Update clients of PolicyBuilder to support architectures other than x86_64.

PiperOrigin-RevId: 500181306
Change-Id: Ibf3e5e3ac6214394f2d9ab10cf30de6d8396988d
This commit is contained in:
Sandboxed API Team 2023-01-06 08:24:34 -08:00 committed by Copybara-Service
parent 1871b173c4
commit f086c39f42
7 changed files with 83 additions and 93 deletions

View File

@ -43,26 +43,24 @@ class CurlSapiSandbox : public curl::CurlSandbox {
.AllowSafeFcntl()
.AllowWrite()
.AllowAccess()
.AllowSyscalls({
__NR_accept,
__NR_bind,
__NR_connect,
__NR_getpeername,
__NR_getsockname,
__NR_getsockopt,
__NR_ioctl,
__NR_listen,
__NR_madvise,
__NR_poll,
__NR_recvfrom,
__NR_recvmsg,
__NR_rt_sigaction,
__NR_sendmmsg,
__NR_sendto,
__NR_setsockopt,
__NR_socket,
__NR_sysinfo,
})
.AllowSyscall(__NR_accept)
.AllowSyscall(__NR_bind)
.AllowSyscall(__NR_connect)
.AllowSyscall(__NR_getpeername)
.AllowSyscall(__NR_getsockname)
.AllowSyscall(__NR_getsockopt)
.AllowSyscall(__NR_ioctl)
.AllowSyscall(__NR_listen)
.AllowSyscall(__NR_madvise)
.AllowPoll()
.AllowSyscall(__NR_recvfrom)
.AllowSyscall(__NR_recvmsg)
.AllowSyscall(__NR_rt_sigaction)
.AllowSyscall(__NR_sendmmsg)
.AllowSyscall(__NR_sendto)
.AllowSyscall(__NR_setsockopt)
.AllowSyscall(__NR_socket)
.AllowSyscall(__NR_sysinfo)
.AddDirectory("/lib")
.AllowUnrestrictedNetworking()
.BuildOrDie();

View File

@ -37,18 +37,16 @@ class GdalSapiSandbox : public GDALSandbox {
.AllowExit()
.AllowStat()
.AllowOpen()
.AllowSyscalls({
__NR_futex,
__NR_close,
__NR_recvmsg,
__NR_getdents64,
__NR_lseek,
__NR_getpid,
__NR_sysinfo,
__NR_prlimit64,
__NR_ftruncate,
__NR_unlink,
})
.AllowSyscall(__NR_futex)
.AllowSyscall(__NR_close)
.AllowSyscall(__NR_recvmsg)
.AllowSyscall(__NR_getdents64)
.AllowSyscall(__NR_lseek)
.AllowSyscall(__NR_getpid)
.AllowSyscall(__NR_sysinfo)
.AllowSyscall(__NR_prlimit64)
.AllowSyscall(__NR_ftruncate)
.AllowUnlink()
.AddFile(file_path_)
.BuildOrDie();
}

View File

@ -42,16 +42,14 @@ class GdalSapiSandbox : public GdalSandbox {
.AllowWrite()
.AllowExit()
.AllowOpen()
.AllowSyscalls({
__NR_futex,
__NR_getdents64, // DriverRegisterAll()
__NR_lseek, // GDALCreate()
__NR_getpid, // GDALCreate()
__NR_sysinfo, // VSI_TIFFOpen_common()
__NR_prlimit64, // CPLGetUsablePhysicalRAM()
__NR_ftruncate, // GTiffDataset::FillEmptyTiles()
__NR_unlink, // GDALDriver::Delete()
})
.AllowSyscall(__NR_futex)
.AllowSyscall(__NR_getdents64) // DriverRegisterAll()
.AllowSyscall(__NR_lseek) // GDALCreate()
.AllowSyscall(__NR_getpid) // GDALCreate()
.AllowSyscall(__NR_sysinfo) // VSI_TIFFOpen_common()
.AllowSyscall(__NR_prlimit64) // CPLGetUsablePhysicalRAM()
.AllowSyscall(__NR_ftruncate) // GTiffDataset::FillEmptyTiles()
.AllowUnlink() // GDALDriver::Delete()
.AddFile(proj_db_path_) // proj.db is required for some projections
.AddDirectory(out_directory_path_, /*is_ro=*/false)
.BuildOrDie();

