2020-01-17 21:05:03 +08:00
|
|
|
// Copyright 2019 Google LLC
|
2019-07-09 16:31:48 +08:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
// Implementation of the sandbox2::StackTrace class.
|
|
|
|
|
|
|
|
#include "sandboxed_api/sandbox2/stack_trace.h"
|
|
|
|
|
|
|
|
#include <sys/resource.h>
|
|
|
|
#include <syscall.h>
|
2019-10-23 00:05:13 +08:00
|
|
|
|
2019-07-09 16:31:48 +08:00
|
|
|
#include <memory>
|
|
|
|
#include <utility>
|
|
|
|
#include <vector>
|
|
|
|
|
|
|
|
#include <glog/logging.h>
|
|
|
|
#include "sandboxed_api/util/flag.h"
|
|
|
|
#include "absl/memory/memory.h"
|
|
|
|
#include "absl/strings/numbers.h"
|
|
|
|
#include "absl/strings/str_cat.h"
|
|
|
|
#include "absl/strings/strip.h"
|
|
|
|
#include "libcap/include/sys/capability.h"
|
2021-01-14 01:25:25 +08:00
|
|
|
#include "sandboxed_api/config.h"
|
2019-07-09 16:31:48 +08:00
|
|
|
#include "sandboxed_api/sandbox2/comms.h"
|
|
|
|
#include "sandboxed_api/sandbox2/executor.h"
|
|
|
|
#include "sandboxed_api/sandbox2/ipc.h"
|
|
|
|
#include "sandboxed_api/sandbox2/limits.h"
|
|
|
|
#include "sandboxed_api/sandbox2/policy.h"
|
|
|
|
#include "sandboxed_api/sandbox2/policybuilder.h"
|
|
|
|
#include "sandboxed_api/sandbox2/regs.h"
|
|
|
|
#include "sandboxed_api/sandbox2/result.h"
|
|
|
|
#include "sandboxed_api/sandbox2/sandbox2.h"
|
|
|
|
#include "sandboxed_api/sandbox2/unwind/unwind.h"
|
|
|
|
#include "sandboxed_api/sandbox2/unwind/unwind.pb.h"
|
|
|
|
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
2021-01-14 01:25:25 +08:00
|
|
|
#include "sandboxed_api/util/fileops.h"
|
|
|
|
#include "sandboxed_api/util/path.h"
|
2019-07-09 16:31:48 +08:00
|
|
|
|
|
|
|
ABSL_FLAG(bool, sandbox_disable_all_stack_traces, false,
|
|
|
|
"Completely disable stack trace collection for sandboxees");
|
|
|
|
|
|
|
|
ABSL_FLAG(bool, sandbox_libunwind_crash_handler, true,
|
|
|
|
"Sandbox libunwind when handling violations (preferred)");
|
|
|
|
|
|
|
|
namespace sandbox2 {
|
|
|
|
|
2021-01-14 01:25:25 +08:00
|
|
|
namespace file = ::sapi::file;
|
|
|
|
namespace file_util = ::sapi::file_util;
|
|
|
|
|
2019-07-09 16:31:48 +08:00
|
|
|
class StackTracePeer {
|
|
|
|
public:
|
|
|
|
static std::unique_ptr<Policy> GetPolicy(pid_t target_pid,
|
|
|
|
const std::string& maps_file,
|
|
|
|
const std::string& app_path,
|
|
|
|
const std::string& exe_path,
|
|
|
|
const Mounts& mounts);
|
|
|
|
|
|
|
|
static bool LaunchLibunwindSandbox(const Regs* regs, const Mounts& mounts,
|
2020-07-20 15:24:12 +08:00
|
|
|
UnwindResult* result);
|
2019-07-09 16:31:48 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
std::unique_ptr<Policy> StackTracePeer::GetPolicy(pid_t target_pid,
|
|
|
|
const std::string& maps_file,
|
|
|
|
const std::string& app_path,
|
|
|
|
const std::string& exe_path,
|
|
|
|
const Mounts& mounts) {
|
|
|
|
PolicyBuilder builder;
|
|
|
|
builder
|
|
|
|
// Use the mounttree of the original executable as starting point.
