llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT--> @llvm/pr-subscribers-clang Author: Jan Svoboda (jansvoboda11) <details> <summary>Changes</summary> This PR enables the FS sandbox for direct `clang -cc1` invocations. https://github.com/llvm/llvm-project/pull/165350 unintentionally implemented the sandbox only for the code path where `clang -cc1` gets invoked after being expanded from a driver command line, which reduced the expected test coverage. --- Full diff: https://github.com/llvm/llvm-project/pull/174653.diff 2 Files Affected: - (modified) clang/tools/driver/cc1gen_reproducer_main.cpp (+3) - (modified) clang/tools/driver/driver.cpp (+8-1) ``````````diff diff --git a/clang/tools/driver/cc1gen_reproducer_main.cpp b/clang/tools/driver/cc1gen_reproducer_main.cpp index 14548c39975da..851d252015c44 100644 --- a/clang/tools/driver/cc1gen_reproducer_main.cpp +++ b/clang/tools/driver/cc1gen_reproducer_main.cpp @@ -116,6 +116,9 @@ generateReproducerForInvocationArguments( ArrayRef<const char *> Argv, const ClangInvocationInfo &Info, const llvm::ToolContext &ToolContext, IntrusiveRefCntPtr<llvm::vfs::FileSystem> VFS) { + // The driver is not expected to be free of sandbox violations. + auto BypassSandbox = llvm::sys::sandbox::scopedDisable(); + using namespace driver; auto TargetAndMode = ToolChain::getTargetAndModeFromProgramName(Argv[0]); diff --git a/clang/tools/driver/driver.cpp b/clang/tools/driver/driver.cpp index 1e2c9884ba63d..490136961ebc6 100644 --- a/clang/tools/driver/driver.cpp +++ b/clang/tools/driver/driver.cpp @@ -38,6 +38,7 @@ #include "llvm/Support/CrashRecoveryContext.h" #include "llvm/Support/ErrorHandling.h" #include "llvm/Support/FileSystem.h" +#include "llvm/Support/IOSandbox.h" #include "llvm/Support/LLVMDriver.h" #include "llvm/Support/Path.h" #include "llvm/Support/PrettyStackTrace.h" @@ -264,8 +265,14 @@ int clang_main(int Argc, char **Argv, const llvm::ToolContext &ToolContext) { } // Handle -cc1 integrated tools. - if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) + if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) { + // Note that this only enables the sandbox for direct -cc1 invocations and + // out-of-process -cc1 invocations launched by the driver. For in-process + // -cc1 invocations launched by the driver, the sandbox is enabled in + // CC1Command::Execute() for better crash recovery. + auto EnableSandbox = llvm::sys::sandbox::scopedEnable(); return ExecuteCC1Tool(Args, ToolContext, VFS); + } // Handle options that need handling before the real command line parsing in // Driver::BuildCompilation() `````````` </details> https://github.com/llvm/llvm-project/pull/174653 _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
