New wrappers:
- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)
Updated wrappers:
- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.
PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
Follow-up changes might be required to fully fix up the contrib sandboxes.
PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
munmap is widely used by sanitizer, but it
probably works for Asan/Msan because it's enabled
by unrelated Allow* call.
Move mprotect to shared part as well. It will be
needed for compress_stack_depot.
PiperOrigin-RevId: 431989551
Change-Id: I7695a2de81d8d0b2112d3308778b2e9a9c7cb596
- Allow to specify multiple syscalls with `BlockSyscallsWithErrno()`
- Add functions to allow `unlink()` and `rename()` in all their spellings
PiperOrigin-RevId: 414987303
Change-Id: Ic0e680b785e8e3a3498f20e6a7403737e63fe876
Generate syscall jump table without using bpf_helper.
Check that any jump in the user provided policy is within the provided policy.
PiperOrigin-RevId: 409362089
Change-Id: I31493e52cf868e4b184ff79fcb26beeb75f49773
Note: This change allows `MAP_NORESERVE` generally, not just for MSAN. This follows
what we do for `AllowTcMalloc()/AllowSystemMalloc()`
PiperOrigin-RevId: 402231980
Change-Id: Ifa1c6b9f61f636dd6db231dde3765c3b4a40911b
For OSS, this change should be mostly a no-op. Visible edits are due to
changed order of code and/or includes.
PiperOrigin-RevId: 394177395
Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.
PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that
get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs
there are. Unfortunately, some of those sandboxes also disable namespaces. The
solution is to provide two functions: AllowRestartableSequencesWithProcFiles(),
which allows syscalls and files; and AllowRestartableSequences(), which allows
syscalls only. Sandboxes should usually call the former; sandboxes that disable
namespaces should instead call the latter and are responsible for allowing the
files via the deprecated Fs mechanism.
2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags.
3. Order the code and the comments identically for better readability.
PiperOrigin-RevId: 386414028
Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