|
|
|
|
.SetMounts(mounts)
|
|
|
|
.AllowOpen()
|
|
|
|
.AllowRead()
|
|
|
|
.AllowWrite()
|
|
|
|
.AllowSyscall(__NR_close)
|
|
|
|
.AllowMmap()
|
|
|
|
.AllowExit()
|
|
|
|
.AllowHandleSignals()
|
|
|
|
|
|
|
|
// libunwind
|
|
|
|
.AllowSyscall(__NR_fstat)
|
2020-12-17 01:17:53 +08:00
|
|
|
#ifdef __NR_fstat64
|
|
|
|
.AllowSyscall(__NR_fstat64)
|
|
|
|
#endif
|
2019-07-09 16:31:48 +08:00
|
|
|
.AllowSyscall(__NR_lseek)
|
2020-09-14 16:18:09 +08:00
|
|
|
#ifdef __NR__llseek
|
|
|
|
.AllowSyscall(__NR__llseek) // Newer glibc on PPC
|
|
|
|
#endif
|
2019-07-09 16:31:48 +08:00
|
|
|
.AllowSyscall(__NR_mincore)
|
|
|
|
.AllowSyscall(__NR_mprotect)
|
|
|
|
.AllowSyscall(__NR_munmap)
|
|
|
|
.AllowSyscall(__NR_pipe2)
|
|
|
|
|
|
|
|
// Symbolizer
|
|
|
|
.AllowSyscall(__NR_brk)
|
|
|
|
.AllowSyscall(__NR_clock_gettime)
|
|
|
|
|
|
|
|
// Other
|
|
|
|
.AllowSyscall(__NR_dup)
|
|
|
|
.AllowSyscall(__NR_fcntl)
|
|
|
|
.AllowSyscall(__NR_getpid)
|
|
|
|
.AllowSyscall(__NR_gettid)
|
|
|
|
.AllowSyscall(__NR_madvise)
|
|
|
|
|
|
|
|
// Required for our ptrace replacement.
|
|
|
|
.AddPolicyOnSyscall(
|
|
|
|
__NR_process_vm_readv,
|
|
|
|
{
|
2020-07-20 15:24:12 +08:00
|
|
|
// The pid technically is a 64bit int, however Linux usually uses
|
|
|
|
// max 16 bit, so we are fine with comparing only 32 bits here.
|
2019-07-09 16:31:48 +08:00
|
|
|
ARG_32(0),
|
|
|
|
JEQ32(static_cast<unsigned int>(target_pid), ALLOW),
|
|
|
|
JEQ32(static_cast<unsigned int>(1), ALLOW),
|
|
|
|
})
|
|
|
|
|
|
|
|
// Add proc maps.
|
|
|
|
.AddFileAt(maps_file,
|
|
|
|
file::JoinPath("/proc", absl::StrCat(target_pid), "maps"))
|
|
|
|
.AddFileAt(maps_file,
|
|
|
|
file::JoinPath("/proc", absl::StrCat(target_pid), "task",
|
|
|
|
absl::StrCat(target_pid), "maps"))
|
|
|
|
|
|
|
|
// Add the binary itself.
|
|
|
|
.AddFileAt(exe_path, app_path);
|
|
|
|
|
|
|
|
// Add all possible libraries without the need of parsing the binary
|
|
|
|
// or /proc/pid/maps.
