From 6a1e4b881c2c24f65e74f5c71b7a11b2632b8278 Mon Sep 17 00:00:00 2001 From: Christian Blichmann Date: Thu, 10 Sep 2020 05:47:32 -0700 Subject: [PATCH] Introduce config header to centralize CPU architecture checks This allows us to remove some uses of macros. Related changes: - Make it clear that we support hosting sandboxed binaries from 64-bit processes only. CPU architectures are x86-64 and POWER64 (little endian). - Introduced CPU architecture macros, abstracting away compiler specifics PiperOrigin-RevId: 330918134 Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd --- sandboxed_api/sandbox2/BUILD.bazel | 19 +++++ sandboxed_api/sandbox2/CMakeLists.txt | 21 +++++ sandboxed_api/sandbox2/buffer_test.cc | 7 +- sandboxed_api/sandbox2/config.h | 83 +++++++++++++++++++ sandboxed_api/sandbox2/limits_test.cc | 1 + sandboxed_api/sandbox2/monitor.cc | 3 +- sandboxed_api/sandbox2/mounts.cc | 21 +++-- sandboxed_api/sandbox2/namespace_test.cc | 1 + .../sandbox2/network_proxy/BUILD.bazel | 1 + .../sandbox2/network_proxy/CMakeLists.txt | 1 + .../sandbox2/network_proxy/client.cc | 12 +-- sandboxed_api/sandbox2/policy.cc | 16 ++-- sandboxed_api/sandbox2/policy_test.cc | 9 +- sandboxed_api/sandbox2/policybuilder.cc | 22 ++--- sandboxed_api/sandbox2/policybuilder.h | 6 +- sandboxed_api/sandbox2/regs.cc | 69 ++++++++------- sandboxed_api/sandbox2/regs.h | 13 ++- sandboxed_api/sandbox2/result.h | 5 +- sandboxed_api/sandbox2/sandbox2_test.cc | 1 + sandboxed_api/sandbox2/syscall.cc | 47 +++++------ sandboxed_api/sandbox2/syscall.h | 32 +++---- sandboxed_api/sandbox2/syscall_defs.cc | 23 ++--- sandboxed_api/sandbox2/syscall_defs.h | 3 +- sandboxed_api/sandbox2/syscall_test.cc | 5 +- sandboxed_api/sandbox2/testcases/BUILD.bazel | 1 + .../sandbox2/testcases/CMakeLists.txt | 1 + sandboxed_api/sandbox2/testcases/policy.cc | 10 ++- sandboxed_api/sandbox2/util.cc | 14 ++-- 28 files changed, 282 insertions(+), 165 deletions(-) create mode 100644 sandboxed_api/sandbox2/config.h diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel index 2bf7542..839a7e0 100644 --- a/sandboxed_api/sandbox2/BUILD.bazel +++ b/sandboxed_api/sandbox2/BUILD.bazel @@ -26,6 +26,13 @@ licenses(["notice"]) # Apache 2.0 exports_files(["testdata/hostname"]) +cc_library( + name = "config", + hdrs = ["config.h"], + copts = sapi_platform_copts(), + deps = ["@com_google_absl//absl/base:config"], +) + cc_library( name = "bpfdisassembler", srcs = ["bpfdisassembler.cc"], @@ -40,6 +47,7 @@ cc_library( hdrs = ["regs.h"], copts = sapi_platform_copts(), deps = [ + ":config", ":syscall", ":violation_cc_proto", "//sandboxed_api/sandbox2/util:strerror", @@ -60,6 +68,7 @@ cc_library( copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ + ":config", ":util", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", @@ -73,6 +82,7 @@ cc_test( srcs = ["syscall_test.cc"], copts = sapi_platform_copts(), deps = [ + ":config", ":syscall", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", @@ -85,6 +95,7 @@ cc_library( hdrs = ["result.h"], copts = sapi_platform_copts(), deps = [ + ":config", ":regs", ":syscall", ":util", @@ -272,6 +283,7 @@ cc_library( deps = [ ":client", ":comms", + ":config", ":executor", ":fork_client", ":forkserver_cc_proto", @@ -404,6 +416,7 @@ cc_library( hdrs = ["mounts.h"], copts = sapi_platform_copts(), deps = [ + ":config", ":mounttree_cc_proto", "//sandboxed_api/sandbox2/util:file_base", "//sandboxed_api/sandbox2/util:fileops", @@ -468,6 +481,7 @@ cc_test( ], deps = [ ":comms", + ":config", ":namespace", ":sandbox2", ":testing", @@ -505,6 +519,7 @@ cc_library( copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ + ":config", "//sandboxed_api/sandbox2/util:file_base", "//sandboxed_api/sandbox2/util:fileops", "//sandboxed_api/sandbox2/util:strerror", @@ -541,6 +556,7 @@ cc_test( deps = [ ":buffer", ":comms", + ":config", ":sandbox2", ":testing", "//sandboxed_api/util:status_matchers", @@ -629,6 +645,7 @@ cc_test( copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:limits"], deps = [ + ":config", ":limits", ":sandbox2", ":testing", @@ -671,6 +688,7 @@ cc_test( "//sandboxed_api/sandbox2/testcases:policy", ], deps = [ + ":config", ":limits", ":regs", ":sandbox2", @@ -695,6 +713,7 @@ cc_test( ], tags = ["local"], deps = [ + ":config", ":sandbox2", ":testing", "//sandboxed_api/sandbox2/util:bpf_helper", diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt index e70356f..e6a746b 100644 --- a/sandboxed_api/sandbox2/CMakeLists.txt +++ b/sandboxed_api/sandbox2/CMakeLists.txt @@ -17,6 +17,16 @@ add_subdirectory(unwind) add_subdirectory(util) add_subdirectory(network_proxy) +# sandboxed_api/sandbox2:config +add_library(sandbox2_config STATIC + config.h +) +add_library(sandbox2::config ALIAS sandbox2_config) +target_link_libraries(sandbox2_config PRIVATE + absl::config + sapi::base +) + # sandboxed_api/sandbox2:bpfdisassembler add_library(sandbox2_bpfdisassembler STATIC bpfdisassembler.cc @@ -37,6 +47,7 @@ add_library(sandbox2::regs ALIAS sandbox2_regs) target_link_libraries(sandbox2_regs PRIVATE absl::core_headers absl::strings + sandbox2::config sandbox2::strerror sandbox2::syscall sandbox2::violation_proto @@ -72,6 +83,7 @@ target_link_libraries(sandbox2_result PRIVATE absl::base absl::memory absl::strings + sandbox2::config sandbox2::regs sandbox2::syscall sandbox2::util @@ -280,6 +292,7 @@ target_link_libraries(sandbox2_sandbox2 sandbox2::bpf_helper sandbox2::client sandbox2::comms + sandbox2::config sandbox2::executor sandbox2::file_base sandbox2::fileops @@ -403,6 +416,7 @@ target_link_libraries(sandbox2_mounts PRIVATE absl::str_format absl::strings protobuf::libprotobuf + sandbox2::config sandbox2::file_base sandbox2::fileops sandbox2::minielf @@ -460,6 +474,7 @@ target_link_libraries(sandbox2_util PRIVATE absl::core_headers absl::str_format absl::strings + sandbox2::config sandbox2::file_base sandbox2::fileops sandbox2::strerror @@ -570,6 +585,7 @@ if(SAPI_ENABLE_TESTS) ) target_link_libraries(syscall_test PRIVATE absl::strings + sandbox2::config sandbox2::syscall sapi::test_main ) @@ -608,6 +624,7 @@ if(SAPI_ENABLE_TESTS) absl::memory absl::strings sandbox2::comms + sandbox2::config sandbox2::fileops sandbox2::namespace sandbox2::sandbox2 @@ -632,6 +649,7 @@ if(SAPI_ENABLE_TESTS) absl::memory sandbox2::buffer sandbox2::comms + sandbox2::config sandbox2::sandbox2 sandbox2::testing sapi::status_matchers @@ -706,6 +724,7 @@ if(SAPI_ENABLE_TESTS) target_link_libraries(limits_test PRIVATE absl::memory sandbox2::bpf_helper + sandbox2::config sandbox2::limits sandbox2::sandbox2 sandbox2::testing @@ -755,6 +774,7 @@ if(SAPI_ENABLE_TESTS) absl::memory absl::strings sandbox2::bpf_helper + sandbox2::config sandbox2::limits sandbox2::regs sandbox2::sandbox2 @@ -780,6 +800,7 @@ if(SAPI_ENABLE_TESTS) absl::memory absl::strings sandbox2::bpf_helper + sandbox2::config sandbox2::sandbox2 sandbox2::testing sapi::status_matchers diff --git a/sandboxed_api/sandbox2/buffer_test.cc b/sandboxed_api/sandbox2/buffer_test.cc index 78d8cf9..876be31 100644 --- a/sandboxed_api/sandbox2/buffer_test.cc +++ b/sandboxed_api/sandbox2/buffer_test.cc @@ -29,6 +29,7 @@ #include "gtest/gtest.h" #include "absl/memory/memory.h" #include "sandboxed_api/sandbox2/comms.