diff options
| author | Wiktor Garbacz <wiktorg@google.com> | 2024-01-16 03:59:28 -0800 |
|---|---|---|
| committer | Copybara-Service <copybara-worker@google.com> | 2024-01-16 04:00:31 -0800 |
| commit | fbfc2b9eac67a9ff163c59ba663e331cff575f46 (patch) | |
| tree | 1242d777bb78a9605b1479d26eeaad2841f3b5d4 | |
| parent | 9a06f3ac0c704505fda4b62af90913110ff63b93 (diff) | |
| download | sandboxed-api-fbfc2b9eac67a9ff163c59ba663e331cff575f46.tar.gz | |
Handle `prlimit64` in `Allow*RLimit`
PiperOrigin-RevId: 598794581
Change-Id: If7898294aab1cf77f9b8007e4a9dc8bd74449f9b
| -rw-r--r-- | sandboxed_api/sandbox2/policybuilder.cc | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index 9198f97..9b7901b 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -805,6 +805,9 @@ PolicyBuilder& PolicyBuilder::AllowGetPGIDs() { } PolicyBuilder& PolicyBuilder::AllowGetRlimit() { +#ifdef __NR_prlimit64 + AddPolicyOnSyscall(__NR_prlimit64, {ARG(2), JEQ64(0, 0, ALLOW)}); +#endif return AllowSyscalls({ #ifdef __NR_getrlimit __NR_getrlimit, @@ -817,6 +820,9 @@ PolicyBuilder& PolicyBuilder::AllowGetRlimit() { PolicyBuilder& PolicyBuilder::AllowSetRlimit() { return AllowSyscalls({ +#ifdef __NR_prlimit64 + __NR_prlimit64, +#endif #ifdef __NR_setrlimit __NR_setrlimit, #endif @@ -865,7 +871,7 @@ PolicyBuilder& PolicyBuilder::AllowLogForwarding() { ARG_32(0), JEQ32(SIG_BLOCK, ALLOW), }); - AllowSyscall(__NR_prlimit64); + AllowGetRlimit(); // For LOG(FATAL) return AddPolicyOnSyscall(__NR_kill, @@ -999,9 +1005,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() { OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT); #endif -#ifdef __NR_prlimit64 - OverridableBlockSyscallWithErrno(__NR_prlimit64, EPERM); -#endif + AllowGetRlimit(); AddPolicyOnSyscall(__NR_mprotect, { ARG_32(2), JEQ32(PROT_READ, ALLOW), |