merge in nyc-release history after reset to nyc-dev
diff --git a/Android.mk b/Android.mk
index 2e54ec2..7fec11f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -102,6 +102,25 @@
include $(BUILD_SHARED_LIBRARY)
+# Example ASan-ified libminijail shared library for target.
+# Commented out since it's only needed for local debugging.
+# =========================================================
+# include $(CLEAR_VARS)
+# LOCAL_MODULE := libminijail_asan
+# LOCAL_MODULE_TAGS := optional
+#
+# LOCAL_CFLAGS := $(minijailCommonCFlags)
+# LOCAL_CLANG := true
+# LOCAL_SANITIZE := address
+# LOCAL_MODULE_RELATIVE_PATH := asan
+# LOCAL_SRC_FILES := $(libminijailSrcFiles)
+#
+# LOCAL_STATIC_LIBRARIES := libminijail_generated
+# LOCAL_SHARED_LIBRARIES := $(minijailCommonLibraries)
+# LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
+# include $(BUILD_SHARED_LIBRARY)
+
+
# libminijail static library for target.
# =========================================================
include $(CLEAR_VARS)
@@ -186,6 +205,8 @@
LOCAL_MODULE_TAGS := optional
LOCAL_CFLAGS := $(minijailCommonCFlags)
LOCAL_CLANG := true
+# Don't build with ASan, but leave commented out for easy local debugging.
+# LOCAL_SANITIZE := address
LOCAL_SRC_FILES := \
examples/drop_privs.cpp
diff --git a/libminijail.c b/libminijail.c
index 2164186..0af36a3 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1272,6 +1272,21 @@
}
/*
+ * Code running with ASan
+ * (https://github.com/google/sanitizers/wiki/AddressSanitizer)
+ * will make system calls not included in the syscall filter policy,
+ * which will likely crash the program. Skip setting seccomp filter in
+ * that case.
+ * 'running_with_asan()' has no inputs and is completely defined at
+ * build time, so this cannot be used by an attacker to skip setting
+ * seccomp filter.
+ */
+ if (j->flags.seccomp_filter && running_with_asan()) {
+ warn("running with ASan, not setting seccomp filter");
+ return;
+ }
+
+ /*
* If we're logging seccomp filter failures,
* install the SIGSYS handler first.
*/
diff --git a/util.h b/util.h
index 0cc1d15..15dd56b 100644
--- a/util.h
+++ b/util.h
@@ -37,6 +37,18 @@
#endif
}
+static inline int running_with_asan() {
+#ifndef __has_feature
+#define __has_feature(x) 0
+#endif
+
+#if __has_feature(address_sanitizer)
+ return 1;
+#else
+ return 0;
+#endif
+}
+
int lookup_syscall(const char *name);
const char *lookup_syscall_name(int nr);
long int parse_constant(char *constant_str, char **endptr);