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/ipc.h" #include "sandboxed_api/sandbox2/policy.h" @@ -90,12 +91,6 @@ std::unique_ptr BufferTestcasePolicy() { .BlockSyscallWithErrno(__NR_access, ENOENT) .BuildOrDie(); -#if defined(__powerpc64__) - - s2p->AllowUnsafeMmapFiles(); - s2p->AllowUnsafeMmapShared(); -#endif /* defined(__powerpc64__) */ - return s2p; } diff --git a/sandboxed_api/sandbox2/config.h b/sandboxed_api/sandbox2/config.h new file mode 100644 index 0000000..ba0fec5 --- /dev/null +++ b/sandboxed_api/sandbox2/config.h @@ -0,0 +1,83 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef SANDBOXED_API_SANDBOX2_CONFIG_H_ +#define SANDBOXED_API_SANDBOX2_CONFIG_H_ + +#include + +#include "absl/base/config.h" + +// GCC/Clang define __x86_64__, Visual Studio uses _M_X64 +#if defined(__x86_64__) || defined(_M_X64) +#define SAPI_X86_64 1 + +// Check various spellings for 64-bit POWER. Not checking for Visual Studio, as +// it does not support 64-bit POWER. +#elif (defined(__PPC64__) || defined(__powerpc64__) || defined(__ppc64__)) && \ + defined(ABSL_IS_LITTLE_ENDIAN) +#define SAPI_PPC64_LE 1 + +// Spellings for AArch64 +#elif defined(__aarch64__) || defined(_M_ARM64) +#define SAPI_ARM64 1 +#endif + +namespace sandbox2 { + +namespace cpu { + +// CPU architectures known to Sandbox2 +enum Architecture : uint16_t { + // Linux: Use a magic value, so it can be easily spotted in the seccomp-bpf + // bytecode decompilation stream. Must be < (1<<15), as/ that's the size of + // data which can be returned by BPF. + kUnknown = 0xCAF0, + kX8664, + kX86, + kPPC64LE, + kArm64, +}; + +} // namespace cpu + +namespace host_cpu { + +// Returns the current host CPU architecture if supported. If not supported, +// returns cpu::kUnknown. +constexpr cpu::Architecture Architecture() { +#if defined(SAPI_X86_64) + return cpu::kX8664; +#elif defined(SAPI_PPC64_LE) + return cpu::kPPC64LE; +#else + return cpu::kUnknown; +#endif +} + +constexpr bool IsX8664() { return Architecture() == cpu::kX8664; } + +constexpr bool IsPPC64LE() { return Architecture() == cpu::kPPC64LE; } + +constexpr bool IsArm64() { return Architecture() == cpu::kArm64; } + +} // namespace host_cpu + +static_assert(host_cpu::Architecture() != cpu::kUnknown, + "Host CPU architecture is not supported: One of x86-64 or " + "POWER64 (little endian) is required."); + +} // namespace sandbox2 + +#endif // SANDBOXED_API_SANDBOX2_CONFIG_H_ diff --git a/sandboxed_api/sandbox2/limits_test.cc b/sandboxed_api/sandbox2/limits_test.cc index 1f3386a..35d9bba 100644 --- a/sandboxed_api/sandbox2/limits_test.cc +++ b/sandboxed_api/sandbox2/limits_test.cc @@ -23,6 +23,7 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" #include "absl/memory/memory.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policybuilder.h" diff --git a/sandboxed_api/sandbox2/monitor.cc b/sandboxed_api/sandbox2/monitor.cc index 10e0710..d15c1af 100644 --- a/sandboxed_api/sandbox2/monitor.cc +++ b/sandboxed_api/sandbox2/monitor.cc @@ -49,6 +49,7 @@ #include "absl/time/time.h" #include "sandboxed_api/sandbox2/client.h" #include "sandboxed_api/sandbox2/comms.