diff --git a/clang/tools/driver/cc1gen_reproducer_main.cpp b/clang/tools/driver/cc1gen_reproducer_main.cpp index 14548c39975da..851d252015c44 100644 --- a/clang/tools/driver/cc1gen_reproducer_main.cpp +++ b/clang/tools/driver/cc1gen_reproducer_main.cpp @@ -116,6 +116,9 @@ generateReproducerForInvocationArguments( ArrayRef Argv, const ClangInvocationInfo &Info, const llvm::ToolContext &ToolContext, IntrusiveRefCntPtr VFS) { + // The driver is not expected to be free of sandbox violations. + auto BypassSandbox = llvm::sys::sandbox::scopedDisable(); + using namespace driver; auto TargetAndMode = ToolChain::getTargetAndModeFromProgramName(Argv[0]); diff --git a/clang/tools/driver/driver.cpp b/clang/tools/driver/driver.cpp index 1e2c9884ba63d..490136961ebc6 100644 --- a/clang/tools/driver/driver.cpp +++ b/clang/tools/driver/driver.cpp @@ -38,6 +38,7 @@ #include "llvm/Support/CrashRecoveryContext.h" #include "llvm/Support/ErrorHandling.h" #include "llvm/Support/FileSystem.h" +#include "llvm/Support/IOSandbox.h" #include "llvm/Support/LLVMDriver.h" #include "llvm/Support/Path.h" #include "llvm/Support/PrettyStackTrace.h" @@ -264,8 +265,14 @@ int clang_main(int Argc, char **Argv, const llvm::ToolContext &ToolContext) { } // Handle -cc1 integrated tools. - if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) + if (Args.size() >= 2 && StringRef(Args[1]).starts_with("-cc1")) { + // Note that this only enables the sandbox for direct -cc1 invocations and + // out-of-process -cc1 invocations launched by the driver. For in-process + // -cc1 invocations launched by the driver, the sandbox is enabled in + // CC1Command::Execute() for better crash recovery. + auto EnableSandbox = llvm::sys::sandbox::scopedEnable(); return ExecuteCC1Tool(Args, ToolContext, VFS); + } // Handle options that need handling before the real command line parsing in // Driver::BuildCompilation()
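Review bot: In generateReproducerForInvocationArguments the `scopedDisable()` guard is taken on the first line and, being a scoped object, presumably stays in effect until the function returns, so everything in the function runs outside the sandbox checks, not only the driver calls the comment refers to. The body continues outside the hunk, so I cannot see how much non-driver work that covers. If there is any, move the guard into a narrower block around the driver usage; otherwise say the width is intended, e.g. `// Disabled for the whole function: everything below runs driver code.` Separately, this file's diff adds no `#include "llvm/Support/IOSandbox.h"` (driver.cpp gets one), so unless the header is already included here, the new call relies on a transitive include.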
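Review bot: The new comment in clang_main speaks only of -cc1, but the condition is `StringRef(Args[1]).starts_with("-cc1")`, so the guard is enabled for every integrated tool whose flag has that prefix, not just the compiler frontend. The cc1gen_reproducer_main.cpp hunk in this same commit disables the sandbox again inside generateReproducerForInvocationArguments, which suggests at least one of those tools is not meant to run under it. I would say so in the comment, for example `// This covers every tool dispatched by ExecuteCC1Tool(); tools that run driver code opt out locally with scopedDisable().`, so a reader does not assume the whole -cc1* family is checked. clang_main's body begins and ends outside the hunk.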