Bug 1553850 - Add LLVM profiling to Linux Sandbox r=gcp,perftest-reviewers,afinder

Differential Revision: https://phabricator.services.mozilla.com/D217167
2024-08-20 08:15:41 +00:00 · 2024-08-20 08:15:41 +00:00 · c4f8bbd378
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -737,6 +737,9 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
        .CASES((PR_CAPBSET_READ),  // libcap.so.2 loaded by libpulse.so.0
                                   // queries for capabilities
               Error(EINVAL))
+#if defined(MOZ_PROFILE_GENERATE)
+        .CASES((PR_GET_PDEATHSIG), Allow())
+#endif  // defined(MOZ_PROFILE_GENERATE)
        .Default(InvalidSyscall());
  }

@ -839,7 +842,11 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
      switch (sysno) {
 #ifdef __NR_open
        case __NR_open:
+#  if defined(MOZ_PROFILE_GENERATE)
+          return Allow();
+#  else
          return Trap(OpenTrap, mBroker);
+#  endif
        case __NR_access:
          return Trap(AccessTrap, mBroker);
        CASES_FOR_stat:
@ -864,7 +871,11 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
          return Trap(ReadlinkTrap, mBroker);
 #endif
        case __NR_openat:
+#if defined(MOZ_PROFILE_GENERATE)
+          return Allow();
+#else
          return Trap(OpenAtTrap, mBroker);
+#endif
        case __NR_faccessat:
          return Trap(AccessAtTrap, mBroker);
        case __NR_faccessat2:
@ -997,6 +1008,10 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
                               .Else(InvalidSyscall()))
            // Not much different from other forms of dup(), and commonly used.
            .Case(F_DUPFD_CLOEXEC, Allow())
+#if defined(MOZ_PROFILE_GENERATE)
+            // During PGO we bypass the broker and LLVM profile requires this
+            .Case(F_SETLKW, Allow())
+#endif
            .Default(SandboxPolicyBase::EvaluateSyscall(sysno));
      }

@ -2068,6 +2083,9 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
                PR_SET_DUMPABLE,  // Crash reporting
                PR_SET_PTRACER),  // Debug-mode crash handling
               Allow())
+#if defined(MOZ_PROFILE_GENERATE)
+        .CASES((PR_GET_PDEATHSIG), Allow())
+#endif  // defined(MOZ_PROFILE_GENERATE)
        .Default(InvalidSyscall());
  }

@ -2167,6 +2185,9 @@ class UtilitySandboxPolicy : public SandboxPolicyCommon {
        .CASES((PR_CAPBSET_READ),  // libcap.so.2 loaded by libpulse.so.0
                                   // queries for capabilities
               Error(EINVAL))
+#if defined(MOZ_PROFILE_GENERATE)
+        .CASES((PR_GET_PDEATHSIG), Allow())
+#endif  // defined(MOZ_PROFILE_GENERATE)
        .Default(InvalidSyscall());
  }

--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@ -35,6 +35,10 @@
 #include "nsNetCID.h"
 #include "prenv.h"

+#if defined(MOZ_PROFILE_GENERATE)
+#  include <string>
+#endif
+
 #ifdef ANDROID
 #  include "cutils/properties.h"
 #endif
@ -416,6 +420,25 @@ static void AddGLDependencies(SandboxBroker::Policy* policy) {
  // server, because headless GL (e.g., Mesa GBM) may not need it.
 }

+// Assums this is an absolute path, SandboxBroker does not like relative paths:
+// RealPath() will try to get the absolute path of the llvm profile path to open
+// for writing but this will return errno=2 because the file does not exists, so
+// sandbox will not allow for its creation.
+//
+// Forcing expecting an absolute path will be enough to make sure it can be
+// allowed.
+//
+// It should only be allowed on instrumented builds, never on production
+// builds.
+#if defined(MOZ_PROFILE_GENERATE)
+static void AddLLVMProfilePathDirectory(SandboxBroker::Policy* aPolicy) {
+  std::string parentPath;
+  if (GetLlvmProfileDir(parentPath)) {
+    aPolicy->AddFutureDir(rdwrcr, parentPath.c_str());
+  }
+}
+#endif  // defined(MOZ_PROFILE_GENERATE)
+
 void SandboxBrokerPolicyFactory::InitContentPolicy() {
  const bool headless =
      StaticPrefs::security_sandbox_content_headless_AtStartup();
@ -786,6 +809,10 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
    policy->AddPath(rdonly, "/sys/module/amdgpu");
  }

+#if defined(MOZ_PROFILE_GENERATE)
+  AddLLVMProfilePathDirectory(policy);
+#endif
+
  mCommonContentPolicy.reset(policy);
 }

@ -975,6 +1002,10 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
  policy->AddPath(rdwr, "/dev/nvhost-vic");
 #endif  // defined(__aarch64__)

+#if defined(MOZ_PROFILE_GENERATE)
+  AddLLVMProfilePathDirectory(policy.get());
+#endif
+
  if (policy->IsEmpty()) {
    policy = nullptr;
  }
@ -1030,6 +1061,10 @@ SandboxBrokerPolicyFactory::GetSocketProcessPolicy(int aPid) {
    }
  }

+#if defined(MOZ_PROFILE_GENERATE)
+  AddLLVMProfilePathDirectory(policy.get());
+#endif
+
  if (policy->IsEmpty()) {
    policy = nullptr;
  }
@ -1088,6 +1123,10 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
    }
  }

+#if defined(MOZ_PROFILE_GENERATE)
+  AddLLVMProfilePathDirectory(policy.get());
+#endif
+
  if (policy->IsEmpty()) {
    policy = nullptr;
  }