Replace if (!cond) { LOG(FATAL, msg) }
with CHECK(cond, msg)
PiperOrigin-RevId: 291916344 Change-Id: Ib522a3f202b20bf8f1ab4ca5774952d4b8f43e91
parent
d88c9f7598
commit
539d1cac34
|
@ -314,9 +314,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
||||||
}
|
}
|
||||||
// Send sandboxee pid
|
// Send sandboxee pid
|
||||||
auto status = SendPid(signaling_fd);
|
auto status = SendPid(signaling_fd);
|
||||||
if (!status.ok()) {
|
SAPI_RAW_CHECK(status.ok(), "sending pid: %s", status.message());
|
||||||
SAPI_RAW_LOG(FATAL, "%s", status.message());
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
|
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
|
||||||
|
@ -387,17 +385,12 @@ pid_t ForkServer::ServeRequest() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
int comms_fd;
|
int comms_fd;
|
||||||
if (!comms_->RecvFD(&comms_fd)) {
|
SAPI_RAW_CHECK(comms_->RecvFD(&comms_fd), "Failed to receive Comms FD");
|
||||||
SAPI_RAW_LOG(FATAL, "Failed to receive Comms FD");
|
|
||||||
}
|
|
||||||
|
|
||||||
int exec_fd = -1;
|
int exec_fd = -1;
|
||||||
if (fork_request.mode() == FORKSERVER_FORK_EXECVE ||
|
if (fork_request.mode() == FORKSERVER_FORK_EXECVE ||
|
||||||
fork_request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
|
fork_request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
|
||||||
if (!comms_->RecvFD(&exec_fd)) {
|
SAPI_RAW_CHECK(comms_->RecvFD(&exec_fd), "Failed to receive Exec FD");
|
||||||
SAPI_RAW_LOG(FATAL, "Failed to receive Exec FD");
|
|
||||||
}
|
|
||||||
|
|
||||||
// We're duping to a high number here to avoid colliding with the IPC FDs.
|
// We're duping to a high number here to avoid colliding with the IPC FDs.
|
||||||
MoveToFdNumber(&exec_fd, kTargetExecFd);
|
MoveToFdNumber(&exec_fd, kTargetExecFd);
|
||||||
}
|
}
|
||||||
|
@ -409,9 +402,8 @@ pid_t ForkServer::ServeRequest() {
|
||||||
|
|
||||||
int user_ns_fd = -1;
|
int user_ns_fd = -1;
|
||||||
if (fork_request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
if (fork_request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
||||||
if (!comms_->RecvFD(&user_ns_fd)) {
|
SAPI_RAW_CHECK(comms_->RecvFD(&user_ns_fd),
|
||||||
SAPI_RAW_LOG(FATAL, "Failed to receive user namespace fd");
|
"Failed to receive user namespace fd");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Store uid and gid since they will change if CLONE_NEWUSER is set.
|
// Store uid and gid since they will change if CLONE_NEWUSER is set.
|
||||||
|
@ -419,16 +411,14 @@ pid_t ForkServer::ServeRequest() {
|
||||||
uid_t gid = getgid();
|
uid_t gid = getgid();
|
||||||
|
|
||||||
int socketpair_fds[2];
|
int socketpair_fds[2];
|
||||||
if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, socketpair_fds)) {
|
SAPI_RAW_PCHECK(
|
||||||
SAPI_RAW_LOG(FATAL, "socketpair()");
|
socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, socketpair_fds) == 0,
|
||||||
}
|
"creating signaling socketpair");
|
||||||
|
|
||||||
for (int i = 0; i < 2; i++) {
|
for (int i = 0; i < 2; i++) {
|
||||||
int val = 1;
|
int val = 1;
|
||||||
if (setsockopt(socketpair_fds[i], SOL_SOCKET, SO_PASSCRED, &val,
|
SAPI_RAW_PCHECK(setsockopt(socketpair_fds[i], SOL_SOCKET, SO_PASSCRED, &val,
|
||||||
sizeof(val))) {
|
sizeof(val)) == 0,
|
||||||
SAPI_RAW_LOG(FATAL, "setsockopt failed");
|
"setsockopt failed");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
file_util::fileops::FDCloser fd_closer0{socketpair_fds[0]};
|
file_util::fileops::FDCloser fd_closer0{socketpair_fds[0]};
|
||||||
|
@ -468,13 +458,11 @@ pid_t ForkServer::ServeRequest() {
|
||||||
}
|
}
|
||||||
// Send sandboxee pid
|
// Send sandboxee pid
|
||||||
sapi::Status status = SendPid(fd_closer1.get());
|
sapi::Status status = SendPid(fd_closer1.get());
|
||||||
if (!status.ok()) {
|
SAPI_RAW_CHECK(status.ok(), "sending pid: %s", status.message());
|
||||||
SAPI_RAW_LOG(FATAL, "%s", status.message());
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
auto pid_or = ReceivePid(fd_closer0.get());
|
auto pid_or = ReceivePid(fd_closer0.get());
|
||||||
if (!pid_or.ok()) {
|
if (!pid_or.ok()) {
|
||||||
SAPI_RAW_LOG(ERROR, "%s", pid_or.status().message());
|
SAPI_RAW_LOG(ERROR, "receiving pid: %s", pid_or.status().message());
|
||||||
} else {
|
} else {
|
||||||
sandboxee_pid = pid_or.ValueOrDie();
|
sandboxee_pid = pid_or.ValueOrDie();
|
||||||
}
|
}
|
||||||
|
@ -524,13 +512,10 @@ pid_t ForkServer::ServeRequest() {
|
||||||
if (user_ns_fd >= 0) {
|
if (user_ns_fd >= 0) {
|
||||||
close(user_ns_fd);
|
close(user_ns_fd);
|
||||||
}
|
}
|
||||||
if (!comms_->SendInt32(init_pid)) {
|
SAPI_RAW_CHECK(comms_->SendInt32(init_pid), "Failed to send init PID: %d",
|
||||||
SAPI_RAW_LOG(FATAL, "Failed to send init PID: %d", init_pid);
|
init_pid);
|
||||||
}
|
SAPI_RAW_CHECK(comms_->SendInt32(sandboxee_pid),
|
||||||
if (!comms_->SendInt32(sandboxee_pid)) {
|
"Failed to send sandboxee PID: %d", sandboxee_pid);
|
||||||
SAPI_RAW_LOG(FATAL, "Failed to send sandboxee PID: %d", sandboxee_pid);
|
|
||||||
}
|
|
||||||
|
|
||||||
return sandboxee_pid;
|
return sandboxee_pid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -608,12 +593,11 @@ void ForkServer::SanitizeEnvironment(int client_fd) {
|
||||||
close(client_fd);
|
close(client_fd);
|
||||||
// Mark all file descriptors, except the standard ones (needed
|
// Mark all file descriptors, except the standard ones (needed
|
||||||
// for proper sandboxed process operations), as close-on-exec.
|
// for proper sandboxed process operations), as close-on-exec.
|
||||||
if (!sanitizer::SanitizeCurrentProcess(
|
SAPI_RAW_CHECK(sanitizer::SanitizeCurrentProcess(
|
||||||
{STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO,
|
{STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO,
|
||||||
Comms::kSandbox2ClientCommsFD},
|
Comms::kSandbox2ClientCommsFD},
|
||||||
/* close_fds = */ false)) {
|
/* close_fds = */ false),
|
||||||
SAPI_RAW_LOG(FATAL, "sanitizer::SanitizeCurrentProcess(close_fds=false)");
|
"while sanitizing process");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void ForkServer::ExecuteProcess(int execve_fd, const char** argv,
|
void ForkServer::ExecuteProcess(int execve_fd, const char** argv,
|
||||||
|
|
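Review bot: The `sanitizer::SanitizeCurrentProcess` call in SanitizeEnvironment, like the `RecvFD`, `SendInt32`, `socketpair` and `setsockopt` calls in ServeRequest, now sits inside the `SAPI_RAW_CHECK` / `SAPI_RAW_PCHECK` argument, so the close-on-exec marking and the FD handoff only happen if the macro always evaluates its condition. The macro definition is not shown on this page; if it can ever compile to a no-op, these steps would be skipped silently and descriptors could be inherited by the sandboxee. Either document that guarantee next to the macro, or keep the call outside the check, e.g. `const bool sanitized = sanitizer::SanitizeCurrentProcess({...}, /* close_fds = */ false);` followed by `SAPI_RAW_CHECK(sanitized, "while sanitizing process");`. Separately, `status.message()` is passed to `%s` in both SendPid checks, which is only well-defined if it yields a NUL-terminated `const char*`, and these lines do not show its type. The enclosing functions start and end outside the hunks.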
|
@ -94,9 +94,7 @@ static void StartGlobalForkServer() {
|
||||||
|
|
||||||
int exec_fd = sapi::EmbedFile::GetEmbedFileSingleton()->GetFdForFileToc(
|
int exec_fd = sapi::EmbedFile::GetEmbedFileSingleton()->GetFdForFileToc(
|
||||||
forkserver_bin_embed_create());
|
forkserver_bin_embed_create());
|
||||||
if (exec_fd < 0) {
|
SAPI_RAW_CHECK(exec_fd >= 0, "Getting FD for init binary failed");
|
||||||
SAPI_RAW_LOG(FATAL, "Getting FD for init binary failed");
|
|
||||||
}
|
|
||||||
|
|
||||||
char* const args[] = {strdup("S2-FORK-SERV"), nullptr};
|
char* const args[] = {strdup("S2-FORK-SERV"), nullptr};
|
||||||
char* const envp[] = {nullptr};
|
char* const envp[] = {nullptr};
|
||||||
|
|