StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Provide an option to use the unotify monitor instead of the ptrace monitor.

Browse Source 
PiperOrigin-RevId: 590847415
Change-Id: I45b1c392e108694f990a9762a2077e19d72f7b05
This commit is contained in:
Oliver Kunz 2023-12-14 00:47:34 -08:00 committed by Copybara-Service
parent 0a992b683f
commit 1255f57108
3 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sandboxed_api/sandbox.cc
View File

@ -139,7 +139,7 @@ static std::string PathToSAPILib(const std::string& lib_path) {
: GetDataDependencyFilePath(lib_path); : GetDataDependencyFilePath(lib_path);
} }
absl::Status Sandbox::Init() { absl::Status Sandbox::Init(bool use_unotify_monitor) {
// It's already initialized // It's already initialized
if (is_active()) { if (is_active()) {
return absl::OkStatus(); return absl::OkStatus();
@ -188,6 +188,9 @@ absl::Status Sandbox::Init() {
sandbox2::PolicyBuilder policy_builder; sandbox2::PolicyBuilder policy_builder;
InitDefaultPolicyBuilder(&policy_builder); InitDefaultPolicyBuilder(&policy_builder);
if (use_unotify_monitor) {
policy_builder.CollectStacktracesOnSignal(false);
}
auto s2p = ModifyPolicy(&policy_builder); auto s2p = ModifyPolicy(&policy_builder);
// Spawn new process from the forkserver. // Spawn new process from the forkserver.
@ -208,6 +211,9 @@ absl::Status Sandbox::Init() {
s2_ = std::make_unique<sandbox2::Sandbox2>(std::move(executor), s2_ = std::make_unique<sandbox2::Sandbox2>(std::move(executor),
std::move(s2p), CreateNotifier()); std::move(s2p), CreateNotifier());
if (use_unotify_monitor) {
SAPI_RETURN_IF_ERROR(s2_->EnableUnotifyMonitor());
}
s2_awaited_ = false; s2_awaited_ = false;
auto res = s2_->RunAsync(); auto res = s2_->RunAsync();

2
sandboxed_api/sandbox.h
View File

@ -52,7 +52,7 @@ class Sandbox {
virtual ~Sandbox(); virtual ~Sandbox();
// Initializes a new sandboxing session. // Initializes a new sandboxing session.
absl::Status Init(); absl::Status Init(bool use_unotify_monitor = false);
// Returns whether the current sandboxing session is active. // Returns whether the current sandboxing session is active.
bool is_active() const; bool is_active() const;

19
sandboxed_api/sapi_test.cc
View File

@ -284,5 +284,24 @@ TEST(SandboxTest, NoRaceInConcurrentTerminate) {
EXPECT_THAT(result.final_status(), Eq(sandbox2::Result::EXTERNAL_KILL)); EXPECT_THAT(result.final_status(), Eq(sandbox2::Result::EXTERNAL_KILL));
} }
TEST(SandboxTest, UseUnotifyMonitor) {
SumSandbox sandbox;
ASSERT_THAT(sandbox.Init(/*use_unotify_monitor=*/true), IsOk());
SumApi api(&sandbox);
// Violate the sandbox policy.
EXPECT_THAT(api.violate(), StatusIs(absl::StatusCode::kUnavailable));
EXPECT_THAT(api.sum(1, 2).status(), StatusIs(absl::StatusCode::kUnavailable));
EXPECT_THAT(sandbox.AwaitResult().final_status(),
Eq(sandbox2::Result::VIOLATION));
// Restart the sandbox.
ASSERT_THAT(sandbox.Restart(false), IsOk());
// The sandbox should now be responsive again.
SAPI_ASSERT_OK_AND_ASSIGN(int result, api.sum(1, 2));
EXPECT_THAT(result, Eq(3));
}
} // namespace } // namespace
} // namespace sapi } // namespace sapi