mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Handle prlimit64
in Allow*RLimit
PiperOrigin-RevId: 598794581 Change-Id: If7898294aab1cf77f9b8007e4a9dc8bd74449f9b
This commit is contained in:
parent
9a06f3ac0c
commit
fbfc2b9eac
|
@ -805,6 +805,9 @@ PolicyBuilder& PolicyBuilder::AllowGetPGIDs() {
|
|||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowGetRlimit() {
|
||||
#ifdef __NR_prlimit64
|
||||
AddPolicyOnSyscall(__NR_prlimit64, {ARG(2), JEQ64(0, 0, ALLOW)});
|
||||
#endif
|
||||
return AllowSyscalls({
|
||||
#ifdef __NR_getrlimit
|
||||
__NR_getrlimit,
|
||||
|
@ -817,6 +820,9 @@ PolicyBuilder& PolicyBuilder::AllowGetRlimit() {
|
|||
|
||||
PolicyBuilder& PolicyBuilder::AllowSetRlimit() {
|
||||
return AllowSyscalls({
|
||||
#ifdef __NR_prlimit64
|
||||
__NR_prlimit64,
|
||||
#endif
|
||||
#ifdef __NR_setrlimit
|
||||
__NR_setrlimit,
|
||||
#endif
|
||||
|
@ -865,7 +871,7 @@ PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
|
|||
ARG_32(0),
|
||||
JEQ32(SIG_BLOCK, ALLOW),
|
||||
});
|
||||
AllowSyscall(__NR_prlimit64);
|
||||
AllowGetRlimit();
|
||||
|
||||
// For LOG(FATAL)
|
||||
return AddPolicyOnSyscall(__NR_kill,
|
||||
|
@ -999,9 +1005,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
|
|||
OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT);
|
||||
#endif
|
||||
|
||||
#ifdef __NR_prlimit64
|
||||
OverridableBlockSyscallWithErrno(__NR_prlimit64, EPERM);
|
||||
#endif
|
||||
AllowGetRlimit();
|
||||
AddPolicyOnSyscall(__NR_mprotect, {
|
||||
ARG_32(2),
|
||||
JEQ32(PROT_READ, ALLOW),
|
||||
|
|
Loading…
Reference in New Issue
Block a user