https://github.com/jansvoboda11 created https://github.com/llvm/llvm-project/pull/174653
This PR enables the FS sandbox for direct `clang -cc1` invocations. https://github.com/llvm/llvm-project/pull/165350 unintentionally implemented the sandbox only for the code path where `clang -cc1` gets invoked after being expanded from a driver command line, which reduced the expected test coverage. >From 8cdae2843e8e170980044df373fc91915516c73f Mon Sep 17 00:00:00 2001 From: Jan Svoboda <[email protected]> Date: Mon, 5 Jan 2026 13:44:24 -0800 Subject: [PATCH] [clang] Allow enabling sandbox for direct `-cc1` invocations --- clang/tools/driver/cc1gen_reproducer_main.cpp | 3 +++ clang/tools/driver/driver.cpp | 5 ++++- llvm/CMakeLists.txt | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/clang/tools/driver/cc1gen_reproducer_main.cpp b/clang/tools/driver/cc1gen_reproducer_main.cpp index 14548c39975da..851d252015c44 100644 --- a/clang/tools/driver/cc1gen_reproducer_main.cpp +++ b/clang/tools/driver/cc1gen_reproducer_main.cpp @@ -116,6 +116,9 @@ generateReproducerForInvocationArguments( ArrayRef<const char *> Argv, const ClangInvocationInfo &Info, const llvm::ToolContext &ToolContext, IntrusiveRefCntPtr<llvm::vfs::FileSystem> VFS) { + // The driver is not expected to be free of sandbox violations. + auto BypassSandbox = llvm::sys::sandbox::scopedDisable(); + using namespace driver; auto TargetAndMode = ToolChain::getTargetAndModeFromProgramName(Argv[0]); diff --git a/clang/tools/driver/driver.cpp b/clang/tools/driver/driver.cpp index 1e2c9884ba63d..485b9666222bb 100644 --- a/clang/tools/driver/driver.cpp +++ b/clang/tools/driver/driver.cpp @@ -38,6 +38,7 @@ #include "llvm/Support/CrashRecoveryContext.h" #include "llvm/Support/ErrorHandling.h" #include "llvm/Support/FileSystem.h" +#include "llvm/Support/IOSandbox.h" #include "llvm/Support/LLVMDriver.h" #include "llvm/Support/Path.h" #include "llvm/Support/PrettyStackTrace.h" @@ -264,8 +265,10 @@ int clang_main(int Argc, char **Argv, const llvm::ToolContext &ToolContext) { } // Handle -cc1 integrated tools. - if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) + if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) { + auto EnableSandbox = llvm::sys::sandbox::scopedEnable(); return ExecuteCC1Tool(Args, ToolContext, VFS); + } // Handle options that need handling before the real command line parsing in // Driver::BuildCompilation() diff --git a/llvm/CMakeLists.txt b/llvm/CMakeLists.txt index f0e4f5d7d6f60..d9e5b08aa7d1e 100644 --- a/llvm/CMakeLists.txt +++ b/llvm/CMakeLists.txt @@ -697,7 +697,7 @@ else() option(LLVM_ENABLE_ASSERTIONS "Enable assertions" ON) endif() -option(LLVM_ENABLE_IO_SANDBOX "Enable IO sandboxing in supported tools" OFF) +option(LLVM_ENABLE_IO_SANDBOX "Enable IO sandboxing in supported tools" ON) # FIXME: Change back to OFF before committing. option(LLVM_ENABLE_EXPENSIVE_CHECKS "Enable expensive checks" OFF) set(LLVM_ABI_BREAKING_CHECKS "WITH_ASSERTS" CACHE STRING _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
