET_VMA_ANON_NAME, ALLOW),
+                           LABEL(&labels, prctlsetvma_end),
+                       };
+                     });
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowFutexOp(int op) {
  return AddPolicyOnSyscall(
      __NR_futex, {
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -512,6 +512,11 @@ class PolicyBuilder final {
  // - prctl(PR_SET_NAME, ...)
  PolicyBuilder& AllowPrctlSetName();

+  // Appends code to allow setting a name for an anonymous memory region.
+  // Allows the following
+  // - prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...)
+  PolicyBuilder& AllowPrctlSetVma();
+
  // Enables the syscalls necessary to start a statically linked binary
  //
  // NOTE: This will call BlockSyscallWithErrno(__NR_readlink, ENOENT). If you