Provide an option to use the unotify monitor instead of the ptrace monitor.

PiperOrigin-RevId: 590847415 Change-Id: I45b1c392e108694f990a9762a2077e19d72f7b05
2024-03-22 13:11:30 +08:00 · 2023-12-14 00:47:34 -08:00 · 2023-12-14 00:47:34 -08:00 · 1255f57108
commit 1255f57108
parent 0a992b683f
3 changed files with 27 additions and 2 deletions
--- a/sandboxed_api/sandbox.cc
+++ b/sandboxed_api/sandbox.cc
@ -139,7 +139,7 @@ static std::string PathToSAPILib(const std::string& lib_path) {
                                        : GetDataDependencyFilePath(lib_path);
 }

-absl::Status Sandbox::Init() {
+absl::Status Sandbox::Init(bool use_unotify_monitor) {
  // It's already initialized
  if (is_active()) {
    return absl::OkStatus();
@ -188,6 +188,9 @@ absl::Status Sandbox::Init() {

    sandbox2::PolicyBuilder policy_builder;
    InitDefaultPolicyBuilder(&policy_builder);
+  if (use_unotify_monitor) {
+    policy_builder.CollectStacktracesOnSignal(false);
+  }
  auto s2p = ModifyPolicy(&policy_builder);

  // Spawn new process from the forkserver.
@ -208,6 +211,9 @@ absl::Status Sandbox::Init() {

  s2_ = std::make_unique<sandbox2::Sandbox2>(std::move(executor),
                                             std::move(s2p), CreateNotifier());
+  if (use_unotify_monitor) {
+    SAPI_RETURN_IF_ERROR(s2_->EnableUnotifyMonitor());
+  }
  s2_awaited_ = false;
  auto res = s2_->RunAsync();

--- a/sandboxed_api/sandbox.h
+++ b/sandboxed_api/sandbox.h
@ -52,7 +52,7 @@ class Sandbox {
  virtual ~Sandbox();

  // Initializes a new sandboxing session.
-  absl::Status Init();
+  absl::Status Init(bool use_unotify_monitor = false);

  // Returns whether the current sandboxing session is active.
  bool is_active() const;
--- a/sandboxed_api/sapi_test.cc
+++ b/sandboxed_api/sapi_test.cc
@ -284,5 +284,24 @@ TEST(SandboxTest, NoRaceInConcurrentTerminate) {
  EXPECT_THAT(result.final_status(), Eq(sandbox2::Result::EXTERNAL_KILL));
 }

+TEST(SandboxTest, UseUnotifyMonitor) {
+  SumSandbox sandbox;
+  ASSERT_THAT(sandbox.Init(/*use_unotify_monitor=*/true), IsOk());
+  SumApi api(&sandbox);
+
+  // Violate the sandbox policy.
+  EXPECT_THAT(api.violate(), StatusIs(absl::StatusCode::kUnavailable));
+  EXPECT_THAT(api.sum(1, 2).status(), StatusIs(absl::StatusCode::kUnavailable));
+  EXPECT_THAT(sandbox.AwaitResult().final_status(),
+              Eq(sandbox2::Result::VIOLATION));
+
+  // Restart the sandbox.
+  ASSERT_THAT(sandbox.Restart(false), IsOk());
+
+  // The sandbox should now be responsive again.
+  SAPI_ASSERT_OK_AND_ASSIGN(int result, api.sum(1, 2));
+  EXPECT_THAT(result, Eq(3));
+}
+
 }  // namespace
 }  // namespace sapi