From c4f8bbd378c1a65a9b4a25cd922e34024c293115 Mon Sep 17 00:00:00 2001
From: Alexandre Lissy
Date: Tue, 20 Aug 2024 08:15:41 +0000
Subject: [PATCH] Bug 1553850 - Add LLVM profiling to Linux Sandbox r=gcp,perftest-reviewers,afinder

Differential Revision: https://phabricator.services.mozilla.com/D217167
---
 security/sandbox/linux/SandboxFilter.cpp | 21 ++++++++++
 .../broker/SandboxBrokerPolicyFactory.cpp | 39 +++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index c03efe04d2c3..28dc03b3e4aa 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -737,6 +737,9 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
 .CASES((PR_CAPBSET_READ), // libcap.so.2 loaded by libpulse.so.0
 // queries for capabilities
 Error(EINVAL))
+#if defined(MOZ_PROFILE_GENERATE)
+ .CASES((PR_GET_PDEATHSIG), Allow())
+#endif // defined(MOZ_PROFILE_GENERATE)
 .Default(InvalidSyscall());
 }
 
@@ -839,7 +842,11 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
 switch (sysno) {
 #ifdef __NR_open
 case __NR_open:
+# if defined(MOZ_PROFILE_GENERATE)
+ return Allow();
+# else
 return Trap(OpenTrap, mBroker);
+# endif
 case __NR_access:
 return Trap(AccessTrap, mBroker);
 CASES_FOR_stat:
@@ -864,7 +871,11 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
 return Trap(ReadlinkTrap, mBroker);
 #endif
 case __NR_openat:
+#if defined(MOZ_PROFILE_GENERATE)
+ return Allow();
+#else
 return Trap(OpenAtTrap, mBroker);
+#endif
 case __NR_faccessat:
 return Trap(AccessAtTrap, mBroker);
 case __NR_faccessat2:
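Review bot: The added `.CASES((PR_GET_PDEATHSIG), Allow())` entry carries no comment saying which component needs it, while the neighbouring entries in this prctl() policy each name their caller (the PR_CAPBSET_READ line, for instance). A one-line comment such as `// needed by the LLVM profile runtime in MOZ_PROFILE_GENERATE builds` would tell the next reader why a prctl option is opened only in instrumented builds; the exact caller is not visible in the patch, so confirm it before wording the comment that precisely. The same uncommented entry is added in the SocketProcessSandboxPolicy hunk (@@ -2068) and the UtilitySandboxPolicy hunk (@@ -2167), and since all three guard the identical line, a shared helper or one conditional macro would avoid keeping them in sync by hand. The enclosing prctl policy function starts before this hunk.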
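Review bot: Under MOZ_PROFILE_GENERATE this case returns `Allow()` for open(2) instead of `Trap(OpenTrap, mBroker)`, which takes the whole file-open path out of the broker for instrumented builds, and nothing at this site records that consequence; the F_SETLKW hunk later in the file is the only place that mentions the bypass. A comment above the `#  if` such as `// Instrumented (PGO) builds bypass the broker for open(2)/openat(2) so the profile runtime can write its output; this removes brokered filesystem confinement and must stay limited to MOZ_PROFILE_GENERATE builds.` would make that explicit where the policy is relaxed. Given this bypass, the broker-policy additions in SandboxBrokerPolicyFactory.cpp only matter for the syscalls that remain brokered (access, stat and the like), which is worth stating in one of the two places so a reader does not assume the profile directory is confined by the broker. The @@ -864 hunk makes the identical change for openat(2) and the same comment applies there. The enclosing EvaluateSyscall switch starts before and ends after this hunk.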
@@ -997,6 +1008,10 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
 .Else(InvalidSyscall()))
 // Not much different from other forms of dup(), and commonly used.
 .Case(F_DUPFD_CLOEXEC, Allow())
+#if defined(MOZ_PROFILE_GENERATE)
+ // During PGO we bypass the broker and LLVM profile requires this
+ .Case(F_SETLKW, Allow())
+#endif
 .Default(SandboxPolicyBase::EvaluateSyscall(sysno));
 }
 
@@ -2068,6 +2083,9 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
 PR_SET_DUMPABLE, // Crash reporting
 PR_SET_PTRACER), // Debug-mode crash handling
 Allow())
+#if defined(MOZ_PROFILE_GENERATE)
+ .CASES((PR_GET_PDEATHSIG), Allow())
+#endif // defined(MOZ_PROFILE_GENERATE)
 .Default(InvalidSyscall());
 }
 
@@ -2167,6 +2185,9 @@ class UtilitySandboxPolicy : public SandboxPolicyCommon {
 .CASES((PR_CAPBSET_READ), // libcap.so.2 loaded by libpulse.so.0
 // queries for capabilities
 Error(EINVAL))
+#if defined(MOZ_PROFILE_GENERATE)
+ .CASES((PR_GET_PDEATHSIG), Allow())
+#endif // defined(MOZ_PROFILE_GENERATE)
 .Default(InvalidSyscall());
 }
 
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index a9da0ce849bc..f49e1e42a8e3 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -35,6 +35,10 @@
 #include "nsNetCID.h"
 #include "prenv.h"
 
+#if defined(MOZ_PROFILE_GENERATE)
+# include
+#endif
+
 #ifdef ANDROID
 # include "cutils/properties.h"
 #endif
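Review bot: The `#endif` closing this guard has no trailing `// defined(MOZ_PROFILE_GENERATE)` comment, whereas the prctl guards added elsewhere in this file carry one; `#endif  // defined(MOZ_PROFILE_GENERATE)` keeps the file uniform. The `#  endif` and `#endif` in the open/openat hunks (@@ -839 and @@ -864) are missing the trailer as well. The comment on the F_SETLKW line could also say what "this" refers to, e.g. `// During PGO we bypass the broker; the LLVM profile runtime takes a blocking fcntl() lock (F_SETLKW) on its output file`, but which file is locked is an inference from the option name and should be confirmed against the profile runtime before being written as fact. The enclosing fcntl policy function starts before this hunk.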
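Review bot: The header name on the added `# include` line is absent in this rendering of the patch, so it cannot be checked here that the include is the one declaring `GetLlvmProfileDir`, which the new AddLLVMProfilePathDirectory helper in the next hunk calls; if it is an angle-bracket include, the page has most likely stripped it. Worth confirming against the real commit that the include provides that declaration and that it is only required under MOZ_PROFILE_GENERATE, matching the guard around the helper.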
@@ -416,6 +420,25 @@ static void AddGLDependencies(SandboxBroker::Policy* policy) {
 // server, because headless GL (e.g., Mesa GBM) may not need it.
 }
 
+// Assums this is an absolute path, SandboxBroker does not like relative paths:
+// RealPath() will try to get the absolute path of the llvm profile path to open
+// for writing but this will return errno=2 because the file does not exists, so
+// sandbox will not allow for its creation.
+//
+// Forcing expecting an absolute path will be enough to make sure it can be
+// allowed.
+//
+// It should only be allowed on instrumented builds, never on production
+// builds.
+#if defined(MOZ_PROFILE_GENERATE)
+static void AddLLVMProfilePathDirectory(SandboxBroker::Policy* aPolicy) {
+ std::string parentPath;
+ if (GetLlvmProfileDir(parentPath)) {
+ aPolicy->AddFutureDir(rdwrcr, parentPath.c_str());
+ }
+}
+#endif // defined(MOZ_PROFILE_GENERATE)
+
 void SandboxBrokerPolicyFactory::InitContentPolicy() {
 const bool headless =
 StaticPrefs::security_sandbox_content_headless_AtStartup();
@@ -786,6 +809,10 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
 policy->AddPath(rdonly, "/sys/module/amdgpu");
 }
 
+#if defined(MOZ_PROFILE_GENERATE)
+ AddLLVMProfilePathDirectory(policy);
+#endif
+
 mCommonContentPolicy.reset(policy);
 }
 
@@ -975,6 +1002,10 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
 policy->AddPath(rdwr, "/dev/nvhost-vic");
 #endif // defined(__aarch64__)
 
+#if defined(MOZ_PROFILE_GENERATE)
+ AddLLVMProfilePathDirectory(policy.get());
+#endif
+
 if (policy->IsEmpty()) {
 policy = nullptr;
 }
@@ -1030,6 +1061,10 @@ SandboxBrokerPolicyFactory::GetSocketProcessPolicy(int aPid) {
 }
 }
 
+#if defined(MOZ_PROFILE_GENERATE)
+ AddLLVMProfilePathDirectory(policy.get());
+#endif
+
 if (policy->IsEmpty()) {
 policy = nullptr;
 }
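Review bot: The header comment says the helper assumes `parentPath` is absolute and that the broker rejects relative paths, but the code passes whatever `GetLlvmProfileDir` returns straight to `AddFutureDir(rdwrcr, ...)` without checking that assumption, so an empty or relative directory would be added silently or rejected in a way the caller never sees. Enforce the stated precondition at the call, e.g. `if (GetLlvmProfileDir(parentPath) && !parentPath.empty() && parentPath[0] == '/') {` (or a MOZ_ASSERT on the same condition for debug builds). `rdwrcr` on a future directory appears to grant read, write and create for the whole subtree, which is wide for a profile-output path; if `GetLlvmProfileDir` can ever resolve to a shared location such as a home or temp directory, a sentence in the comment saying so (and why that is acceptable in instrumented-only builds) would help the next reviewer. The comment also has typos: `Assums` → `Assumes`, `does not exists` → `does not exist`, and `Forcing expecting an absolute path` → `Requiring an absolute path`.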
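Review bot: Each call site wraps `AddLLVMProfilePathDirectory(policy)` in its own `#if defined(MOZ_PROFILE_GENERATE)` block, here in InitContentPolicy and again in the GetRDDPolicy (@@ -975), GetSocketProcessPolicy (@@ -1030) and GetUtilityProcessPolicy (@@ -1088) hunks, even though the helper itself is already compiled only under that guard. Giving the helper an empty definition outside the guard — `static void AddLLVMProfilePathDirectory(SandboxBroker::Policy*) {}` in an `#else` branch next to the real one — would let the four call sites drop their guards and keep the hook readable in non-instrumented builds. This is a style preference; behaviour is the same either way. Each enclosing policy-factory method starts before its hunk.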
@@ -1088,6 +1123,10 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
 }
 }
 
+#if defined(MOZ_PROFILE_GENERATE)
+ AddLLVMProfilePathDirectory(policy.get());
+#endif
+
 if (policy->IsEmpty()) {
 policy = nullptr;
 }