2020-01-17 21:05:03 +08:00
|
|
|
// Copyright 2019 Google LLC
|
2019-03-19 00:21:48 +08:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
#ifndef SANDBOXED_API_SANDBOX2_EXECUTOR_H_
|
|
|
|
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
|
|
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <unistd.h>
|
2020-07-17 19:54:20 +08:00
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
#include <memory>
|
|
|
|
#include <string>
|
2021-01-28 18:20:13 +08:00
|
|
|
#include <utility>
|
2019-03-19 00:21:48 +08:00
|
|
|
#include <vector>
|
|
|
|
|
|
|
|
#include <glog/logging.h>
|
|
|
|
#include "absl/base/macros.h"
|
2021-01-28 18:20:13 +08:00
|
|
|
#include "absl/strings/string_view.h"
|
|
|
|
#include "absl/types/span.h"
|
2020-07-17 19:54:20 +08:00
|
|
|
#include "sandboxed_api/sandbox2/fork_client.h"
|
2019-03-19 00:21:48 +08:00
|
|
|
#include "sandboxed_api/sandbox2/ipc.h"
|
|
|
|
#include "sandboxed_api/sandbox2/limits.h"
|
|
|
|
#include "sandboxed_api/sandbox2/namespace.h"
|
2021-01-28 18:20:13 +08:00
|
|
|
#include "sandboxed_api/util/fileops.h"
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
namespace sandbox2 {
|
|
|
|
|
|
|
|
// The sandbox2::Executor class is responsible for both creating and executing
|
|
|
|
// new processes which will be sandboxed.
|
|
|
|
class Executor final {
|
|
|
|
public:
|
|
|
|
Executor(const Executor&) = delete;
|
|
|
|
Executor& operator=(const Executor&) = delete;
|
|
|
|
|
|
|
|
// Initialized with a path to the process that the Executor class will
|
|
|
|
// execute
|
2021-01-28 18:20:13 +08:00
|
|
|
Executor(
|
|
|
|
absl::string_view path, absl::Span<const std::string> argv,
|
|
|
|
absl::Span<const std::string> envp = absl::MakeConstSpan(CopyEnviron()))
|
|
|
|
: path_(std::string(path)),
|
|
|
|
argv_(argv.begin(), argv.end()),
|
|
|
|
envp_(envp.begin(), envp.end()) {
|
|
|
|
CHECK(!path_.empty());
|
|
|
|
SetUpServerSideCommsFd();
|
|
|
|
}
|
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
// Executor will own this file-descriptor, so if intend to use it, pass here
|
|
|
|
// dup(fd) instead
|
2021-01-28 18:20:13 +08:00
|
|
|
Executor(int exec_fd, absl::Span<const std::string> argv,
|
|
|
|
absl::Span<const std::string> envp)
|
|
|
|
: exec_fd_(exec_fd),
|
|
|
|
argv_(argv.begin(), argv.end()),
|
|
|
|
envp_(envp.begin(), envp.end()) {
|
|
|
|
CHECK_GE(exec_fd, 0);
|
|
|
|
SetUpServerSideCommsFd();
|
|
|
|
}
|
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
// Uses a custom ForkServer (which the supplied ForkClient can communicate
|
|
|
|
// with), which knows how to fork (or even execute) new sandboxed processes
|
|
|
|
// (hence, no need to supply path/argv/envp here)
|
|
|
|
explicit Executor(ForkClient* fork_client)
|
2021-01-28 18:20:13 +08:00
|
|
|
: enable_sandboxing_pre_execve_(false), fork_client_(fork_client) {
|
|
|
|
CHECK(fork_client != nullptr);
|
|
|
|
SetUpServerSideCommsFd();
|
|
|
|
}
|
2019-03-19 00:21:48 +08:00
|
|
|
|
2019-10-24 00:51:44 +08:00
|
|
|
~Executor();
|
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
// Creates a new process which will act as a custom ForkServer. Should be used
|
|
|
|
// with custom fork servers only.
|
|
|
|
// This function returns immediately and returns a nullptr on failure.
