diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index e916ba1..fb84763 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -325,7 +325,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
 });
 // Sanitizers read from /proc. For example:
 // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
- AddDirectory("/proc");
+ AddDirectoryIfNamespaced("/proc");
 // Sanitizers need pid for reports. For example:
 // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
 AllowGetPIDs();
@@ -679,18 +679,6 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
 });
 }
-PolicyBuilder& PolicyBuilder::AllowRestartableSequencesWithProcFiles( CpuFenceMode cpu_fence_mode) { AllowRestartableSequences(cpu_fence_mode); AddFile("/proc/cpuinfo"); AddFile("/proc/stat"); AddDirectory("/sys/devices/system/cpu"); if (cpu_fence_mode == kAllowSlowFences) { AddFile("/proc/self/cpuset"); } return *this; }
-
 PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
 CpuFenceMode cpu_fence_mode) {
 #ifdef __NR_rseq
@@ -720,6 +708,12 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
 AllowSyscall(__NR_sched_getaffinity);
 AllowSyscall(__NR_sched_setaffinity);
 }
+ AddFileIfNamespaced("/proc/cpuinfo");
+ AddFileIfNamespaced("/proc/stat");
+ AddDirectoryIfNamespaced("/sys/devices/system/cpu");
+ if (cpu_fence_mode == kAllowSlowFences) {
+ AddFileIfNamespaced("/proc/self/cpuset");
+ }
 return *this;
 }
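Review bot: Switching to AddDirectoryIfNamespaced("/proc") changes what a policy that has disabled namespaces gets, and neither the call site nor the comment above it says so: per the header text this commit removes, the old AddDirectory() forced namespaces on and made such a policy fail at build time, whereas now /proc is simply not mounted. That is presumably fine because without a mount namespace the sandboxee already sees the host /proc, but the comment still reads as if the mount were unconditional. Suggest extending it: `// Mounted read-only, and only when namespaces stay enabled; a policy without a mount namespace already sees the host /proc.` AllowLlvmSanitizers() begins before and continues after this hunk.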
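Review bot: It is not visible whether the four AddFileIfNamespaced()/AddDirectoryIfNamespaced() calls added before `return *this;` sit inside the `#ifdef __NR_rseq` block opened at the top of the function (see the -679 hunk), because the matching `#endif` is outside this hunk; if they do, a build without __NR_rseq mounts none of these paths, whereas the removed AllowRestartableSequencesWithProcFiles() added them unconditionally. If unconditional is intended, they belong after the `#endif`; if not, the difference from the old behaviour deserves a comment. Either way a short why-comment above the group would help, e.g. `// Read by the rseq/CPU-fence code; mounted read-only, and only if namespaces are still enabled at TryBuild().` The function begins before this hunk.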
@@ -1250,7 +1244,17 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
 PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside, absl::string_view inside, bool is_ro) {
 EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
+ return AddFileAtIfNamespaced(outside, inside, is_ro);
+}
+PolicyBuilder& PolicyBuilder::AddFileIfNamespaced(absl::string_view path, bool is_ro) {
+ return AddFileAtIfNamespaced(path, path, is_ro);
+}
+
+PolicyBuilder& PolicyBuilder::AddFileAtIfNamespaced(absl::string_view outside, absl::string_view inside, bool is_ro) {
 auto valid_outside = ValidateAbsolutePath(outside);
 if (!valid_outside.ok()) {
 SetError(valid_outside.status());
@@ -1314,7 +1318,16 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
 absl::string_view inside, bool is_ro) {
 EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
+ return AddDirectoryAtIfNamespaced(outside, inside, is_ro);
+}
+PolicyBuilder& PolicyBuilder::AddDirectoryIfNamespaced(absl::string_view path, bool is_ro) {
+ return AddDirectoryAtIfNamespaced(path, path, is_ro);
+}
+
+PolicyBuilder& PolicyBuilder::AddDirectoryAtIfNamespaced( absl::string_view outside, absl::string_view inside, bool is_ro) {
 auto valid_outside = ValidateAbsolutePath(outside);
 if (!valid_outside.ok()) {
 SetError(valid_outside.status());
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index f867c45..1ca868f 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
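Review bot: There is no blank line between the closing brace of AddFileAt() and the new definition of AddFileIfNamespaced() — `+}` is directly followed by `+PolicyBuilder& PolicyBuilder::AddFileIfNamespaced(` — while AddFileAtIfNamespaced() in the same hunk gets one; the -1314 hunk has the same asymmetry between AddDirectoryAt() and AddDirectoryIfNamespaced(), and clang-format will not insert that line for you. The new *IfNamespaced definitions also carry no comment of their own; a one-liner such as `// Like AddFileAt() but does not call EnableNamespaces(); see the header.` above AddFileAtIfNamespaced() tells a reader why two near-identical entry points exist. The body of AddFileAtIfNamespaced() continues past the end of the hunk.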
@@ -201,17 +201,12 @@ class PolicyBuilder final {
 //
 // If `cpu_fence_mode` is `kRequireFastFences`, RSEQ functionality may not
 // be enabled if fast CPU fences are not available.
- //
- // This function enables namespaces! If your policy disables namespaces,
- // the conflict will cause an error when the policy is built. You should
- // call AllowRestartableSequences() instead; see below for instructions.
- PolicyBuilder& AllowRestartableSequencesWithProcFiles( CpuFenceMode cpu_fence_mode);
-
- // Appends code to allow restartable sequences.
- // See above for the allowed syscalls and, more importantly, for the files
- // that you are responsible for allowing via the deprecated `Fs` mechanism.
 PolicyBuilder& AllowRestartableSequences(CpuFenceMode cpu_fence_mode);
+ ABSL_DEPRECATED("Use AllowRestartableSequences() instead")
+ PolicyBuilder& AllowRestartableSequencesWithProcFiles( CpuFenceMode cpu_fence_mode) {
+ return this->AllowRestartableSequences(cpu_fence_mode);
+ }
 // Appends code to allow the scudo version of malloc, free and
 // friends. This should be used in conjunction with namespaces. If scudo
@@ -738,6 +733,19 @@ class PolicyBuilder final {
 absl::string_view path);
 static absl::StatusOr ValidatePath(absl::string_view path);
+ // Similar to AddFile(At)/AddDirectory(At) but it won't force use of
+ // namespaces - files will only be added to the namespace if it is not
+ // disabled by the time of TryBuild().
+ PolicyBuilder& AddFileIfNamespaced(absl::string_view path, bool is_ro = true);
+ PolicyBuilder& AddFileAtIfNamespaced(absl::string_view outside, absl::string_view inside, bool is_ro = true);
+ PolicyBuilder& AddDirectoryIfNamespaced(absl::string_view path, bool is_ro = true);
+ PolicyBuilder& AddDirectoryAtIfNamespaced(absl::string_view outside, absl::string_view inside, bool is_ro = true);
+
 // Allows a limited version of madvise
 PolicyBuilder& AllowLimitedMadvise();
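Review bot: The comment block kept above AllowRestartableSequences() no longer says which files the function needs, yet the removed paragraph told callers they were responsible for allowing them via `Fs`, and the .cc side now mounts /proc/cpuinfo, /proc/stat, /sys/devices/system/cpu and, for kAllowSlowFences, /proc/self/cpuset itself; that information should be restored, together with the fact that the mounts only happen if namespaces are still enabled at TryBuild(), since a policy with namespaces disabled used to fail at build time through the old WithProcFiles variant and now silently gets no mounts. Something like `// Also mounts (read-only) /proc/cpuinfo, /proc/stat and /sys/devices/system/cpu, plus /proc/self/cpuset for kAllowSlowFences, when namespaces are enabled.` above the declaration would do. The deprecated inline wrapper is fine; `this->` is redundant in a non-template class, and ABSL_DEPRECATED needs absl/base/attributes.h, which I cannot see included in this diff. The comment block begins before this hunk.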