mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Allow mprotect(_, _, PROT_READ)
for all static binaries
Newer toolchains/libcs will use this syscall on x86-64 as well. PiperOrigin-RevId: 428705078 Change-Id: I705efe37db9ebdd922036b39e4fb3c22dc749a1a
This commit is contained in:
parent
38eea151a6
commit
e8cadf8f7d
|
@ -653,12 +653,10 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
|
||||||
BlockSyscallWithErrno(__NR_readlink, ENOENT);
|
BlockSyscallWithErrno(__NR_readlink, ENOENT);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if constexpr (sapi::host_cpu::IsArm()) {
|
|
||||||
AddPolicyOnSyscall(__NR_mprotect, {
|
AddPolicyOnSyscall(__NR_mprotect, {
|
||||||
ARG_32(2),
|
ARG_32(2),
|
||||||
JEQ32(PROT_READ, ALLOW),
|
JEQ32(PROT_READ, ALLOW),
|
||||||
});
|
});
|
||||||
}
|
|
||||||
|
|
||||||
return *this;
|
return *this;
|
||||||
}
|
}
|
||||||
|
@ -884,7 +882,7 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
||||||
absl::string_view inside, bool is_ro) {
|
absl::string_view inside, bool is_ro) {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
|
|
||||||
auto valid_outside = ValidateAbsolutePath(outside);
|
auto valid_outside = ValidateAbsolutePath(outside);
|
||||||
if (!valid_outside.ok()) {
|
if (!valid_outside.ok()) {
|
||||||
|
@ -912,7 +910,7 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AddLibrariesForBinary(
|
PolicyBuilder& PolicyBuilder::AddLibrariesForBinary(
|
||||||
absl::string_view path, absl::string_view ld_library_path) {
|
absl::string_view path, absl::string_view ld_library_path) {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
|
|
||||||
auto valid_path = ValidatePath(path);
|
auto valid_path = ValidatePath(path);
|
||||||
if (!valid_path.ok()) {
|
if (!valid_path.ok()) {
|
||||||
|
@ -941,7 +939,7 @@ PolicyBuilder& PolicyBuilder::AddDirectory(absl::string_view path, bool is_ro) {
|
||||||
PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
|
PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
|
||||||
absl::string_view inside,
|
absl::string_view inside,
|
||||||
bool is_ro) {
|
bool is_ro) {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
|
|
||||||
auto valid_outside = ValidateAbsolutePath(outside);
|
auto valid_outside = ValidateAbsolutePath(outside);
|
||||||
if (!valid_outside.ok()) {
|
if (!valid_outside.ok()) {
|
||||||
|
@ -969,7 +967,7 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
|
PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
|
|
||||||
if (auto status = mounts_.AddTmpfs(inside, size); !status.ok()) {
|
if (auto status = mounts_.AddTmpfs(inside, size); !status.ok()) {
|
||||||
SetError(absl::InternalError(absl::StrCat("Could not mount tmpfs ", inside,
|
SetError(absl::InternalError(absl::StrCat("Could not mount tmpfs ", inside,
|
||||||
|
@ -979,14 +977,14 @@ PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() {
|
PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
allow_unrestricted_networking_ = true;
|
allow_unrestricted_networking_ = true;
|
||||||
|
|
||||||
return *this;
|
return *this;
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) {
|
PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
hostname_ = std::string(hostname);
|
hostname_ = std::string(hostname);
|
||||||
|
|
||||||
return *this;
|
return *this;
|
||||||
|
@ -1089,7 +1087,7 @@ PolicyBuilder& PolicyBuilder::AddNetworkProxyHandlerPolicy() {
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::SetRootWritable() {
|
PolicyBuilder& PolicyBuilder::SetRootWritable() {
|
||||||
EnableNamespaces();
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
mounts_.SetRootWritable();
|
mounts_.SetRootWritable();
|
||||||
|
|
||||||
return *this;
|
return *this;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user