When the prior change moved most of them to base policy, the renderer override was kept on our side. But this affects only the renderer — there can be other uses too, so put it in base to be consistent.
musl uses different syscalls from glibc for some functions, so the sandbox has
to account for that
--
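diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index ff5a1c0..da56b9b 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -139,21 +139,11 @@ namespace sandbox {
 // present (as in newer versions of posix_spawn).
 ResultExpr RestrictCloneToThreadsAndEPERMFork() {
 const Arg<unsigned long> flags(0);
-
- // TODO(mdempsky): Extend DSL to support (flags & ~mask1) == mask2.
- const uint64_t kAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
- CLONE_SIGHAND | CLONE_THREAD |
- CLONE_SYSVSEM;
- const uint64_t kObsoleteAndroidCloneMask = kAndroidCloneMask | CLONE_DETACHED;
-
- const uint64_t kGlibcPthreadFlags =
- CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD |
- CLONE_SYSVSEM | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
- const BoolExpr glibc_test = flags == kGlibcPthreadFlags;
-
- const BoolExpr android_test =
- AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
- flags == kGlibcPthreadFlags);
+ const int required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+ CLONE_THREAD | CLONE_SYSVSEM;
+ const int safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |
+ CLONE_DETACHED;
+ const BoolExpr thread_clone_ok = (flags&~safe)==required;
 
 // The following two flags are the two important flags in any vfork-emulating
 // clone call. EPERM any clone call that contains both of them.
@@ -163,7 +153,7 @@ ResultExpr RestrictCloneToThreadsAndEPERMFork() {
 AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
 (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
 
- return If(IsAndroid() ? android_test : glibc_test, Allow())
+ return If(thread_clone_ok, Allow())
 .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
 .Else(CrashSIGSYSClone());
 }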
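Review bot: `required` and `safe` are declared `int` while `flags` is `Arg<unsigned long>` and the constants they replace were `uint64_t`; `~safe` is therefore a negative `int` that is sign-extended when widened, which happens to keep the high clone bits in the comparison, but the width should be explicit: `const uint64_t required = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |`, `const uint64_t safe = CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID |` and `const BoolExpr thread_clone_ok = (flags & ~safe) == required;`. The new test also admits any subset of `safe` and drops the separate Android masks, whereas the removed code demanded an exact flag set, and nothing in the hunk says so; a comment such as `// A thread clone must carry exactly |required|; the |safe| flags are optional (musl also passes CLONE_DETACHED, which the removed code called obsolete).` would record the intended policy for the next rebase. The vfork/EPERM branch that follows is unchanged and the function's middle lies between the two hunks.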
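diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index d9d1882..0567557 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ ./sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -392,6 +392,7 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
 #if defined(__i386__)
 case __NR_waitpid:
 #endif
+ case __NR_set_tid_address:
 return true;
 case __NR_clone: // Should be parameter-restricted.
 case __NR_setns: // Privileged.
@@ -404,7 +405,6 @@ bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
 case __NR_set_thread_area:
 #endif
- case __NR_set_tid_address:
 case __NR_unshare:
 #if !defined(__mips__) && !defined(__aarch64__)
 case __NR_vfork:
@@ -514,6 +514,8 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
 case __NR_mlock:
 case __NR_munlock:
 case __NR_munmap:
+ case __NR_mremap:
+ case __NR_membarrier:
 return true;
 case __NR_madvise:
 case __NR_mincore:
@@ -531,7 +533,6 @@ bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
 case __NR_modify_ldt:
 #endif
 case __NR_mprotect:
- case __NR_mremap:
 case __NR_msync:
 case __NR_munlockall:
 case __NR_readahead: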
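Review bot: The cases moved into the unconditional `return true` groups (`__NR_set_tid_address` in the first hunk, `__NR_mremap` and `__NR_membarrier` in the third) widen the baseline for every sandboxed process type, yet unlike their neighbours (`// Should be parameter-restricted.`, `// Privileged.`) they carry no comment saying why musl needs them, so a later upstream rebase cannot tell a deliberate musl requirement from an accident. Add one per case in the existing style, e.g. `case __NR_set_tid_address: // musl: <call site — TODO fill in>`, naming the musl function that issues the call; the patch preamble's "has to account for that" is not enough to re-audit these entries later. The same note applies to the `__NR_mremap`/`__NR_membarrier` hunk, and both switch statements continue outside the hunks shown.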
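diff --git a/sandbox/linux/system_headers/linux_syscalls.h ./sandbox/linux/system_headers/linux_syscalls.h
index 2b78a0c..b6fedb5 100644
--- a/sandbox/linux/system_headers/linux_syscalls.h
+++ b/sandbox/linux/system_headers/linux_syscalls.h
@@ -10,6 +10,7 @@
 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
 
 #include "build/build_config.h"
+#include <sys/syscall.h>
 
 #if defined(__x86_64__)
 #include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"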
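Review bot: The new `#include <sys/syscall.h>` has no comment, so the reason it must precede the per-architecture tables included below is not recorded; presumably the point is that the C library's `__NR_*` values are picked up before the bundled headers define their own, which is the kind of ordering a later rebase silently breaks — confirm and state it, e.g. `// Include the C library's syscall numbers first so they take precedence over the tables below (musl).` Include-order convention would also place a C system header ahead of `"build/build_config.h"`. This section uses `+++ b/` while the two above use `+++ ./`; `patch -p1` strips one component either way, but the mix is worth normalising.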
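--- a/sandbox/policy/linux/bpf_renderer_policy_linux.cc
+++ b/sandbox/policy/linux/bpf_renderer_policy_linux.cc
@@ -94,6 +94,9 @@
 case __NR_pwrite64:
 case __NR_sched_get_priority_max:
 case __NR_sched_get_priority_min:
+ case __NR_sched_getparam:
+ case __NR_sched_getscheduler:
+ case __NR_sched_setscheduler:
 case __NR_sysinfo:
 case __NR_times:
 case __NR_uname: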
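Review bot: The three `sched_*` cases added to the renderer policy's switch duplicate the unconditional allow this same patch adds to `baseline_policy.cc`, so given the commit message's aim of handling this in the base policy, the renderer entries look redundant and could be dropped to leave one place to audit. If they stay, they make the renderer decide these syscalls before the baseline is consulted (the `return` for this case group is outside the hunk, so this is inferred), bypassing any future parameter restriction the baseline applies. Either way a `// musl` comment on the cases would tell a later rebase why they are here.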
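--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -225,10 +225,15 @@
 if (sysno == __NR_getpriority || sysno ==__NR_setpriority)
 return RestrictGetSetpriority(current_pid);
 
+ // XXX: hacks for musl sandbox, calls needed?
+ if (sysno == __NR_sched_getparam || sysno == __NR_sched_getscheduler ||
+ sysno == __NR_sched_setscheduler) {
+ return Allow();
+ }
+
 // The scheduling syscalls are used in threading libraries and also heavily in
 // abseil. See for example https://crbug.com/1370394.
- if (sysno == __NR_sched_getaffinity || sysno == __NR_sched_getparam ||
- sysno == __NR_sched_getscheduler || sysno == __NR_sched_setscheduler) {
+ if (sysno == __NR_sched_getaffinity) {
 return RestrictSchedTarget(current_pid, sysno);
 }
 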
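Review bot: Returning `Allow()` for `__NR_sched_getparam`, `__NR_sched_getscheduler` and `__NR_sched_setscheduler` removes the parameter restriction that `RestrictSchedTarget(current_pid, sysno)` applied to them before, and does so for every process type built on the baseline policy, while the `// XXX: hacks for musl sandbox, calls needed?` comment records that the author had not established that the unrestricted form is needed. Before lifting the check, identify the musl call that fails under `RestrictSchedTarget` (its definition is outside this hunk; presumably it rejects a target pid other than the caller's — confirm) and prefer keeping these three syscalls on the `RestrictSchedTarget` path, or a narrower restriction that admits that one caller, over an unconditional allow. If the unconditional allow really is required, replace the XXX line with the concrete reason, e.g. `// musl: <function — TODO fill in> passes a pid that RestrictSchedTarget rejects.` The new block also sits between the "The scheduling syscalls are used in threading libraries" comment and part of its subject; placing it after that comment keeps the explanation attached.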