|
|
|
|
std::unique_ptr<ForkClient> StartForkServer();
|
|
|
|
|
|
|
|
// Accessors
|
|
|
|
IPC* ipc() { return &ipc_; }
|
2019-03-19 18:40:51 +08:00
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
Limits* limits() { return &limits_; }
|
2019-03-19 18:40:51 +08:00
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
Executor& set_enable_sandbox_before_exec(bool value) {
|
|
|
|
enable_sandboxing_pre_execve_ = value;
|
|
|
|
return *this;
|
|
|
|
}
|
2019-03-19 18:40:51 +08:00
|
|
|
|
2019-03-19 00:21:48 +08:00
|
|
|
Executor& set_cwd(std::string value) {
|
|
|
|
cwd_ = std::move(value);
|
|
|
|
return *this;
|
|
|
|
}
|
|
|
|
|
|
|
|
private:
|
|
|
|
friend class Monitor;
|
|
|
|
friend class StackTracePeer;
|
|
|
|
|
|
|
|
// Internal constructor for executing libunwind on the given pid
|
|
|
|
// enable_sandboxing_pre_execve=false as we are not going to execve.
|
|
|
|
explicit Executor(pid_t libunwind_sbox_for_pid)
|
2021-01-28 18:20:13 +08:00
|
|
|
: libunwind_sbox_for_pid_(libunwind_sbox_for_pid),
|
|
|
|
enable_sandboxing_pre_execve_(false) {
|
|
|
|
CHECK_GE(libunwind_sbox_for_pid_, 0);
|
|
|
|
SetUpServerSideCommsFd();
|
|
|
|
}
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
// Creates a copy of the environment
|
|
|
|
static std::vector<std::string> CopyEnviron();
|
|
|
|
|
|
|
|
// Creates a server-side Comms end-point using a pre-connected file
|
|
|
|
// descriptor.
|
|
|
|
void SetUpServerSideCommsFd();
|
|
|
|
|
|
|
|
// Starts a new process which is connected with this Executor instance via a
|
|
|
|
// Comms channel.
|
|
|
|
// For clone_flags refer to Linux' 'man 2 clone'.
|
|
|
|
//
|
|
|
|
// caps is a vector of capabilities that are kept in the permitted set after
|
|
|
|
// the clone, use with caution.
|
|
|
|
//
|
|
|
|
// Returns the same values as fork().
|
|
|
|
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
|
2021-07-12 17:37:17 +08:00
|
|
|
const std::vector<int>& caps = {},
|
2019-03-19 00:21:48 +08:00
|
|
|
pid_t* init_pid_out = nullptr);
|
|
|
|
|
|
|
|
// Whether the Executor has been started yet
|
|
|
|
bool started_ = false;
|
|
|
|
|
|
|
|
// If this executor is running the libunwind sandbox for a process,
|
|
|
|
// this variable will hold the PID of the process. Otherwise it is zero.
|
2021-01-28 18:20:13 +08:00
|
|
|
pid_t libunwind_sbox_for_pid_ = 0;
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
// Should the sandboxing be enabled before execve() occurs, or the binary will
|
|
|
|
// do it by itself, using the Client object's methods
|
2021-01-28 18:20:13 +08:00
|
|
|
bool enable_sandboxing_pre_execve_ = true;
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
// Alternate (path/fd)/argv/envp to be used the in the __NR_execve call.
|
2021-01-28 18:20:13 +08:00
|
|
|
int exec_fd_ = -1;
|
2019-03-19 00:21:48 +08:00
|
|
|
std::string path_;
|
|
|
|
std::vector<std::string> argv_;
|
|
|
|
std::vector<std::string> envp_;
|
|
|
|
|
2021-01-28 18:20:13 +08:00
|
|
|
// chdir to cwd_, if set. Defaults to current working directory.
|
|
|
|
std::string cwd_ = []() {
|
|
|
|
std::string cwd = sapi::file_util::fileops::GetCWD();
|
|
|
|
PCHECK(!cwd.empty());
|
|
|
|
return cwd;
|
|
|
|
}();
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
// Server (sandbox) end-point of a socket-pair used to create Comms channel
|
|
|
|
int server_comms_fd_ = -1;
|
|
|
|
// Client (sandboxee) end-point of a socket-pair used to create Comms channel
|
|
|
|
int client_comms_fd_ = -1;
|
|
|
|
|
|
|
|
// ForkClient connecting to the ForkServer - not owned by the object
|
2021-01-28 18:20:13 +08:00
|
|
|
ForkClient* fork_client_ = nullptr;
|
2019-03-19 00:21:48 +08:00
|
|
|
|
|
|
|
IPC ipc_; // Used for communication with the sandboxee
|
|
|
|
Limits limits_; // Defines server- and client-side limits
|
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace sandbox2
|
|
|
|
|
|
|
|
#endif // SANDBOXED_API_SANDBOX2_EXECUTOR_H_
|