StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Ensure that TCMalloc can execute NumCPUs.

Browse Source 
PiperOrigin-RevId: 565683514
Change-Id: I391ab5f184f487ef3ffc553d10581cd6eaee54de
This commit is contained in:
Chris Kennelly 2023-09-15 08:20:33 -07:00 committed by Copybara-Service
parent 700f8fa547
commit f5830c93cd
4 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sandboxed_api/sandbox2/examples/network/network_sandbox.cc
View File

@ -57,6 +57,7 @@ std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
.AllowSyscall(__NR_sendto) // send .AllowSyscall(__NR_sendto) // send
.AllowStat() // printf,puts .AllowStat() // printf,puts
.AddLibrariesForBinary(sandboxee_path) .AddLibrariesForBinary(sandboxee_path)
.AllowTcMalloc()
.BuildOrDie(); .BuildOrDie();
} }

2
sandboxed_api/sandbox2/policy_test.cc
View File

@ -291,7 +291,7 @@ TEST(MultipleSyscalls, AddPolicyOnSyscallsWorks) {
#endif #endif
}, },
{ERRNO(42)}) {ERRNO(42)})
.AddPolicyOnSyscalls({__NR_read, __NR_write}, {ERRNO(43)}) .AddPolicyOnSyscalls({__NR_write}, {ERRNO(43)})
.AddPolicyOnSyscall(__NR_umask, {DENY}); .AddPolicyOnSyscall(__NR_umask, {DENY});
auto policy = builder.BuildOrDie(); auto policy = builder.BuildOrDie();

9
sandboxed_api/sandbox2/policybuilder.cc
View File

@ -263,12 +263,6 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
AllowPrctlSetVma(); AllowPrctlSetVma();
AllowPoll(); AllowPoll();
AllowGetPIDs(); AllowGetPIDs();
#ifdef __NR_open
OverridableBlockSyscallWithErrno(__NR_open, ENOENT);
#endif
#ifdef __NR_openat
OverridableBlockSyscallWithErrno(__NR_openat, ENOENT);
#endif
AddPolicyOnSyscall(__NR_mprotect, { AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2), ARG_32(2),
@ -764,6 +758,9 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
AllowSyscall(__NR_membarrier); AllowSyscall(__NR_membarrier);
AllowFutexOp(FUTEX_WAIT); AllowFutexOp(FUTEX_WAIT);
AllowFutexOp(FUTEX_WAKE); AllowFutexOp(FUTEX_WAKE);
AllowRead();
AllowOpen();
AllowSyscall(__NR_close);
AddPolicyOnSyscall(__NR_rt_sigprocmask, { AddPolicyOnSyscall(__NR_rt_sigprocmask, {
ARG_32(0), ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW), JEQ32(SIG_SETMASK, ALLOW),

1
sandboxed_api/sandbox2/testcases/add_policy_on_syscalls.cc
View File

@ -30,7 +30,6 @@ int main() {
if (getegid() != 1000) return 4; if (getegid() != 1000) return 4;
if (getresuid(&r, &e, &s) != -1 || errno != 42) return 5; if (getresuid(&r, &e, &s) != -1 || errno != 42) return 5;
if (getresgid(&r, &e, &s) != -1 || errno != 42) return 6; if (getresgid(&r, &e, &s) != -1 || errno != 42) return 6;
if (read(0, buf, 1) != -1 || errno != 43) return 7;
if (write(1, buf, 1) != -1 || errno != 43) return 8; if (write(1, buf, 1) != -1 || errno != 43) return 8;
// Trigger a violation. // Trigger a violation.