Skip to content

Commit

Permalink
Introduce AllowMprotectWithoutExec
Browse files Browse the repository at this point in the history
PiperOrigin-RevId: 626049693
Change-Id: Ic101fe89814a8972c684df56ffac1585af1fae76
  • Loading branch information
Liblor authored and copybara-github committed Apr 18, 2024
1 parent b8f8eff commit 943d8bb
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
13 changes: 13 additions & 0 deletions sandboxed_api/sandbox2/policybuilder.cc
Original file line number Diff line number Diff line change
Expand Up @@ -476,6 +476,19 @@ PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
});
}

PolicyBuilder& PolicyBuilder::AllowMprotectWithoutExec() {
if (allowed_complex_.mprotect_without_exec) {
return *this;
}
allowed_complex_.mprotect_without_exec = true;
return AddPolicyOnSyscall(
__NR_mprotect, {
ARG_32(2),
BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 1, 0),
ALLOW,
});
}

PolicyBuilder& PolicyBuilder::AllowMmap() {
return AllowSyscalls(kMmapSyscalls);
}
Expand Down
4 changes: 4 additions & 0 deletions sandboxed_api/sandbox2/policybuilder.h
Original file line number Diff line number Diff line change
Expand Up @@ -254,6 +254,9 @@ class PolicyBuilder final {
// Appends code to allow mmap calls that don't specify PROT_EXEC.
PolicyBuilder& AllowMmapWithoutExec();

// Appends code to allow mprotect calls that don't specify PROT_EXEC.
PolicyBuilder& AllowMprotectWithoutExec();

// Appends code to allow mlock and munlock calls.
PolicyBuilder& AllowMlock();

Expand Down Expand Up @@ -832,6 +835,7 @@ class PolicyBuilder final {
bool limited_madvise = false;
bool madvise_populate = false;
bool mmap_without_exec = false;
bool mprotect_without_exec = false;
bool safe_fcntl = false;
bool tcgets = false;
bool slow_fences = false;
Expand Down

0 comments on commit 943d8bb

Please sign in to comment.