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/limits.h" #include "sandboxed_api/sandbox2/mounts.h" @@ -761,7 +762,7 @@ void Monitor::LogSyscallViolation(const Syscall& syscall) const { void Monitor::EventPtraceSeccomp(pid_t pid, int event_msg) { // If the seccomp-policy is using RET_TRACE, we request that it returns the // syscall architecture identifier in the SECCOMP_RET_DATA. - const auto syscall_arch = static_cast(event_msg); + const auto syscall_arch = static_cast(event_msg); Regs regs(pid); auto status = regs.Fetch(); if (!status.ok()) { diff --git a/sandboxed_api/sandbox2/mounts.cc b/sandboxed_api/sandbox2/mounts.cc index 7e800ea..d722e6f 100644 --- a/sandboxed_api/sandbox2/mounts.cc +++ b/sandboxed_api/sandbox2/mounts.cc @@ -34,6 +34,7 @@ #include "absl/strings/str_join.h" #include "absl/strings/str_split.h" #include "absl/strings/string_view.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/util/fileops.h" #include "sandboxed_api/sandbox2/util/minielf.h" #include "sandboxed_api/sandbox2/util/path.h" @@ -132,15 +133,19 @@ std::string ResolveLibraryPath(absl::string_view lib_name, return ""; } +constexpr absl::string_view GetPlatformCPUName() { + switch (host_cpu::Architecture()) { + case cpu::kX8664: + return "x86_64"; + case cpu::kPPC64LE: + return "ppc64"; + default: + return "unknown"; + } +} + std::string GetPlatform(absl::string_view interpreter) { -#if defined(__x86_64__) - constexpr absl::string_view kCpuPlatform = "x86_64"; -#elif defined(__powerpc64__) - constexpr absl::string_view kCpuPlatform = "ppc64"; -#else - constexpr absl::string_view kCpuPlatform = "unknown"; -#endif - return absl::StrCat(kCpuPlatform, "-linux-gnu"); + return absl::StrCat(GetPlatformCPUName(), "-linux-gnu"); } } // namespace diff --git a/sandboxed_api/sandbox2/namespace_test.cc b/sandboxed_api/sandbox2/namespace_test.cc index 89da97b..2bedf16 100644 --- a/sandboxed_api/sandbox2/namespace_test.cc +++ b/sandboxed_api/sandbox2/namespace_test.cc @@ -28,6 +28,7 @@ #include "absl/strings/numbers.h" #include "absl/strings/str_cat.h" #include "sandboxed_api/sandbox2/comms.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policybuilder.h" diff --git a/sandboxed_api/sandbox2/network_proxy/BUILD.bazel b/sandboxed_api/sandbox2/network_proxy/BUILD.bazel index f099939..ac58976 100644 --- a/sandboxed_api/sandbox2/network_proxy/BUILD.bazel +++ b/sandboxed_api/sandbox2/network_proxy/BUILD.bazel @@ -44,6 +44,7 @@ cc_library( visibility = ["//visibility:public"], deps = [ "//sandboxed_api/sandbox2:comms", + "//sandboxed_api/sandbox2:config", "//sandboxed_api/sandbox2/util:strerror", "//sandboxed_api/util:status", "@com_google_absl//absl/memory", diff --git a/sandboxed_api/sandbox2/network_proxy/CMakeLists.txt b/sandboxed_api/sandbox2/network_proxy/CMakeLists.txt index c23d917..781cb9d 100644 --- a/sandboxed_api/sandbox2/network_proxy/CMakeLists.txt +++ b/sandboxed_api/sandbox2/network_proxy/CMakeLists.txt @@ -54,6 +54,7 @@ target_link_libraries(sandbox2_network_proxy_client PRIVATE absl::synchronization glog::glog sandbox2::comms + sandbox2::config sandbox2::strerror sapi::base sapi::status diff --git a/sandboxed_api/sandbox2/network_proxy/client.cc b/sandboxed_api/sandbox2/network_proxy/client.cc index e528041..51b1260 100644 --- a/sandboxed_api/sandbox2/network_proxy/client.cc +++ b/sandboxed_api/sandbox2/network_proxy/client.cc @@ -27,6 +27,7 @@ #include "absl/memory/memory.h" #include "absl/status/status.h" #include "absl/strings/str_cat.