Allow getrusage under ASAN.

BUG=413528 Review URL: https://codereview.chromium.org/890493002 Cr-Commit-Position: refs/heads/master@{#313674}

Allow getrusage under ASAN.
BUG=413528 Review URL: https://codereview.chromium.org/890493002 Cr-Commit-Position: refs/heads/master@{#313674}
ff97bf24 · rickyz · Commit bot · 5d8a530b · ff97bf24 · ff97bf24
Commit ff97bf24 authored Jan 28, 2015 by rickyz Committed by Commit bot Jan 29, 2015
4 changed files
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -109,6 +109,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
    return Allow();
  }

+  // Used when RSS limiting is enabled in sanitizers.
+  if (sysno == __NR_getrusage) {
+    return RestrictGetrusage();
+  }
+
  if (sysno == __NR_sigaltstack) {
    // Required for better stack overflow detection in ASan. Disallowed in
    // non-ASan builds.

--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -304,4 +304,9 @@ ResultExpr RestrictPrlimit64(pid_t target_pid) {
  return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS());
 }

+ResultExpr RestrictGetrusage() {
+  const Arg<int> who(0);
+  return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS());
+}
+
 }  // namespace sandbox.
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -91,6 +91,10 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictSchedTarget(pid_t target_pid,
 // or target_pid.
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimit64(pid_t target_pid);

+// Restricts the |who| argument of getrusage to RUSAGE_SELF (meaning the calling
+// process).
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictGetrusage();
+
 }  // namespace sandbox.

 #endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
@@ -240,6 +240,34 @@ BPF_DEATH_TEST_C(ParameterRestrictions,
  sys_prlimit64(kInitPID, RLIMIT_AS, NULL, NULL);
 }

+class RestrictGetrusagePolicy : public bpf_dsl::Policy {
+ public:
+  RestrictGetrusagePolicy() {}
+  ~RestrictGetrusagePolicy() override {}
+
+  ResultExpr EvaluateSyscall(int sysno) const override {
+    switch (sysno) {
+      case __NR_getrusage:
+        return RestrictGetrusage();
+      default:
+        return Allow();
+    }
+  }
+};
+
+BPF_TEST_C(ParameterRestrictions, getrusage_allowed, RestrictGetrusagePolicy) {
+  struct rusage usage;
+  BPF_ASSERT_EQ(0, getrusage(RUSAGE_SELF, &usage));
+}
+
+BPF_DEATH_TEST_C(ParameterRestrictions,
+                 getrusage_crash_not_self,
+                 DEATH_SEGV_MESSAGE(sandbox::GetErrorMessageContentForTests()),
+                 RestrictGetrusagePolicy) {
+  struct rusage usage;
+  getrusage(RUSAGE_CHILDREN, &usage);
+}
+
 }  // namespace

 }  // namespace sandbox