Add AllowMmap/AllowMprotect/AllowDynamicStartup variants with executable mappings

happyCoder92 · copybara-github · commit 30757dbfca84 · 2025-05-22T02:56:09.000-07:00
PiperOrigin-RevId: 761880262
Change-Id: I9140f3723e9353190f866bcdd4547f34ab636cd5
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
@@ -42,7 +42,6 @@
 #include <memory>
 #include <optional>
 #include <string>
-#include <type_traits>
 #include <utility>
 #include <vector>
 
@@ -57,6 +56,7 @@
 #include "absl/types/span.h"
 #include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/allowlists/all_syscalls.h"
+#include "sandboxed_api/sandbox2/allowlists/map_exec.h"
 #include "sandboxed_api/sandbox2/allowlists/namespaces.h"
 #include "sandboxed_api/sandbox2/allowlists/seccomp_speculation.h"
 #include "sandboxed_api/sandbox2/allowlists/trace_all_syscalls.h"
@@ -591,9 +591,14 @@ PolicyBuilder& PolicyBuilder::AllowMprotectWithoutExec() {
                      });
 }
 
-std::enable_if_t<builder_internal::is_type_complete_v<MapExec>, PolicyBuilder&>
-PolicyBuilder::AllowMmap() {
-  return AllowSyscalls(kMmapSyscalls);
+PolicyBuilder& PolicyBuilder::AllowMprotect(MapExec) {
+  return Allow(MapExec()).AllowSyscall(__NR_mprotect);
+}
+
+PolicyBuilder& PolicyBuilder::AllowMmap() { return AllowMmap(MapExec()); }
+
+PolicyBuilder& PolicyBuilder::AllowMmap(MapExec) {
+  return AllowSyscalls(kMmapSyscalls).AllowSyscall(__NR_mprotect);
 }
 
 PolicyBuilder& PolicyBuilder::AllowMlock() {
@@ -1259,13 +1264,12 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
   return *this;
 }
 
-std::enable_if_t<builder_internal::is_type_complete_v<MapExec>, PolicyBuilder&>
-PolicyBuilder::AllowDynamicStartup() {
-  if (!allow_map_exec_) {
-    SetError(absl::FailedPreconditionError(
-        "Allowing dynamic startup requires Allow(MapExec)."));
-    return *this;
-  }
+PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
+  return AllowDynamicStartup(MapExec());
+}
+
+PolicyBuilder& PolicyBuilder::AllowDynamicStartup(MapExec) {
+  Allow(MapExec());
   if (allowed_complex_.dynamic_startup) {
     return *this;
   }
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
@@ -23,7 +23,6 @@
 #include <memory>
 #include <optional>
 #include <string>
-#include <type_traits>
 #include <utility>
 #include <vector>
 
@@ -55,16 +54,6 @@ class SeccompSpeculation;
 class TraceAllSyscalls;
 class UnrestrictedNetworking;
 
-namespace builder_internal {
-
-template <typename, typename = void>
-constexpr bool is_type_complete_v = false;
-
-template <typename T>
-constexpr bool is_type_complete_v<T, std::void_t<decltype(sizeof(T))>> = true;
-
-}  // namespace builder_internal
-
 // PolicyBuilder is a helper class to simplify creation of policies. The builder
 // uses fluent interface for convenience and increased readability of policies.
 //
@@ -336,18 +325,19 @@ class PolicyBuilder final {
   // Appends code to unconditionally allow mmap. Specifically this allows mmap
   // and mmap2 syscall on architectures where these syscalls exist.
   //
-  // This function requires that targets :map_exec library to be linked
-  // against. Otherwise, the PolicyBuilder will fail to build the policy.
-  //
   // Prefer using `AllowMmapWithoutExec()` as allowing mapping executable pages
   // makes exploitation easier.
-  std::enable_if_t<builder_internal::is_type_complete_v<MapExec>,
-                   PolicyBuilder&>
-  AllowMmap();
+  PolicyBuilder& AllowMmap(MapExec);
+
+  ABSL_DEPRECATED("Use AllowMmap(MapExec) or AllowMmapWithoutExec() instead.")
+  PolicyBuilder& AllowMmap();
 
   // Appends code to allow mmap calls that don't specify PROT_EXEC.
   PolicyBuilder& AllowMmapWithoutExec();
 
+  // Appends code to allow mprotect (also with PROT_EXEC).
+  PolicyBuilder& AllowMprotect(MapExec);
+
   // Appends code to allow mprotect calls that don't specify PROT_EXEC.
   PolicyBuilder& AllowMprotectWithoutExec();
 
@@ -708,9 +698,10 @@ class PolicyBuilder final {
   //
   // In addition to syscalls allowed by `AllowStaticStartup`, also allow
   // reading, seeking, mmap()-ing and closing files.
-  std::enable_if_t<builder_internal::is_type_complete_v<MapExec>,
-                   PolicyBuilder&>
-  AllowDynamicStartup();
+  PolicyBuilder& AllowDynamicStartup(MapExec);
+
+  ABSL_DEPRECATED("Use AllowDynamicStartup(MapExec) instead.")
+  PolicyBuilder& AllowDynamicStartup();
 
   // Appends a policy, which will be run on the specified syscall.
   //