|
|
|
|
for (const auto& library_path : {
|
|
|
|
"/usr/lib",
|
|
|
|
"/lib",
|
|
|
|
}) {
|
|
|
|
if (access(library_path, F_OK) != -1) {
|
|
|
|
VLOG(1) << "Adding library folder '" << library_path << "'";
|
|
|
|
builder.AddDirectory(library_path);
|
|
|
|
} else {
|
|
|
|
VLOG(1) << "Could not add library folder '" << library_path
|
|
|
|
<< "' as it does not exist";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-07-20 15:24:12 +08:00
|
|
|
auto policy = builder.TryBuild();
|
|
|
|
if (!policy.ok()) {
|
2019-07-09 16:31:48 +08:00
|
|
|
LOG(ERROR) << "Creating stack unwinder sandbox policy failed";
|
|
|
|
return nullptr;
|
|
|
|
}
|
2020-07-01 23:23:20 +08:00
|
|
|
auto keep_capabilities = absl::make_unique<std::vector<int>>();
|
2019-07-09 16:31:48 +08:00
|
|
|
keep_capabilities->push_back(CAP_SYS_PTRACE);
|
2020-07-20 15:24:12 +08:00
|
|
|
(*policy)->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
|
2019-07-09 16:31:48 +08:00
|
|
|
// Use no special namespace flags when cloning. We will join an existing
|
|
|
|
// user namespace and will unshare() afterwards (See forkserver.cc).
|
2020-07-20 15:24:12 +08:00
|
|
|
(*policy)->GetNamespace()->clone_flags_ = 0;
|
|
|
|
return std::move(*policy);
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
bool StackTracePeer::LaunchLibunwindSandbox(const Regs* regs,
|
|
|
|
const Mounts& mounts,
|
2020-07-20 15:24:12 +08:00
|
|
|
sandbox2::UnwindResult* result) {
|
2019-07-09 16:31:48 +08:00
|
|
|
const pid_t pid = regs->pid();
|
|
|
|
|
|
|
|
// Tell executor to use this special internal mode.
|
|
|
|
std::vector<std::string> argv;
|
|
|
|
std::vector<std::string> envp;
|
|
|
|
|
|
|
|
// We're not using absl::make_unique here as we're a friend of this specific
|
|
|
|
// constructor and using make_unique won't work.
|
|
|
|
auto executor = absl::WrapUnique(new Executor(pid));
|
|
|
|
|
|
|
|
executor->limits()
|
|
|
|
->set_rlimit_as(RLIM64_INFINITY)
|
|
|
|
.set_rlimit_cpu(10)
|
|
|
|
.set_walltime_limit(absl::Seconds(5));
|
|
|
|
|
|
|
|
// Temporary directory used to provide files from /proc to the unwind sandbox.
|
|
|
|
char unwind_temp_directory_template[] = "/tmp/.sandbox2_unwind_XXXXXX";
|
|
|
|
char* unwind_temp_directory = mkdtemp(unwind_temp_directory_template);
|
|
|
|
if (!unwind_temp_directory) {
|
|
|
|
LOG(WARNING) << "Could not create temporary directory for unwinding";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
struct UnwindTempDirectoryCleanup {
|
|
|
|
~UnwindTempDirectoryCleanup() {
|
|
|
|
file_util::fileops::DeleteRecursively(capture);
|
|
|
|
}
|
|
|
|
char* capture;
|
|
|
|
} cleanup{unwind_temp_directory};
|
|
|
|
|
|
|
|
// Copy over important files from the /proc directory as we can't mount them.
|
|
|
|
const std::string unwind_temp_maps_path =
|
|
|
|
file::JoinPath(unwind_temp_directory, "maps");
|
|
|
|
|
|
|
|
if (!file_util::fileops::CopyFile(
|
|
|
|
file::JoinPath("/proc", absl::StrCat(pid), "maps"),
|
|
|
|
unwind_temp_maps_path, 0400)) {
|
|
|
|
LOG(WARNING) << "Could not copy maps file";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get path to the binary.
|
2019-10-23 00:05:13 +08:00
|
|
|
// app_path contains the path like it is also in /proc/pid/maps. It is
|
|
|
|
// relative to the sandboxee's mount namespace. If it is not existing
|
|
|
|
// (anymore) it will have a ' (deleted)' suffix.
