phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-01-27 03:33:27 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge bitcoin/bitcoin#23255: util: Add mincore and clone3 to syscall sandbox

Browse source 
fab40732a9 util: Add mincore and clone3 to syscall sandbox (MarcoFalke)

Pull request description:

  Closes #23248

ACKs for top commit:
  practicalswift:
    cr ACK fab40732a9
  laanwj:
    ACK fab40732a9
  fanquake:
    ACK fab40732a9

Tree-SHA512: a8eb6b1844e40880163d2c52022dc4f84a53fae4d82fc651e456f527eca455dec32bbf960dac4366915c8a73d57b546b0b18f11b4da031962f7f775f2ca8c112
This commit is contained in:
fanquake 2021-10-12 08:46:50 +08:00
commit e418a8e675
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/util/syscall_sandbox.cpp
View file

@ -46,6 +46,12 @@ bool g_syscall_sandbox_log_violation_before_terminating{false};
// Define system call numbers for x86_64 that are referenced in the system call profile // Define system call numbers for x86_64 that are referenced in the system call profile
// but not provided by the kernel headers used in the GUIX build. // but not provided by the kernel headers used in the GUIX build.
// Usually, they can be found via "grep name /usr/include/x86_64-linux-gnu/asm/unistd_64.h"
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#ifndef __NR_statx #ifndef __NR_statx
#define __NR_statx 332 #define __NR_statx 332
#endif #endif
@ -115,6 +121,7 @@ const std::map<uint32_t, std::string> LINUX_SYSCALLS{
{__NR_clock_nanosleep, "clock_nanosleep"}, {__NR_clock_nanosleep, "clock_nanosleep"},
{__NR_clock_settime, "clock_settime"}, {__NR_clock_settime, "clock_settime"},
{__NR_clone, "clone"}, {__NR_clone, "clone"},
{__NR_clone3, "clone3"},
{__NR_close, "close"}, {__NR_close, "close"},
{__NR_connect, "connect"}, {__NR_connect, "connect"},
{__NR_copy_file_range, "copy_file_range"}, {__NR_copy_file_range, "copy_file_range"},
@ -540,6 +547,7 @@ public:
allowed_syscalls.insert(__NR_brk); // change data segment size allowed_syscalls.insert(__NR_brk); // change data segment size
allowed_syscalls.insert(__NR_madvise); // give advice about use of memory allowed_syscalls.insert(__NR_madvise); // give advice about use of memory
allowed_syscalls.insert(__NR_membarrier); // issue memory barriers on a set of threads allowed_syscalls.insert(__NR_membarrier); // issue memory barriers on a set of threads
allowed_syscalls.insert(__NR_mincore); // check if virtual memory is in RAM
allowed_syscalls.insert(__NR_mlock); // lock memory allowed_syscalls.insert(__NR_mlock); // lock memory
allowed_syscalls.insert(__NR_mmap); // map files or devices into memory allowed_syscalls.insert(__NR_mmap); // map files or devices into memory
allowed_syscalls.insert(__NR_mprotect); // set protection on a region of memory allowed_syscalls.insert(__NR_mprotect); // set protection on a region of memory
@ -705,6 +713,7 @@ public:
void AllowProcessStartOrDeath() void AllowProcessStartOrDeath()
{ {
allowed_syscalls.insert(__NR_clone); // create a child process allowed_syscalls.insert(__NR_clone); // create a child process
allowed_syscalls.insert(__NR_clone3); // create a child process
allowed_syscalls.insert(__NR_exit); // terminate the calling process allowed_syscalls.insert(__NR_exit); // terminate the calling process
allowed_syscalls.insert(__NR_exit_group); // exit all threads in a process allowed_syscalls.insert(__NR_exit_group); // exit all threads in a process
allowed_syscalls.insert(__NR_fork); // create a child process allowed_syscalls.insert(__NR_fork); // create a child process