StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Move forkserver into a dedicated binary

Browse Source 
PiperOrigin-RevId: 242637894
Change-Id: I16f19d077e2b5b9d0d4ef58344d5caaef95af7c6
This commit is contained in:
Kevin Hamacher 2019-04-09 12:44:34 +02:00
parent e44231e28a
commit 1b50485be6
5 changed files with 134 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
sandboxed_api/BUILD.bazel
View File

@ -24,22 +24,43 @@ sapi_proto_library(
visibility = ["//visibility:public"], visibility = ["//visibility:public"],
) )
cc_library(
name = "embed_file",
srcs = [
"embed_file.cc",
"file_toc.h",
],
hdrs = ["embed_file.h"],
visibility = ["//visibility:public"],
deps = [
"//sandboxed_api/sandbox2:util",
"//sandboxed_api/sandbox2/util:fileops",
"//sandboxed_api/sandbox2/util:strerror",
"//sandboxed_api/util:status",
"@com_google_absl//absl/container:flat_hash_map",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/synchronization",
"@com_google_glog//:glog",
],
)
# The main Sandboxed-API library # The main Sandboxed-API library
cc_library( cc_library(
name = "sapi", name = "sapi",
srcs = [ srcs = [
"embed_file.cc",
"file_toc.h",
"sandbox.cc", "sandbox.cc",
"transaction.cc", "transaction.cc",
], ],
hdrs = [ hdrs = [
# TODO(hamacher): Remove reexport workaround as soon as the buildsystem
# supports this usecase.
"embed_file.h", "embed_file.h",
"sandbox.h", "sandbox.h",
"transaction.h", "transaction.h",
], ],
visibility = ["//visibility:public"], visibility = ["//visibility:public"],
deps = [ deps = [
":embed_file",
":vars", ":vars",
"//sandboxed_api/sandbox2", "//sandboxed_api/sandbox2",
"//sandboxed_api/sandbox2:client", "//sandboxed_api/sandbox2:client",

22
sandboxed_api/sandbox2/BUILD.bazel
View File

@ -21,6 +21,7 @@ package(default_visibility = [
licenses(["notice"]) # Apache 2.0 licenses(["notice"]) # Apache 2.0
load("//sandboxed_api/bazel:proto.bzl", "sapi_proto_library") load("//sandboxed_api/bazel:proto.bzl", "sapi_proto_library")
load("//sandboxed_api/bazel:embed_data.bzl", "sapi_cc_embed_data")
cc_library( cc_library(
name = "bpfdisassembler", name = "bpfdisassembler",
@ -199,6 +200,25 @@ cc_library(
], ],
) )
cc_binary(
name = "forkserver_bin",
srcs = ["forkserver_bin.cc"],
deps = [
":client",
":comms",
":forkserver",
"//sandboxed_api/sandbox2/util:strerror",
"//sandboxed_api/util:raw_logging",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/strings",
],
)
sapi_cc_embed_data(
name = "forkserver_bin_embed",
srcs = [":forkserver_bin.stripped"],
)
cc_library( cc_library(
name = "global_forkserver", name = "global_forkserver",
srcs = ["global_forkclient.cc"], srcs = ["global_forkclient.cc"],
@ -207,6 +227,8 @@ cc_library(
":client", ":client",
":comms", ":comms",
":forkserver", ":forkserver",
":forkserver_bin_embed",
"//sandboxed_api:embed_file",
"//sandboxed_api/sandbox2/util:strerror", "//sandboxed_api/sandbox2/util:strerror",
"//sandboxed_api/util:raw_logging", "//sandboxed_api/util:raw_logging",
"@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/base:core_headers",

5
sandboxed_api/sandbox2/forkserver.cc
View File

@ -182,6 +182,11 @@ static void RunInitProcess(int signaling_fd, std::set<int> open_fds) {
if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) != 0) { if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) != 0) {
SAPI_RAW_PLOG(ERROR, "prctl(PR_SET_PDEATHSIG, SIGKILL) failed"); SAPI_RAW_PLOG(ERROR, "prctl(PR_SET_PDEATHSIG, SIGKILL) failed");
} }
if (prctl(PR_SET_NAME, "S2-INIT-PROC", 0, 0, 0) != 0) {
SAPI_RAW_PLOG(WARNING, "prctl(PR_SET_NAME, 'S2-INIT-PROC')");
}
for (const auto& fd : open_fds) { for (const auto& fd : open_fds) {
close(fd); close(fd);
} }