|
2019-07-09 16:31:48 +08:00
|
|
|
std::string app_path;
|
|
|
|
std::string proc_pid_exe = file::JoinPath("/proc", absl::StrCat(pid), "exe");
|
|
|
|
if (!file_util::fileops::ReadLinkAbsolute(proc_pid_exe, &app_path)) {
|
|
|
|
LOG(WARNING) << "Could not obtain absolute path to the binary";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2019-10-23 00:05:13 +08:00
|
|
|
// The exe_path will have a mountable path of the application, even if it was
|
|
|
|
// removed.
|
|
|
|
// Resolve app_path backing file.
|
2021-02-19 16:43:06 +08:00
|
|
|
std::string exe_path = mounts.ResolvePath(app_path).value_or("");
|
2019-10-23 00:05:13 +08:00
|
|
|
|
|
|
|
if (exe_path.empty()) {
|
|
|
|
// File was probably removed.
|
2019-07-09 16:31:48 +08:00
|
|
|
LOG(WARNING) << "File was removed, using /proc/pid/exe.";
|
|
|
|
app_path = std::string(absl::StripSuffix(app_path, " (deleted)"));
|
|
|
|
// Create a copy of /proc/pid/exe, mount that one.
|
|
|
|
exe_path = file::JoinPath(unwind_temp_directory, "exe");
|
|
|
|
if (!file_util::fileops::CopyFile(proc_pid_exe, exe_path, 0700)) {
|
|
|
|
LOG(WARNING) << "Could not copy /proc/pid/exe";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
VLOG(1) << "Resolved binary: " << app_path << " / " << exe_path;
|
|
|
|
|
|
|
|
// Add mappings for the binary (as they might not have been added due to the
|
|
|
|
// forkserver).
|
|
|
|
auto policy = StackTracePeer::GetPolicy(pid, unwind_temp_maps_path, app_path,
|
|
|
|
exe_path, mounts);
|
|
|
|
if (!policy) {
|
|
|
|
return false;
|
|
|
|
}
|
2020-07-20 15:24:12 +08:00
|
|
|
Sandbox2 sandbox(std::move(executor), std::move(policy));
|
2019-07-09 16:31:48 +08:00
|
|
|
|
|
|
|
VLOG(1) << "Running libunwind sandbox";
|
2020-07-20 15:24:12 +08:00
|
|
|
sandbox.RunAsync();
|
2021-02-19 20:42:52 +08:00
|
|
|
Comms* comms = sandbox.comms();
|
2020-07-20 15:24:12 +08:00
|
|
|
|
2019-07-09 16:31:48 +08:00
|
|
|
UnwindSetup msg;
|
|
|
|
msg.set_pid(pid);
|
|
|
|
msg.set_regs(reinterpret_cast<const char*>(®s->user_regs_),
|
|
|
|
sizeof(regs->user_regs_));
|
|
|
|
msg.set_default_max_frames(kDefaultMaxFrames);
|
|
|
|
|
|
|
|
bool success = true;
|
|
|
|
if (!comms->SendProtoBuf(msg)) {
|
|
|
|
LOG(ERROR) << "Sending libunwind setup message failed";
|
|
|
|
success = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (success && !comms->RecvProtoBuf(result)) {
|
|
|
|
LOG(ERROR) << "Receiving libunwind result failed";
|
|
|
|
success = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!success) {
|
2020-07-20 15:24:12 +08:00
|
|
|
sandbox.Kill();
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
2020-07-20 15:24:12 +08:00
|
|
|
auto sandbox_result = sandbox.AwaitResult();
|
2019-07-09 16:31:48 +08:00
|
|
|
|
2020-07-20 15:24:12 +08:00
|
|
|
LOG(INFO) << "Libunwind execution status: " << sandbox_result.ToString();
|
2019-07-09 16:31:48 +08:00
|
|
|
|
2020-07-20 15:24:12 +08:00
|
|
|
return success && sandbox_result.final_status() == Result::OK;
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
2020-07-20 15:24:12 +08:00
|
|
|
std::vector<std::string> GetStackTrace(const Regs* regs, const Mounts& mounts) {
|
2021-01-14 01:25:25 +08:00
|
|
|
if constexpr (sapi::host_cpu::IsArm64()) {
|
2020-09-11 21:33:57 +08:00
|
|
|
return {"[Stack traces unavailable]"};
|
|
|
|
}
|
2019-07-09 16:31:48 +08:00
|
|
|
if (absl::GetFlag(FLAGS_sandbox_disable_all_stack_traces)) {
|
2020-07-20 15:24:12 +08:00
|
|
|
return {"[Stacktraces disabled]"};
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
if (!regs) {
|
|
|
|
LOG(WARNING) << "Could not obtain stacktrace, regs == nullptr";
|
2020-07-20 15:24:12 +08:00
|
|
|
return {"[ERROR (noregs)]"};
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Show a warning if sandboxed libunwind is requested but we're running in
|
2021-02-01 23:10:43 +08:00
|
|
|
// an ASAN/coverage build (= we can't use sandboxed libunwind).
