// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <sys/prctl.h>
#include <sys/socket.h>
#include <unistd.h>
#include <csignal>
#include <cstdlib>
#include "absl/log/globals.h"
#include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/unwind/unwind.h"
#include "sandboxed_api/util/raw_logging.h"
int main() {
  // Send log messages of INFO severity and above to stderr.
  absl::SetStderrThreshold(absl::LogSeverityAtLeast::kInfo);

  // Keep only stdin/stdout/stderr and the Sandbox2 client comms descriptor
  // open, so that descriptors opened from here on get consistent numbers.
  // A failure is only logged; startup continues.
  // NOTE(review): when this fails, descriptors inherited from the parent may
  // still be open in this process - confirm that continuing is acceptable.
  const absl::Status close_fds_status =
      sandbox2::sanitizer::CloseAllFDsExcept(
          {0, 1, 2, sandbox2::Comms::kSandbox2ClientCommsFD});
  if (!close_fds_status.ok()) {
    SAPI_RAW_LOG(WARNING, "Closing non-essential FDs failed");
  }

  // Give the process a name that stands out in ps/pstree output. Failing to
  // rename is not fatal.
  const int set_name_rc = prctl(PR_SET_NAME, "S2-FORK-SERV", 0, 0, 0);
  if (set_name_rc != 0) {
    SAPI_RAW_PLOG(WARNING, "prctl(PR_SET_NAME, 'S2-FORK-SERV')");
  }

  // Ignore SIGTERM sent by other processes (e.g. the borglet or SubProcess)
  // instead of reacting to it with stack tracing. The lifetime of this
  // ForkServer is tied to its parent (or to the GlobalForkServerComms being
  // closed) through prctl(PR_SET_PDEATHSIG, SIGKILL), which is called in
  // ForkServer::Initialize(). The disposition is installed here rather than
  // in ForkServer::Initialize() so that non-global ForkServers keep their
  // behavior.
  struct sigaction ignore_sigterm;
  sigemptyset(&ignore_sigterm.sa_mask);
  ignore_sigterm.sa_flags = 0;
  ignore_sigterm.sa_handler = SIG_IGN;
  const int sigaction_rc = sigaction(SIGTERM, &ignore_sigterm, nullptr);
  if (sigaction_rc == -1) {
    SAPI_RAW_PLOG(WARNING, "sigaction(SIGTERM, sa_handler=SIG_IGN)");
  }

  // The comms channel and the fork server are created only after the
  // descriptor cleanup above.
  sandbox2::Comms comms(sandbox2::Comms::kDefaultConnection);
  sandbox2::ForkServer fork_server(&comms);
  sandbox2::sanitizer::WaitForSanitizer();

  // Serve requests until the fork server reports that it is terminated.
  for (;;) {
    if (fork_server.IsTerminated()) {
      break;
    }
    const pid_t served_pid = fork_server.ServeRequest();
    if (served_pid != 0) {
      continue;
    }
    // A zero result sends this process down the unwinder path (presumably it
    // is the forked child, as with fork() - confirm against
    // ForkServer::ServeRequest()). SandboxMeHere() is called before the
    // unwinder/symbolizer runs; keep that order so the unwinder never runs
    // ahead of the sandbox setup.
    sandbox2::Client client(&comms);
    client.SandboxMeHere();
    const int unwinder_rc = sandbox2::RunLibUnwindAndSymbolizer(&comms);
    exit(unwinder_rc);
  }

  SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting");
}