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/util/strerror.h" #include "sandboxed_api/util/status_macros.h" @@ -36,14 +37,13 @@ namespace sandbox2 { constexpr int SYS_SECCOMP = 1; #endif -#if defined(__x86_64__) +#if defined(SAPI_X86_64) constexpr int kRegResult = REG_RAX; constexpr int kRegSyscall = REG_RAX; constexpr int kRegArg0 = REG_RDI; constexpr int kRegArg1 = REG_RSI; constexpr int kRegArg2 = REG_RDX; -#endif -#if defined(__powerpc64__) +#elif defined(SAPI_PPC64_LE) constexpr int kRegResult = 3; constexpr int kRegSyscall = 0; constexpr int kRegArg0 = 3; @@ -161,9 +161,9 @@ void NetworkProxyHandler::ProcessSeccompTrap(int nr, siginfo_t* info, } if (!ctx) return; -#if defined(__x86_64__) +#if defined(SAPI_X86_64) auto* registers = ctx->uc_mcontext.gregs; -#elif defined(__powerpc64__) +#elif defined(SAPI_PPC64_LE) auto* registers = ctx->uc_mcontext.gp_regs; using ppc_gpreg_t = std::decay::type; #endif @@ -178,7 +178,7 @@ void NetworkProxyHandler::ProcessSeccompTrap(int nr, siginfo_t* info, sockfd = static_cast(registers[kRegArg0]); addr = reinterpret_cast(registers[kRegArg1]); addrlen = static_cast(registers[kRegArg2]); -#if defined(__powerpc64__) +#if defined(SAPI_PPC64_LE) } else if (syscall == __NR_socketcall && static_cast(registers[kRegArg0]) == SYS_CONNECT) { ppc_gpreg_t* args = reinterpret_cast(registers[kRegArg1]); diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc index e631c0a..4e3fe03 100644 --- a/sandboxed_api/sandbox2/policy.cc +++ b/sandboxed_api/sandbox2/policy.cc @@ -85,10 +85,10 @@ std::vector Policy::GetDefaultPolicy() const { // If compiled arch is different than the runtime one, inform the Monitor. LOAD_ARCH, JEQ32(Syscall::GetHostAuditArch(), JUMP(&l, past_arch_check_l)), - JEQ32(AUDIT_ARCH_X86_64, TRACE(Syscall::kX86_64)), - JEQ32(AUDIT_ARCH_I386, TRACE(Syscall::kX86_32)), - JEQ32(AUDIT_ARCH_PPC64LE, TRACE(Syscall::kPPC_64)), - TRACE(Syscall::kUnknown), + JEQ32(AUDIT_ARCH_X86_64, TRACE(cpu::kX8664)), + JEQ32(AUDIT_ARCH_I386, TRACE(cpu::kX86)), + JEQ32(AUDIT_ARCH_PPC64LE, TRACE(cpu::kPPC64LE)), + TRACE(cpu::kUnknown), LABEL(&l, past_arch_check_l), // After the policy is uploaded, forkserver will execve the sandboxee. We @@ -130,10 +130,10 @@ std::vector Policy::GetDefaultPolicy() const { std::vector Policy::GetTrackingPolicy() const { return { LOAD_ARCH, - JEQ32(AUDIT_ARCH_X86_64, TRACE(Syscall::kX86_64)), - JEQ32(AUDIT_ARCH_I386, TRACE(Syscall::kX86_32)), - JEQ32(AUDIT_ARCH_PPC64LE, TRACE(Syscall::kPPC_64)), - TRACE(Syscall::kUnknown), + JEQ32(AUDIT_ARCH_X86_64, TRACE(cpu::kX8664)), + JEQ32(AUDIT_ARCH_I386, TRACE(cpu::kX86)), + JEQ32(AUDIT_ARCH_PPC64LE, TRACE(cpu::kPPC64LE)), + TRACE(cpu::kUnknown), }; } diff --git a/sandboxed_api/sandbox2/policy_test.cc b/sandboxed_api/sandbox2/policy_test.cc index 809ecd9..226b450 100644 --- a/sandboxed_api/sandbox2/policy_test.cc +++ b/sandboxed_api/sandbox2/policy_test.cc @@ -25,6 +25,7 @@ #include "gtest/gtest.h" #include "absl/memory/memory.h" #include "absl/strings/string_view.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/limits.h" #include "sandboxed_api/sandbox2/policybuilder.h" @@ -56,7 +57,7 @@ std::unique_ptr PolicyTestcasePolicy() { .BuildOrDie(); } -#if defined(__x86_64__) +#ifdef SAPI_X86_64 // Test that 32-bit syscalls from 64-bit are disallowed. TEST(PolicyTest, AMD64Syscall32PolicyAllowed) { SKIP_SANITIZERS_AND_COVERAGE; @@ -72,7 +73,7 @@ TEST(PolicyTest, AMD64Syscall32PolicyAllowed) { ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION)); EXPECT_THAT(result.reason_code(), Eq(1)); // __NR_exit in 32-bit - EXPECT_THAT(result.GetSyscallArch(), Eq(Syscall::kX86_32)); + EXPECT_THAT(result.GetSyscallArch(), Eq(cpu::kX86)); } // Test