Add helpers AllowMlock() and AllowMadvisePopulate()

Add helpers to selectively allow use of mlock, munlock, and madvise with MADV_POPULATE_READ, and MADV_POPULATE_WRITE. PiperOrigin-RevId: 624942728 Change-Id: Ieffcdd6c305b4d23440fbd7c3cabc27dfcd0e366
google · Apr 15, 2024 · 0302244 · 0302244
1 parent f9af86f
commit 0302244
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
@@ -75,6 +75,12 @@
 #ifndef MAP_FIXED_NOREPLACE
 #define MAP_FIXED_NOREPLACE 0x100000
 #endif
+#ifndef MADV_POPULATE_READ
+#define MADV_POPULATE_READ 22  // Linux 5.14+
+#endif
+#ifndef MADV_POPULATE_WRITE  // Linux 5.14+
+#define MADV_POPULATE_WRITE 23
+#endif
 #ifndef PR_SET_VMA
 #define PR_SET_VMA 0x53564d41
 #endif
@@ -446,6 +452,18 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
                                           });
 }
 
+PolicyBuilder& PolicyBuilder::AllowMadvisePopulate() {
+  if (allowed_complex_.madvise_populate) {
+    return *this;
+  }
+  allowed_complex_.madvise_populate = true;
+  return AddPolicyOnSyscall(__NR_madvise, {
+                                              ARG_32(2),
+                                              JEQ32(MADV_POPULATE_READ, ALLOW),
+                                              JEQ32(MADV_POPULATE_WRITE, ALLOW),
+                                          });
+}
+
 PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
   if (allowed_complex_.mmap_without_exec) {
     return *this;
@@ -462,6 +480,19 @@ PolicyBuilder& PolicyBuilder::AllowMmap() {
   return AllowSyscalls(kMmapSyscalls);
 }
 
+PolicyBuilder& PolicyBuilder::AllowMlock() {
+#ifdef __NR_mlock
+  AllowSyscall(__NR_mlock);
+#endif
+#ifdef __NR_munlock
+  AllowSyscall(__NR_munlock);
+#endif
+#ifdef __NR_mlock2
+  AllowSyscall(__NR_mlock2);
+#endif
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowOpen() {
 #ifdef __NR_creat
   AllowSyscall(__NR_creat);

diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
@@ -254,6 +254,9 @@ class PolicyBuilder final {
   // Appends code to allow mmap calls that don't specify PROT_EXEC.
   PolicyBuilder& AllowMmapWithoutExec();
 
+  // Appends code to allow mlock and munlock calls.
+  PolicyBuilder& AllowMlock();
+
   // Appends code to allow calling futex with the given operation.
   PolicyBuilder& AllowFutexOp(int op);
 
@@ -770,6 +773,9 @@ class PolicyBuilder final {
   // Allows a limited version of madvise
   PolicyBuilder& AllowLimitedMadvise();
 
+  // Allows MADV_POPULATE_READ and MADV_POPULATE_WRITE.
+  PolicyBuilder& AllowMadvisePopulate();
+
   // Traps instead of denying ptrace.
   PolicyBuilder& TrapPtrace();
 
@@ -824,6 +830,7 @@ class PolicyBuilder final {
     bool llvm_sanitizers = false;
     bool llvm_coverage = false;
     bool limited_madvise = false;
+    bool madvise_populate = false;
     bool mmap_without_exec = false;
     bool safe_fcntl = false;
     bool tcgets = false;