View File

@ -46,22 +46,20 @@ class SapiLibarchiveSandboxCreate : public LibarchiveSandbox {
.AllowSafeFcntl()
.AllowStat()
.AllowExit()
.AllowSyscalls({
__NR_futex,
__NR_lseek,
__NR_close,
__NR_gettid,
__NR_umask,
__NR_utimensat,
__NR_unlink,
__NR_mkdir,
__NR_fstatfs,
__NR_socket,
__NR_connect,
__NR_flistxattr,
__NR_recvmsg,
__NR_getdents64,
})
.AllowSyscall(__NR_futex)
.AllowSyscall(__NR_lseek)
.AllowSyscall(__NR_close)
.AllowSyscall(__NR_gettid)
.AllowSyscall(__NR_umask)
.AllowSyscall(__NR_utimensat)
.AllowUnlink()
.AllowMkdir()
.AllowSyscall(__NR_fstatfs)
.AllowSyscall(__NR_socket)
.AllowSyscall(__NR_connect)
.AllowSyscall(__NR_flistxattr)
.AllowSyscall(__NR_recvmsg)
.AllowSyscall(__NR_getdents64)
// Allow ioctl only for FS_IOC_GETFLAGS.
.AddPolicyOnSyscall(__NR_ioctl,
{ARG(1), JEQ(FS_IOC_GETFLAGS, ALLOW)});
@ -118,16 +116,14 @@ class SapiLibarchiveSandboxExtract : public LibarchiveSandbox {
.AllowSafeFcntl()
.AllowStat()
.AllowExit()
.AllowSyscalls({
__NR_futex,
__NR_lseek,
__NR_close,
__NR_gettid,
__NR_umask,
__NR_utimensat,
__NR_unlink,
__NR_mkdir,
})
.AllowSyscall(__NR_futex)
.AllowSyscall(__NR_lseek)
.AllowSyscall(__NR_close)
.AllowSyscall(__NR_gettid)
.AllowSyscall(__NR_umask)
.AllowSyscall(__NR_utimensat)
.AllowUnlink()
.AllowMkdir()
.AddFile(archive_path_);
if (do_extract_) {

View File

@ -32,8 +32,9 @@ class UVSapiIdleBasicSandbox : public uv::UVSandbox {
.AllowDynamicStartup()
.AllowExit()
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowSyscalls({__NR_epoll_create1, __NR_epoll_ctl, __NR_epoll_wait,
__NR_eventfd2, __NR_pipe2})
.AllowEpoll()
.AllowSyscall(__NR_eventfd2)
.AllowPipe()
.AllowWrite()
.BuildOrDie();
}

View File

@ -39,8 +39,10 @@ class UVSapiUVCatSandbox : public uv::UVSandbox {
.AllowFutexOp(FUTEX_WAIT_PRIVATE)
.AllowMmap()
.AllowOpen()
.AllowSyscalls({__NR_epoll_create1, __NR_epoll_ctl, __NR_epoll_wait,
__NR_eventfd2, __NR_pipe2, __NR_prlimit64})
.AllowEpoll()
.AllowSyscall(__NR_eventfd2)
.AllowPipe()
.AllowSyscall(__NR_prlimit64)
.AllowWrite()
.BuildOrDie();
}

View File

@ -70,29 +70,26 @@ void InitDefaultPolicyBuilder(sandbox2::PolicyBuilder* builder) {
.AllowHandleSignals()
.AllowSystemMalloc()
.AllowSafeFcntl()
.AllowSyscalls({
__NR_recvmsg,
__NR_sendmsg,
__NR_futex,
__NR_close,
__NR_lseek,
__NR_getpid,
__NR_getppid,
__NR_gettid,
__NR_clock_nanosleep,
__NR_nanosleep,
__NR_uname,
__NR_getrandom,
__NR_kill,
__NR_tgkill,
__NR_tkill,
#ifdef __NR_readlink
__NR_readlink,
#endif
.AllowSyscall(__NR_recvmsg)
.AllowSyscall(__NR_sendmsg)
.AllowSyscall(__NR_futex)
.AllowSyscall(__NR_close)
.AllowSyscall(__NR_lseek)
.AllowSyscall(__NR_getpid)
.AllowSyscall(__NR_getppid)
.AllowSyscall(__NR_gettid)
.AllowSleep()
.AllowSyscall(__NR_uname)
.AllowSyscall(__NR_getrandom)
.AllowSyscall(__NR_kill)
.AllowSyscall(__NR_tgkill)
.AllowSyscall(__NR_tkill)
.AllowReadlink();
#ifdef __NR_arch_prctl // x86-64 only
__NR_arch_prctl,
builder->AllowSyscall(__NR_arch_prctl);
#endif
});
if constexpr (sanitizers::IsAny()) {
LOG(WARNING) << "Allowing additional calls to support the LLVM "
<< "(ASAN/MSAN/TSAN) sanitizer";