|
|
|
|
if (const bool coverage_enabled =
|
|
|
|
getenv("COVERAGE") != nullptr;
|
|
|
|
absl::GetFlag(FLAGS_sandbox_libunwind_crash_handler) &&
|
|
|
|
(sapi::sanitizers::IsAny() || coverage_enabled)) {
|
|
|
|
LOG_IF(WARNING, sapi::sanitizers::IsAny())
|
2019-07-09 16:31:48 +08:00
|
|
|
<< "Sanitizer build, using non-sandboxed libunwind";
|
|
|
|
LOG_IF(WARNING, coverage_enabled)
|
|
|
|
<< "Coverage build, using non-sandboxed libunwind";
|
2020-07-20 15:24:12 +08:00
|
|
|
return UnsafeGetStackTrace(regs->pid());
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!absl::GetFlag(FLAGS_sandbox_libunwind_crash_handler)) {
|
2020-07-20 15:24:12 +08:00
|
|
|
return UnsafeGetStackTrace(regs->pid());
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
2020-07-20 15:24:12 +08:00
|
|
|
UnwindResult res;
|
|
|
|
if (!StackTracePeer::LaunchLibunwindSandbox(regs, mounts, &res)) {
|
|
|
|
return {};
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
2020-07-20 15:24:12 +08:00
|
|
|
return {res.stacktrace().begin(), res.stacktrace().end()};
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
2020-07-20 15:24:12 +08:00
|
|
|
std::vector<std::string> UnsafeGetStackTrace(pid_t pid) {
|
2019-07-09 16:31:48 +08:00
|
|
|
LOG(WARNING) << "Using non-sandboxed libunwind";
|
|
|
|
std::vector<uintptr_t> ips;
|
2020-07-20 15:24:12 +08:00
|
|
|
return RunLibUnwindAndSymbolizer(pid, &ips, kDefaultMaxFrames);
|
|
|
|
}
|
|
|
|
|
|
|
|
std::vector<std::string> CompactStackTrace(
|
|
|
|
const std::vector<std::string>& stack_trace) {
|
|
|
|
std::vector<std::string> compact_trace;
|
|
|
|
compact_trace.reserve(stack_trace.size() / 2);
|
|
|
|
const std::string* prev = nullptr;
|
|
|
|
int seen = 0;
|
|
|
|
auto add_repeats = [&compact_trace](int seen) {
|
|
|
|
if (seen != 0) {
|
|
|
|
compact_trace.push_back(
|
|
|
|
absl::StrCat("(previous frame repeated ", seen, " times)"));
|
|
|
|
}
|
|
|
|
};
|
|
|
|
for (const auto& frame : stack_trace) {
|
|
|
|
if (prev && frame == *prev) {
|
|
|
|
++seen;
|
|
|
|
} else {
|
|
|
|
prev = &frame;
|
|
|
|
add_repeats(seen);
|
|
|
|
seen = 0;
|
|
|
|
compact_trace.push_back(frame);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
add_repeats(seen);
|
|
|
|
return compact_trace;
|
2019-07-09 16:31:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace sandbox2
|