From 943d8bb9dde2934bff88fda7a06dc7cda7989747 Mon Sep 17 00:00:00 2001
From: Loris Reiff
Date: Thu, 18 Apr 2024 08:55:59 -0700
Subject: [PATCH] Introduce `AllowMprotectWithoutExec`
PiperOrigin-RevId: 626049693
Change-Id: Ic101fe89814a8972c684df56ffac1585af1fae76
---
 sandboxed_api/sandbox2/policybuilder.cc | 13 +++++++++++++
 sandboxed_api/sandbox2/policybuilder.h | 4 ++++
 2 files changed, 17 insertions(+)
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 0a46f1fd..058f3b29 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -476,6 +476,19 @@ PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
 });
 }
+PolicyBuilder& PolicyBuilder::AllowMprotectWithoutExec() {
+ if (allowed_complex_.mprotect_without_exec) {
+ return *this;
+ }
+ allowed_complex_.mprotect_without_exec = true;
+ return AddPolicyOnSyscall(
+ __NR_mprotect, {
+ ARG_32(2),
+ BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 1, 0),
+ ALLOW,
+ });
+}
+
 PolicyBuilder& PolicyBuilder::AllowMmap() {
 return AllowSyscalls(kMmapSyscalls);
 }
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 0ef4df64..bf1b8cc8 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -254,6 +254,9 @@ class PolicyBuilder final {
 // Appends code to allow mmap calls that don't specify PROT_EXEC.
 PolicyBuilder& AllowMmapWithoutExec();
+ // Appends code to allow mprotect calls that don't specify PROT_EXEC.
+ PolicyBuilder& AllowMprotectWithoutExec();
+
 // Appends code to allow mlock and munlock calls.
 PolicyBuilder& AllowMlock();
@@ -832,6 +835,7 @@ class PolicyBuilder final {
 bool limited_madvise = false;
 bool madvise_populate = false;
 bool mmap_without_exec = false;
+ bool mprotect_without_exec = false;
 bool safe_fcntl = false;
 bool tcgets = false;
 bool slow_fences = false;
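Review bot: The filter in `AllowMprotectWithoutExec()` matches only `__NR_mprotect`, so `pkey_mprotect`, which takes the same `prot` argument, is outside this rule. A policy that allows `pkey_mprotect` some other way would not get the PROT_EXEC restriction. The bare index in `ARG_32(2)` would read better with a short comment, for example `// arg 2 is prot; only the PROT_EXEC bit is tested`. The diffstat lists only policybuilder.cc and policybuilder.h, so this commit carries no test for the rule. A case that expects `mprotect(..., PROT_READ | PROT_WRITE)` to pass and `mprotect(..., PROT_READ | PROT_EXEC)` to be denied under the default action would pin the intended behaviour.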
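Review bot: The doc comment added for `AllowMprotectWithoutExec()` in the first policybuilder.h hunk does not say what happens to an mprotect call that does carry PROT_EXEC. Judging by the filter in policybuilder.cc, the `BPF_JSET` branch skips `ALLOW` for such a call rather than rejecting it, so the outcome appears to depend on the rest of the policy. A blanket `AllowSyscall(__NR_mprotect)` elsewhere in the same builder would then cancel the restriction. I would extend the comment to `// Appends code to allow mprotect calls that don't specify PROT_EXEC. Calls with PROT_EXEC are not allowed by this rule and are left to the remaining policy.` The class body starts and ends outside the hunk.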