diff --git a/sandboxed_api/client.cc b/sandboxed_api/client.cc
index 6628428..bdd8435 100644
--- a/sandboxed_api/client.cc
+++ b/sandboxed_api/client.cc
@@ -36,6 +36,7 @@ #ifdef MEMORY_SANITIZER #include #endif + #include #include
diff --git a/sandboxed_api/sandbox.cc b/sandboxed_api/sandbox.cc
index 056d890..05f6ad8 100644
--- a/sandboxed_api/sandbox.cc
+++ b/sandboxed_api/sandbox.cc
@@ -170,6 +170,7 @@ static std::string PathToSAPILib(const std::string& lib_path) { return ::sapi::UnavailableError("Could not start the forkserver"); } } + sandbox2::PolicyBuilder policy_builder; InitDefaultPolicyBuilder(&policy_builder); auto s2p = ModifyPolicy(&policy_builder);
diff --git a/sandboxed_api/sandbox2/comms.cc b/sandboxed_api/sandbox2/comms.cc
index 6eef77e..1add4a2 100644
--- a/sandboxed_api/sandbox2/comms.cc
+++ b/sandboxed_api/sandbox2/comms.cc
@@ -48,6 +48,7 @@ #ifdef MEMORY_SANITIZER #include "base/dynamic_annotations.h" #endif + // Future extension point used to mark code sections that invoke syscalls that // potentially block. // Internally at Google, there is an implementation that supports light-weight
diff --git a/sandboxed_api/sandbox2/executor.h b/sandboxed_api/sandbox2/executor.h
index bed3858..f4d1122 100644
--- a/sandboxed_api/sandbox2/executor.h
+++ b/sandboxed_api/sandbox2/executor.h
@@ -79,11 +79,14 @@ class Executor final { // Accessors IPC* ipc() { return &ipc_; } + Limits* limits() { return &limits_; } + Executor& set_enable_sandbox_before_exec(bool value) { enable_sandboxing_pre_execve_ = value; return *this; } + Executor& set_cwd(std::string value) { cwd_ = std::move(value); return *this;
diff --git a/sandboxed_api/sandbox2/ipc.cc b/sandboxed_api/sandbox2/ipc.cc
index 32120b8..45359ae 100644
--- a/sandboxed_api/sandbox2/ipc.cc
+++ b/sandboxed_api/sandbox2/ipc.cc
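Review bot: `Limits* limits() { return &limits_; }` in the executor.h hunk hands out a mutable, non-owning pointer into the Executor with no comment, and the surrounding `// Accessors` section says nothing about lifetime or whether callers are meant to mutate through it. A one-line comment would settle both, e.g. `// Non-owning pointer to the Limits held by this Executor; valid for the Executor's lifetime.` The collapsed hunk does not show whether the `+` marks the accessor itself or only a blank line before it, so this may be pre-existing code rather than new; the class body continues outside the hunk.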
@@ -110,6 +110,7 @@ void IPC::EnableNetworkProxyServer() { NetworkProxyServer network_proxy_server(fd); network_proxy_server.Run(); }; + std::thread proxy_thread{proxy_server}; proxy_thread.detach(); }
diff --git a/sandboxed_api/sandbox2/ipc.h b/sandboxed_api/sandbox2/ipc.h
index b1b66d7..2dcef67 100644
--- a/sandboxed_api/sandbox2/ipc.h
+++ b/sandboxed_api/sandbox2/ipc.h
@@ -37,6 +37,7 @@ class IPC final { IPC& operator=(const IPC&) = delete; ~IPC() { InternalCleanupFdMap(); } + Comms* comms() const { return comms_.get(); } // Marks local_fd so that it should be sent to the remote process (sandboxee),
diff --git a/sandboxed_api/sandbox2/limits.h b/sandboxed_api/sandbox2/limits.h
index 147e051..21e7552 100644
--- a/sandboxed_api/sandbox2/limits.h
+++ b/sandboxed_api/sandbox2/limits.h
@@ -55,6 +55,7 @@ class Limits final { rlimit_as_.rlim_max = value; return *this; } + const rlimit64& rlimit_cpu() const { return rlimit_cpu_; } Limits& set_rlimit_cpu(const rlimit64& value) { rlimit_cpu_ = value;
@@ -65,6 +66,7 @@ class Limits final { rlimit_cpu_.rlim_max = value; return *this; } + const rlimit64& rlimit_fsize() const { return rlimit_fsize_; } Limits& set_rlimit_fsize(const rlimit64& value) { rlimit_fsize_ = value;
@@ -75,6 +77,7 @@ class Limits final { rlimit_fsize_.rlim_max = value; return *this; } + const rlimit64& rlimit_nofile() const { return rlimit_nofile_; } Limits& set_rlimit_nofile(const rlimit64& value) { rlimit_nofile_ = value;
@@ -85,6 +88,7 @@ class Limits final { rlimit_nofile_.rlim_max = value; return *this; } + const rlimit64& rlimit_core() const { return rlimit_core_; } Limits& set_rlimit_core(const rlimit64& value) { rlimit_core_ = value;
diff --git a/sandboxed_api/sandbox2/monitor.cc b/sandboxed_api/sandbox2/monitor.cc
index abd1de7..d3339df 100644
--- a/sandboxed_api/sandbox2/monitor.cc
+++ b/sandboxed_api/sandbox2/monitor.cc
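Review bot: `Comms* comms() const { return comms_.get(); }` in the ipc.h hunk is a const member that returns a non-const pointer, so a `const IPC&` still lets the caller mutate the Comms; if that is intended, say so, otherwise return `const Comms*` and add a non-const overload. A comment such as `// Non-owning pointer to the Comms held by this IPC; the IPC keeps ownership.` would also answer the lifetime question for callers, and whether `comms_` can be null is not visible here, so the comment should state that once known. The hunk is collapsed, so the `+` may only be an added blank line with the accessor as pre-existing context; the class body continues outside the hunk.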
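Review bot: The new side of limits.h has `const rlimit64&` getters for `rlimit_cpu`, `rlimit_fsize`, `rlimit_nofile` and `rlimit_core` (the first limits.h hunk and the three that follow it), but the `rlimit_as_` field whose setter appears in the first hunk's context gets no matching accessor; unless one already exists above line 55, add `const rlimit64& rlimit_as() const { return rlimit_as_; }` beside its setters for symmetry. Each getter would also read better with a one-line comment such as `// Configured CPU-time limit (soft and hard); this is the stored value, not one read back from the kernel.`, since the name alone does not say which it is. The collapsed hunks do not show whether each `+` marks the getter or only a blank line before it, so these may be pre-existing; the class body continues outside the hunks.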
@@ -1012,6 +1012,7 @@ void Monitor::StateProcessStopped(pid_t pid, int status) { } should_dump_stack_ = false; } + #if !defined(PTRACE_EVENT_STOP) #define PTRACE_EVENT_STOP 128 #endif
diff --git a/sandboxed_api/sandbox2/policy_test.cc b/sandboxed_api/sandbox2/policy_test.cc
index b9a0ef3..f48a93f 100644
--- a/sandboxed_api/sandbox2/policy_test.cc
+++ b/sandboxed_api/sandbox2/policy_test.cc
@@ -67,6 +67,7 @@ TEST(PolicyTest, AMD64Syscall32PolicyAllowed) { Sandbox2 s2(std::move(executor), std::move(policy)); auto result = s2.Run(); + ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION)); EXPECT_THAT(result.reason_code(), Eq(1)); // __NR_exit in 32-bit EXPECT_THAT(result.GetSyscallArch(), Eq(Syscall::kX86_32));
@@ -83,6 +84,7 @@ TEST(PolicyTest, AMD64Syscall32FsAllowed) { Sandbox2 s2(std::move(executor), std::move(policy)); auto result = s2.Run(); + ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION)); EXPECT_THAT(result.reason_code(), Eq(33)); // __NR_access in 32-bit
diff --git a/sandboxed_api/sandbox2/sandbox2.cc b/sandboxed_api/sandbox2/sandbox2.cc
index 15b98ea..2f1cf77 100644
--- a/sandboxed_api/sandbox2/sandbox2.cc
+++ b/sandboxed_api/sandbox2/sandbox2.cc
@@ -83,6 +83,7 @@ void Sandbox2::Kill() { if (monitor_thread_ == nullptr) { return; } + pthread_kill(monitor_thread_->native_handle(), Monitor::kExternalKillSignal); }
@@ -92,6 +93,7 @@ void Sandbox2::DumpStackTrace() { if (monitor_thread_ == nullptr) { return; } + pthread_kill(monitor_thread_->native_handle(), Monitor::kDumpStackSignal); }
@@ -110,6 +112,7 @@ void Sandbox2::SetWallTimeLimit(time_t limit) const { union sigval v; v.sival_int = static_cast(limit); + pthread_sigqueue(monitor_thread_->native_handle(), Monitor::kTimerSetSignal, v); }
diff --git a/sandboxed_api/sandbox2/util/bpf_helper.c b/sandboxed_api/sandbox2/util/bpf_helper.c
index cd88ed2..47a78b3 100644
--- a/sandboxed_api/sandbox2/util/bpf_helper.c
+++ b/sandboxed_api/sandbox2/util/bpf_helper.c
@@ -22,7 +22,6 @@ // and can serve as a starting point for developing // applications using prctl(PR_ATTACH_SECCOMP_FILTER). - #include "sandboxed_api/sandbox2/util/bpf_helper.h" #include
@@ -107,4 +106,3 @@ void seccomp_bpf_print(struct sock_filter *filter, size_t count) printf("{ code=%u,jt=%u,jf=%u,k=%u },\n", filter->code, filter->jt, filter->jf, filter->k); } -
diff --git a/sandboxed_api/sandbox2/util/bpf_helper.h b/sandboxed_api/sandbox2/util/bpf_helper.h
index 77f9e61..eb6e2af 100644
--- a/sandboxed_api/sandbox2/util/bpf_helper.h
+++ b/sandboxed_api/sandbox2/util/bpf_helper.h
@@ -295,5 +295,4 @@ union arg64 { } #endif - #endif // SANDBOXED_API_SANDBOX2_UTIL_BPF_HELPER_H_
diff --git a/sandboxed_api/sandbox2/util/fileops.h b/sandboxed_api/sandbox2/util/fileops.h
index 850cb28..8081c6d 100644
--- a/sandboxed_api/sandbox2/util/fileops.h
+++ b/sandboxed_api/sandbox2/util/fileops.h
@@ -22,6 +22,7 @@ namespace sandbox2 { namespace file_util { + namespace fileops { // RAII helper class to automatically close file descriptors.
diff --git a/sandboxed_api/sandbox2/util/path.h b/sandboxed_api/sandbox2/util/path.h
index 7d72415..5f25897 100644
--- a/sandboxed_api/sandbox2/util/path.h
+++ b/sandboxed_api/sandbox2/util/path.h
@@ -20,6 +20,7 @@ #include #include "absl/strings/string_view.h" + namespace sandbox2 { namespace file {
diff --git a/sandboxed_api/tools/generator2/sapi_generator.py b/sandboxed_api/tools/generator2/sapi_generator.py
index 0778283..4110115 100644
--- a/sandboxed_api/tools/generator2/sapi_generator.py
+++ b/sandboxed_api/tools/generator2/sapi_generator.py
@@ -19,7 +19,6 @@ interface wrapper. """ import sys - from absl import app from absl import flags from absl import logging
diff --git a/sandboxed_api/util/flag.h b/sandboxed_api/util/flag.h
index 12bfccc..4c1131a 100644
--- a/sandboxed_api/util/flag.h
+++ b/sandboxed_api/util/flag.h
@@ -14,6 +14,7 @@ #ifndef SANDBOXED_API_UTIL_FLAG_H_ #define SANDBOXED_API_UTIL_FLAG_H_ + #include #define ABSL_FLAG(type, name, default_value, help) \