StarMirror
/
sandboxed-api
mirror of https://github.com/google/sandboxed-api
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Provide an option to use the unotify monitor instead of the ptrace monitor. 

PiperOrigin-RevId: 590847415
Change-Id: I45b1c392e108694f990a9762a2077e19d72f7b05
pull/171/head
Oliver Kunz 2023-12-14 00:47:34 -08:00 committed by Copybara-Service
parent 0a992b683f
commit 1255f57108
3 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sandboxed_api/sandbox.cc
View File

@ -139,7 +139,7 @@ static std::string PathToSAPILib(const std::string& lib_path) {
: GetDataDependencyFilePath(lib_path);
}
absl::Status Sandbox::Init() {
absl::Status Sandbox::Init(bool use_unotify_monitor) {
// It's already initialized
if (is_active()) {
return absl::OkStatus();
@ -188,6 +188,9 @@ absl::Status Sandbox::Init() {
sandbox2::PolicyBuilder policy_builder;
InitDefaultPolicyBuilder(&policy_builder);
if (use_unotify_monitor) {
policy_builder.CollectStacktracesOnSignal(false);
}
auto s2p = ModifyPolicy(&policy_builder);
// Spawn new process from the forkserver.
@ -208,6 +211,9 @@ absl::Status Sandbox::Init() {
s2_ = std::make_unique<sandbox2::Sandbox2>(std::move(executor),
std::move(s2p), CreateNotifier());
if (use_unotify_monitor) {
SAPI_RETURN_IF_ERROR(s2_->EnableUnotifyMonitor());
}
s2_awaited_ = false;
auto res = s2_->RunAsync();

2
sandboxed_api/sandbox.h
View File

@ -52,7 +52,7 @@ class Sandbox {
virtual ~Sandbox();
// Initializes a new sandboxing session.
absl::Status Init();
absl::Status Init(bool use_unotify_monitor = false);
// Returns whether the current sandboxing session is active.
bool is_active() const;

19
sandboxed_api/sapi_test.cc
View File

@ -284,5 +284,24 @@ TEST(SandboxTest, NoRaceInConcurrentTerminate) {
EXPECT_THAT(result.final_status(), Eq(sandbox2::Result::EXTERNAL_KILL));
}
TEST(SandboxTest, UseUnotifyMonitor) {
SumSandbox sandbox;
ASSERT_THAT(sandbox.Init(/*use_unotify_monitor=*/true), IsOk());
SumApi api(&sandbox);
// Violate the sandbox policy.
EXPECT_THAT(api.violate(), StatusIs(absl::StatusCode::kUnavailable));
EXPECT_THAT(api.sum(1, 2).status(), StatusIs(absl::StatusCode::kUnavailable));
EXPECT_THAT(sandbox.AwaitResult().final_status(),
Eq(sandbox2::Result::VIOLATION));
// Restart the sandbox.
ASSERT_THAT(sandbox.Restart(false), IsOk());
// The sandbox should now be responsive again.
SAPI_ASSERT_OK_AND_ASSIGN(int result, api.sum(1, 2));
EXPECT_THAT(result, Eq(3));
}
} // namespace
} // namespace sapi