Allow mprotect(_, _, PROT_READ) for all static binaries

Newer toolchains/libcs will use this syscall on x86-64 as well.

PiperOrigin-RevId: 428705078
Change-Id: I705efe37db9ebdd922036b39e4fb3c22dc749a1a
Christian Blichmann 2022-02-15 00:13:56 -08:00 committed by Copybara-Service
parent 38eea151a6
commit e8cadf8f7d


@ -653,12 +653,10 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
BlockSyscallWithErrno(__NR_readlink, ENOENT); BlockSyscallWithErrno(__NR_readlink, ENOENT);
#endif #endif
if constexpr (sapi::host_cpu::IsArm()) {
AddPolicyOnSyscall(__NR_mprotect, { AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2), ARG_32(2),
JEQ32(PROT_READ, ALLOW), JEQ32(PROT_READ, ALLOW),
}); });
}
return *this; return *this;
} }
@ -884,7 +882,7 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside, PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
absl::string_view inside, bool is_ro) { absl::string_view inside, bool is_ro) {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
auto valid_outside = ValidateAbsolutePath(outside); auto valid_outside = ValidateAbsolutePath(outside);
if (!valid_outside.ok()) { if (!valid_outside.ok()) {
@ -912,7 +910,7 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
PolicyBuilder& PolicyBuilder::AddLibrariesForBinary( PolicyBuilder& PolicyBuilder::AddLibrariesForBinary(
absl::string_view path, absl::string_view ld_library_path) { absl::string_view path, absl::string_view ld_library_path) {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
auto valid_path = ValidatePath(path); auto valid_path = ValidatePath(path);
if (!valid_path.ok()) { if (!valid_path.ok()) {
@ -941,7 +939,7 @@ PolicyBuilder& PolicyBuilder::AddDirectory(absl::string_view path, bool is_ro) {
PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside, PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
absl::string_view inside, absl::string_view inside,
bool is_ro) { bool is_ro) {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
auto valid_outside = ValidateAbsolutePath(outside); auto valid_outside = ValidateAbsolutePath(outside);
if (!valid_outside.ok()) { if (!valid_outside.ok()) {
@ -969,7 +967,7 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
} }
PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) { PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
if (auto status = mounts_.AddTmpfs(inside, size); !status.ok()) { if (auto status = mounts_.AddTmpfs(inside, size); !status.ok()) {
SetError(absl::InternalError(absl::StrCat("Could not mount tmpfs ", inside, SetError(absl::InternalError(absl::StrCat("Could not mount tmpfs ", inside,
@ -979,14 +977,14 @@ PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
} }
PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() { PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
allow_unrestricted_networking_ = true; allow_unrestricted_networking_ = true;
return *this; return *this;
} }
PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) { PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
hostname_ = std::string(hostname); hostname_ = std::string(hostname);
return *this; return *this;
@ -1089,7 +1087,7 @@ PolicyBuilder& PolicyBuilder::AddNetworkProxyHandlerPolicy() {
} }
PolicyBuilder& PolicyBuilder::SetRootWritable() { PolicyBuilder& PolicyBuilder::SetRootWritable() {
EnableNamespaces(); EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
mounts_.SetRootWritable(); mounts_.SetRootWritable();
return *this; return *this;