Author: Jan Svoboda Date: 2026-01-07T15:07:49-08:00 New Revision: 3911c6a2535736a365dd28163dd18daaa4398f74
URL: https://github.com/llvm/llvm-project/commit/3911c6a2535736a365dd28163dd18daaa4398f74 DIFF: https://github.com/llvm/llvm-project/commit/3911c6a2535736a365dd28163dd18daaa4398f74.diff LOG: [clang] Allow enabling sandbox for direct `-cc1` invocations (#174653) This PR enables the FS sandbox for direct `clang -cc1` invocations. https://github.com/llvm/llvm-project/pull/165350 unintentionally implemented the sandbox only for the code path where `clang -cc1` gets invoked after being expanded from a driver command line, which reduced the expected test coverage. Added: Modified: clang/tools/driver/cc1gen_reproducer_main.cpp clang/tools/driver/driver.cpp Removed: ################################################################################ diff --git a/clang/tools/driver/cc1gen_reproducer_main.cpp b/clang/tools/driver/cc1gen_reproducer_main.cpp index 14548c39975da..851d252015c44 100644 --- a/clang/tools/driver/cc1gen_reproducer_main.cpp +++ b/clang/tools/driver/cc1gen_reproducer_main.cpp @@ -116,6 +116,9 @@ generateReproducerForInvocationArguments( ArrayRef<const char *> Argv, const ClangInvocationInfo &Info, const llvm::ToolContext &ToolContext, IntrusiveRefCntPtr<llvm::vfs::FileSystem> VFS) { + // The driver is not expected to be free of sandbox violations. + auto BypassSandbox = llvm::sys::sandbox::scopedDisable(); + using namespace driver; auto TargetAndMode = ToolChain::getTargetAndModeFromProgramName(Argv[0]); diff --git a/clang/tools/driver/driver.cpp b/clang/tools/driver/driver.cpp index 1e2c9884ba63d..490136961ebc6 100644 --- a/clang/tools/driver/driver.cpp +++ b/clang/tools/driver/driver.cpp @@ -38,6 +38,7 @@ #include "llvm/Support/CrashRecoveryContext.h" #include "llvm/Support/ErrorHandling.h" #include "llvm/Support/FileSystem.h" +#include "llvm/Support/IOSandbox.h" #include "llvm/Support/LLVMDriver.h" #include "llvm/Support/Path.h" #include "llvm/Support/PrettyStackTrace.h" @@ -264,8 +265,14 @@ int clang_main(int Argc, char **Argv, const llvm::ToolContext &ToolContext) { } // Handle -cc1 integrated tools. - if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) + if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) { + // Note that this only enables the sandbox for direct -cc1 invocations and + // out-of-process -cc1 invocations launched by the driver. For in-process + // -cc1 invocations launched by the driver, the sandbox is enabled in + // CC1Command::Execute() for better crash recovery. + auto EnableSandbox = llvm::sys::sandbox::scopedEnable(); return ExecuteCC1Tool(Args, ToolContext, VFS); + } // Handle options that need handling before the real command line parsing in // Driver::BuildCompilation() _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
