Diffstat (limited to 'sandboxed_api/sandbox2/policybuilder.cc')
-rw-r--r--sandboxed_api/sandbox2/policybuilder.cc38
1 files changed, 32 insertions, 6 deletions
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 80b42d8..6fbda54 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -60,6 +60,7 @@
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/syscall.h"
+#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/sandbox2/violation.pb.h"
#include "sandboxed_api/util/path.h"
@@ -70,6 +71,9 @@
#include <asm/termbits.h> // On PPC, TCGETS macro needs termios
#endif
+#ifndef MAP_FIXED_NOREPLACE
+#define MAP_FIXED_NOREPLACE 0x100000
+#endif
#ifndef PR_SET_VMA
#define PR_SET_VMA 0x53564d41
#endif
@@ -285,6 +289,7 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
LABEL(&labels, prot_none),
ARG_32(3), // flags
JEQ32(MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE, ALLOW),
+ JEQ32(MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED_NOREPLACE, ALLOW),
JEQ32(MAP_ANONYMOUS | MAP_PRIVATE, ALLOW),
LABEL(&labels, mmap_end),
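Review bot: The new `JEQ32(MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED_NOREPLACE, ALLOW)` has no why-comment, while the surrounding rules are an exact-match list whose intent a reader has to reconstruct; a short note would make the review of future additions easier, e.g. `// Exact match: MAP_FIXED_NOREPLACE is accepted, plain MAP_FIXED (which can clobber existing mappings) stays disallowed.` That the flag is matched exactly is visible from JEQ32; that tcmalloc is the caller needing it is inferred from the function name and should be confirmed before writing it down. On kernels that predate the flag the mmap itself may behave differently, but the filter compares only the value, so the fallback `#define` earlier in the diff keeps the rule meaningful either way. AllowTcMalloc begins and ends outside this hunk.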
@@ -329,7 +334,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
// example:
// https://github.com/llvm/llvm-project/blob/596d534ac3524052df210be8d3c01a33b2260a42/compiler-rt/lib/asan/asan_allocator.cpp#L980
// https://github.com/llvm/llvm-project/blob/62ec4ac90738a5f2d209ed28c822223e58aaaeb7/compiler-rt/lib/sanitizer_common/sanitizer_allocator_secondary.h#L98
- AllowMmap();
+ AllowMmapWithoutExec();
AllowSyscall(__NR_munmap);
AllowSyscall(__NR_sched_yield);
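Review bot: Replacing `AllowMmap()` with `AllowMmapWithoutExec()` tightens the sanitizer policy, but the comment block above still only explains why mmap is needed, not that executable mappings are now deliberately excluded. I would add one line next to the call, `// Sanitizer runtimes only map data; keep PROT_EXEC mappings out of the policy.`, so that nobody "fixes" it back to AllowMmap when a sanitizer build fails for an unrelated reason. Whether every supported sanitizer really never requests PROT_EXEC is inferred from the change, not shown here, and is worth confirming in the commit message. AllowLlvmSanitizers continues outside this hunk.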
@@ -359,7 +364,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
OverridableBlockSyscallWithErrno(__NR_ioctl, EPERM);
// https://github.com/llvm/llvm-project/blob/9aa39481d9eb718e872993791547053a3c1f16d5/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp#L150
// https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_getattr_np.c;h=de7edfa0928224eb8375e2fe894d6677570fbb3b;hb=HEAD#l188
- OverridableBlockSyscallWithErrno(__NR_sched_getaffinity, EPERM);
+ AllowSyscall(__NR_sched_getaffinity);
// https://github.com/llvm/llvm-project/blob/02c2b472b510ff55679844c087b66e7837e13dc2/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L434
#ifdef __NR_readlink
OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT);
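Review bot: The switch from `OverridableBlockSyscallWithErrno(__NR_sched_getaffinity, EPERM)` to `AllowSyscall(__NR_sched_getaffinity)` is not explained; the two links above justify that the call is made, not why an EPERM result is no longer acceptable. A one-line comment such as `// Must succeed: the callers above use the returned mask (EPERM leads to an abort rather than a fallback).` would record the reason — the abort-vs-fallback part is my reading of the linked code and should be verified against it before being written as fact. The information exposed by a real sched_getaffinity result is the CPU mask only, so the relaxation is small, but it deserves the same per-rule justification the other lines in this function carry. AllowLlvmSanitizers continues outside this hunk.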
@@ -415,6 +420,14 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
});
}
+PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
+ return AddPolicyOnMmap({
+ ARG_32(2),
+ BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 1, 0),
+ ALLOW,
+ });
+}
+
PolicyBuilder& PolicyBuilder::AllowMmap() {
return AllowSyscalls(kMmapSyscalls);
}
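Review bot: `AllowMmapWithoutExec` has no documentation, and its BPF_JUMP encodes the rule backwards from how a reader expects (the jump is taken when PROT_EXEC *is* set, skipping `ALLOW` and falling through to whatever AddPolicyOnMmap does next). I would add a header comment, `// Allows mmap whose prot argument has no PROT_EXEC bit; requests with PROT_EXEC fall through to the rest of the policy.`, and tag the argument line in the style of AllowTcMalloc: `ARG_32(2),  // prot`. Worth stating in that comment as well: the check covers only the protection at mmap time, so a policy that wants non-executable memory still has to constrain mprotect separately (AllowStaticStartup in this same file does that with an explicit PROT_READ rule).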
@@ -760,11 +773,13 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
AllowFutexOp(FUTEX_WAKE);
AllowRead();
AllowOpen();
+ AllowPoll();
AllowSyscall(__NR_close);
AddPolicyOnSyscall(__NR_rt_sigprocmask, {
ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW),
});
+ AllowPrctlSetVma();
if (cpu_fence_mode == kAllowSlowFences) {
AllowSyscall(__NR_sched_getaffinity);
AllowSyscall(__NR_sched_setaffinity);
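Review bot: `AllowPoll()` and `AllowPrctlSetVma()` are added to AllowRestartableSequences without a comment saying which part of the rseq setup needs them, unlike the other rules in this function that are grouped by purpose. I would annotate both, e.g. `AllowPoll();  // TODO(reviewer): note which rseq registration path polls` and `AllowPrctlSetVma();  // PR_SET_VMA naming of the rseq/percpu mappings — confirm`, since neither requirement is visible from this diff. PR_SET_VMA only labels anonymous mappings, so the exposure is low, but poll widens the file-descriptor surface and should be justified in place. AllowRestartableSequences begins and ends outside this hunk.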
@@ -796,6 +811,9 @@ PolicyBuilder& PolicyBuilder::AllowGetPGIDs() {
}
PolicyBuilder& PolicyBuilder::AllowGetRlimit() {
+#ifdef __NR_prlimit64
+ AddPolicyOnSyscall(__NR_prlimit64, {ARG(2), JEQ64(0, 0, ALLOW)});
+#endif
return AllowSyscalls({
#ifdef __NR_getrlimit
__NR_getrlimit,
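Review bot: The new prlimit64 rule `AddPolicyOnSyscall(__NR_prlimit64, {ARG(2), JEQ64(0, 0, ALLOW)})` correctly limits the call to reads (new_limit == NULL) but leaves the pid argument unconstrained, so the sandboxee may query the limits of any other process the kernel lets it see; the prlimit64 line added to AllowSetRlimit in the next hunk has the same gap and there it permits *setting* another same-uid process's limits. If a labels block is available as in AllowTcMalloc, the rule can be pinned to the caller with `{ARG_32(0), JNE32(0, JUMP(&labels, not_self)), ARG(2), JEQ64(0, 0, ALLOW), LABEL(&labels, not_self)}`, with the same `ARG_32(0)` guard in AllowSetRlimit. Whether cross-process prlimit is intended here is not visible from the diff; if it is, a comment saying so would stop the next reader from raising this again. Either way add `// prlimit64 with new_limit == NULL is a pure read; setting goes through AllowSetRlimit.` above the rule, and note that AllowGetRlimit's body continues outside this hunk.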
@@ -808,6 +826,9 @@ PolicyBuilder& PolicyBuilder::AllowGetRlimit() {
PolicyBuilder& PolicyBuilder::AllowSetRlimit() {
return AllowSyscalls({
+#ifdef __NR_prlimit64
+ __NR_prlimit64,
+#endif
#ifdef __NR_setrlimit
__NR_setrlimit,
#endif
@@ -856,7 +877,7 @@ PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
ARG_32(0),
JEQ32(SIG_BLOCK, ALLOW),
});
- AllowSyscall(__NR_prlimit64);
+ AllowGetRlimit();
// For LOG(FATAL)
return AddPolicyOnSyscall(__NR_kill,
@@ -990,14 +1011,14 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT);
#endif
-#ifdef __NR_prlimit64
- OverridableBlockSyscallWithErrno(__NR_prlimit64, EPERM);
-#endif
+ AllowGetRlimit();
AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2),
JEQ32(PROT_READ, ALLOW),
});
+ OverridableBlockSyscallWithErrno(__NR_sigaltstack, ENOSYS);
+
return *this;
}
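Review bot: `OverridableBlockSyscallWithErrno(__NR_sigaltstack, ENOSYS)` uses ENOSYS where every other denial in this function uses EPERM or ENOENT, and nothing says why the different errno matters. A comment is needed, e.g. `// ENOSYS rather than EPERM: static startup treats "no sigaltstack" as absent and continues — confirm against the libc in use.`, because the startup-code behaviour is inferred, not shown here. The stray blank line before `return *this;` can go. The earlier `AllowGetRlimit()` replacement of the EPERM block is a clear improvement now that prlimit64 is read-only there. AllowStaticStartup begins outside this hunk.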
@@ -1224,6 +1245,11 @@ PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
return *this;
}
+PolicyBuilder& PolicyBuilder::DefaultAction(TraceAllSyscalls) {
+ default_action_ = SANDBOX2_TRACE;
+ return *this;
+}
+
absl::StatusOr<std::string> PolicyBuilder::ValidateAbsolutePath(
absl::string_view path) {
if (!file::IsAbsolutePath(path)) {
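Review bot: `DefaultAction(TraceAllSyscalls)` changes the fate of every syscall the policy does not list — from whatever the previous default was to `SANDBOX2_TRACE` — and carries no comment, while the overload directly above it is the only other place the default is relaxed. It should state its purpose and scope, e.g. `// Debugging aid: unlisted syscalls are handed to the tracer instead of being denied; not a security boundary.`, and, if the sandboxed_api docs for this feature say so, that it must not be used in production policies. What SANDBOX2_TRACE expands to and how the monitor reacts to a traced syscall is not visible in this diff, so the comment should be checked against trace_all_syscalls.h before landing.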