Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced

Use the new interface in AllowRestartableSequences. PiperOrigin-RevId: 548619728 Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f
2024-03-22 13:11:30 +08:00 · 2023-07-17 01:58:05 -07:00 · 2023-07-17 01:58:05 -07:00 · f0e85cea13
commit f0e85cea13
parent 39026f7678
2 changed files with 44 additions and 23 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -325,7 +325,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
                                     });
    // Sanitizers read from /proc. For example:
    // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
-    AddDirectory("/proc");
+    AddDirectoryIfNamespaced("/proc");
    // Sanitizers need pid for reports. For example:
    // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
    AllowGetPIDs();
@ -679,18 +679,6 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
  });
 }

-PolicyBuilder& PolicyBuilder::AllowRestartableSequencesWithProcFiles(
-    CpuFenceMode cpu_fence_mode) {
-  AllowRestartableSequences(cpu_fence_mode);
-  AddFile("/proc/cpuinfo");
-  AddFile("/proc/stat");
-  AddDirectory("/sys/devices/system/cpu");
-  if (cpu_fence_mode == kAllowSlowFences) {
-    AddFile("/proc/self/cpuset");
-  }
-  return *this;
-}
-
 PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
    CpuFenceMode cpu_fence_mode) {
 #ifdef __NR_rseq
@ -720,6 +708,12 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
    AllowSyscall(__NR_sched_getaffinity);
    AllowSyscall(__NR_sched_setaffinity);
  }
+  AddFileIfNamespaced("/proc/cpuinfo");
+  AddFileIfNamespaced("/proc/stat");
+  AddDirectoryIfNamespaced("/sys/devices/system/cpu");
+  if (cpu_fence_mode == kAllowSlowFences) {
+    AddFileIfNamespaced("/proc/self/cpuset");
+  }
  return *this;
 }

@ -1250,7 +1244,17 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
 PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
                                        absl::string_view inside, bool is_ro) {
  EnableNamespaces();  // NOLINT(clang-diagnostic-deprecated-declarations)
+  return AddFileAtIfNamespaced(outside, inside, is_ro);
+}

+PolicyBuilder& PolicyBuilder::AddFileIfNamespaced(absl::string_view path,
+                                                  bool is_ro) {
+  return AddFileAtIfNamespaced(path, path, is_ro);
+}
+
+PolicyBuilder& PolicyBuilder::AddFileAtIfNamespaced(absl::string_view outside,
+                                                    absl::string_view inside,
+                                                    bool is_ro) {
  auto valid_outside = ValidateAbsolutePath(outside);
  if (!valid_outside.ok()) {
    SetError(valid_outside.status());
@ -1314,7 +1318,16 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
                                             absl::string_view inside,
                                             bool is_ro) {
  EnableNamespaces();  // NOLINT(clang-diagnostic-deprecated-declarations)
+  return AddDirectoryAtIfNamespaced(outside, inside, is_ro);
+}

+PolicyBuilder& PolicyBuilder::AddDirectoryIfNamespaced(absl::string_view path,
+                                                       bool is_ro) {
+  return AddDirectoryAtIfNamespaced(path, path, is_ro);
+}
+
+PolicyBuilder& PolicyBuilder::AddDirectoryAtIfNamespaced(
+    absl::string_view outside, absl::string_view inside, bool is_ro) {
  auto valid_outside = ValidateAbsolutePath(outside);
  if (!valid_outside.ok()) {
    SetError(valid_outside.status());
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -201,17 +201,12 @@ class PolicyBuilder final {
  //
  // If `cpu_fence_mode` is `kRequireFastFences`, RSEQ functionality may not
  // be enabled if fast CPU fences are not available.
-  //
-  // This function enables namespaces! If your policy disables namespaces,
-  // the conflict will cause an error when the policy is built. You should
-  // call AllowRestartableSequences() instead; see below for instructions.
-  PolicyBuilder& AllowRestartableSequencesWithProcFiles(
-      CpuFenceMode cpu_fence_mode);
-
-  // Appends code to allow restartable sequences.
-  // See above for the allowed syscalls and, more importantly, for the files
-  // that you are responsible for allowing via the deprecated `Fs` mechanism.
  PolicyBuilder& AllowRestartableSequences(CpuFenceMode cpu_fence_mode);
+  ABSL_DEPRECATED("Use AllowRestartableSequences() instead")
+  PolicyBuilder& AllowRestartableSequencesWithProcFiles(
+      CpuFenceMode cpu_fence_mode) {
+    return this->AllowRestartableSequences(cpu_fence_mode);
+  }

  // Appends code to allow the scudo version of malloc, free and
  // friends. This should be used in conjunction with namespaces. If scudo
@ -738,6 +733,19 @@ class PolicyBuilder final {
      absl::string_view path);
  static absl::StatusOr<std::string> ValidatePath(absl::string_view path);

+  // Similar to AddFile(At)/AddDirectory(At) but it won't force use of
+  // namespaces - files will only be added to the namespace if it is not
+  // disabled by the time of TryBuild().
+  PolicyBuilder& AddFileIfNamespaced(absl::string_view path, bool is_ro = true);
+  PolicyBuilder& AddFileAtIfNamespaced(absl::string_view outside,
+                                       absl::string_view inside,
+                                       bool is_ro = true);
+  PolicyBuilder& AddDirectoryIfNamespaced(absl::string_view path,
+                                          bool is_ro = true);
+  PolicyBuilder& AddDirectoryAtIfNamespaced(absl::string_view outside,
+                                            absl::string_view inside,
+                                            bool is_ro = true);
+
  // Allows a limited version of madvise
  PolicyBuilder& AllowLimitedMadvise();