69
sandboxed_api/sandbox2/forkserver_bin.cc Normal file
View File

@ -0,0 +1,69 @@
// Copyright 2019 Google LLC. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <sys/prctl.h>
#include <sys/socket.h>
#include <unistd.h>
#include <csignal>
#include <cstdlib>
#include "absl/base/attributes.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/util/strerror.h"
#include "sandboxed_api/util/raw_logging.h"
int main() {
// Make sure the logs go stderr.
google::LogToStderr();
// Close all non-essential FDs to keep newly opened FD numbers consistent.
sandbox2::sanitizer::CloseAllFDsExcept(
{0, 1, 2, sandbox2::Comms::kSandbox2ClientCommsFD});
// Make the process' name easily recognizable with ps/pstree.
if (prctl(PR_SET_NAME, "S2-FORK-SERV", 0, 0, 0) != 0) {
SAPI_RAW_PLOG(WARNING, "prctl(PR_SET_NAME, 'S2-FORK-SERV')");
}
// Don't react (with stack-tracing) to SIGTERM's sent from other processes
// (e.g. from the borglet or SubProcess). This ForkServer should go down if
// the parent goes down (or if the GlobalForkServerComms is closed), which is
// assured by prctl(PR_SET_PDEATHSIG, SIGKILL) being called in the
// ForkServer::Initialize(). We don't want to change behavior of non-global
// ForkServers, hence it's called here and not in the
// ForkServer::Initialize().
struct sigaction sa;
sa.sa_handler = SIG_IGN;
sa.sa_flags = 0;
sigemptyset(&sa.sa_mask);
if (sigaction(SIGTERM, &sa, nullptr) == -1) {
SAPI_RAW_PLOG(WARNING, "sigaction(SIGTERM, sa_handler=SIG_IGN)");
}
sandbox2::Comms comms(sandbox2::Comms::kSandbox2ClientCommsFD);
sandbox2::ForkServer fork_server(&comms);
while (true) {
pid_t child_pid = fork_server.ServeRequest();
if (!child_pid) {
// FORKSERVER_FORK sent to the global forkserver. This case does not make
// sense, we thus kill the process here.
exit(0);
}
}
}

49
sandboxed_api/sandbox2/global_forkclient.cc
View File

@ -16,8 +16,10 @@
#include "sandboxed_api/sandbox2/global_forkclient.h" #include "sandboxed_api/sandbox2/global_forkclient.h"
#include <fcntl.h>
#include <sys/prctl.h> #include <sys/prctl.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <syscall.h>
#include <unistd.h> #include <unistd.h>
#include <csignal> #include <csignal>
@ -25,8 +27,10 @@
#include "absl/base/attributes.h" #include "absl/base/attributes.h"
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "sandboxed_api/embed_file.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.h" #include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/forkserver_bin_embed.h"
#include "sandboxed_api/sandbox2/sanitizer.h" #include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/util/strerror.h" #include "sandboxed_api/sandbox2/util/strerror.h"
#include "sandboxed_api/util/raw_logging.h" #include "sandboxed_api/util/raw_logging.h"
@ -84,43 +88,20 @@ static void StartGlobalForkServer() {
return; return;
} }
// Make sure the logs go stderr. // Move the comms FD to the proper, expected FD number.
google::LogToStderr(); // The new FD will not be CLOEXEC, which is what we want.
dup2(sv[0], Comms::kSandbox2ClientCommsFD);
// Close all non-essential FDs to keep newly opened FD numbers consistent. int exec_fd = sapi::EmbedFile::GetEmbedFileSingleton()->GetFdForFileToc(
sandbox2::sanitizer::CloseAllFDsExcept({0, 1, 2, sv[0]}); forkserver_bin_embed_create());
if (exec_fd < 0) {
// Make the process' name easily recognizable with ps/pstree. SAPI_RAW_LOG(FATAL, "Getting FD for init binary failed");
if (prctl(PR_SET_NAME, "S2-FORK-SERV", 0, 0, 0) != 0) {
SAPI_RAW_PLOG(WARNING, "prctl(PR_SET_NAME, 'S2-FORK-SERV')");
} }
// Don't react (with stack-tracing) to SIGTERM's sent from other processes char* const args[] = {strdup("S2-FORK-SERV"), nullptr};
// (e.g. from the borglet or SubProcess). This ForkServer should go down if char* const envp[] = {nullptr};
// the parent goes down (or if the GlobalForkServerComms is closed), which is syscall(__NR_execveat, exec_fd, "", args, envp, AT_EMPTY_PATH);
// assured by prctl(PR_SET_PDEATHSIG, SIGKILL) being called in the SAPI_RAW_PCHECK(false, "Could not launch forkserver binary");
// ForkServer::Initialize(). We don't want to change behavior of non-global
// ForkServers, hence it's called here and not in the
// ForkServer::Initialize().
struct sigaction sa;
sa.sa_handler = SIG_IGN;
sa.sa_flags = 0;
sigemptyset(&sa.sa_mask);
if (sigaction(SIGTERM, &sa, nullptr) == -1) {
SAPI_RAW_PLOG(WARNING, "sigaction(SIGTERM, sa_handler=SIG_IGN)");
}
Comms comms(sv[0]);
ForkServer fork_server(&comms);
while (true) {
pid_t child_pid = fork_server.ServeRequest();
if (!child_pid) {
// FORKSERVER_FORK sent to the global forkserver. This case does not make
// sense, we thus kill the process here.
exit(0);
}
}
} }
} // namespace sandbox2 } // namespace sandbox2