Skip setting seccomp filter when running with ASan.
Also add an example build target for an ASan-ified libminijail (useful
for debugging).
Bug: 28052772
Change-Id: Ib36a0303d635becaa8802dee56d486f11060ea47
diff --git a/libminijail.c b/libminijail.c
index fcfee1e..a0c4c86 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1355,6 +1355,21 @@
}
/*
+ * Code running with ASan
+ * (https://github.com/google/sanitizers/wiki/AddressSanitizer)
+ * will make system calls not included in the syscall filter policy,
+ * which will likely crash the program. Skip setting seccomp filter in
+ * that case.
+ * 'running_with_asan()' has no inputs and is completely defined at
+ * build time, so this cannot be used by an attacker to skip setting
+ * seccomp filter.
+ */
+ if (j->flags.seccomp_filter && running_with_asan()) {
+ warn("running with ASan, not setting seccomp filter");
+ return;
+ }
+
+ /*
* If we're logging seccomp filter failures,
* install the SIGSYS handler first.
*/
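Review bot: The early `return` under `j->flags.seccomp_filter && running_with_asan()` fails open: a caller that asked for a syscall filter continues with none, and the only trace is a single `warn()` line. The comment's build-time argument covers an attacker toggling the check, but not an ASan-instrumented build being deployed by mistake. I would state that in the comment, for example ` * ASan builds therefore run without the seccomp policy and are for debugging only.` The enclosing function starts and ends outside this hunk, so it is worth confirming that the `return` does not also skip later steps in it that are unrelated to installing the filter.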