that 32-bit syscalls from 64-bit for FS checks are disallowed. @@ -90,9 +91,9 @@ TEST(PolicyTest, AMD64Syscall32FsAllowed) { ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION)); EXPECT_THAT(result.reason_code(), Eq(33)); // __NR_access in 32-bit - EXPECT_THAT(result.GetSyscallArch(), Eq(Syscall::kX86_32)); + EXPECT_THAT(result.GetSyscallArch(), Eq(cpu::kX86)); } -#endif // defined(__x86_64__) +#endif // Test that ptrace(2) is disallowed. TEST(PolicyTest, PtraceDisallowed) { diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index dbae2d9..a560190 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -15,14 +15,7 @@ #include "sandboxed_api/sandbox2/policybuilder.h" #include // For TCGETS - -#if defined(__x86_64__) -#include -#endif -#if defined(__powerpc64__) -#include // On PPC, TCGETS macro needs termios -#endif -#include // For the fcntl flags +#include // For the fcntl flags #include #include // For SYS_CONNECT #include // For GRND_NONBLOCK @@ -38,11 +31,18 @@ #include "absl/status/statusor.h" #include "absl/strings/escaping.h" #include "absl/strings/match.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/namespace.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/sandbox2/util/path.h" #include "sandboxed_api/util/status_macros.h" +#if defined(SAPI_X86_64) +#include +#elif defined(SAPI_PPC64_LE) +#include // On PPC, TCGETS macro needs termios +#endif + namespace sandbox2 { namespace { @@ -512,7 +512,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() { JEQ32(SIG_UNBLOCK, ALLOW), }); -#if defined(__x86_64__) +#ifdef SAPI_X86_64 // The second argument is a pointer. AddPolicyOnSyscall(__NR_arch_prctl, { ARG_32(0), @@ -901,7 +901,7 @@ PolicyBuilder& PolicyBuilder::AddNetworkProxyPolicy() { LABEL(&labels, getsockopt_end), }; }); -#if defined(__powerpc64__) +#ifdef SAPI_PPC64_LE AddPolicyOnSyscall(__NR_socketcall, { ARG_32(0), JEQ32(SYS_SOCKET, ALLOW), @@ -927,7 +927,7 @@ PolicyBuilder& PolicyBuilder::AddNetworkProxyHandlerPolicy() { }); AddPolicyOnSyscall(__NR_connect, {TRAP(0)}); -#if defined(__powerpc64__) +#ifdef SAPI_PPC64_LE AddPolicyOnSyscall(__NR_socketcall, { ARG_32(0), JEQ32(SYS_CONNECT, TRAP(0)), diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h index 17e95ff..5a5fd97 100644 --- a/sandboxed_api/sandbox2/policybuilder.h +++ b/sandboxed_api/sandbox2/policybuilder.h @@ -39,8 +39,6 @@ struct bpf_labels; namespace sandbox2 { -constexpr char kDefaultHostname[] = "sandbox2"; - // PolicyBuilder is a helper class to simplify creation of policies. The builder // uses fluent interface for convenience and increased readability of policies. // @@ -91,6 +89,8 @@ constexpr char kDefaultHostname[] = "sandbox2"; // For a more complicated example, see examples/persistent/persistent_sandbox.cc class PolicyBuilder final { public: + static constexpr absl::string_view kDefaultHostname = "sandbox2"; + using BpfInitializer = std::initializer_list; using BpfFunc = const std::function(bpf_labels&)>&; using SyscallInitializer = std::initializer_list; @@ -542,7 +542,7 @@ class PolicyBuilder final { bool use_namespaces_ = true; bool requires_namespaces_ = false; bool allow_unrestricted_networking_ = false; - std::string hostname_ = kDefaultHostname; + std::string hostname_ = std::string(kDefaultHostname); bool collect_stacktrace_on_violation_ = true; bool collect_stacktrace_on_signal_ = true; diff --git a/sandboxed_api/sandbox2/regs.cc b/sandboxed_api/sandbox2/regs.cc index 6dfcd14..07f8e87 100644 --- a/sandboxed_api/sandbox2/regs.cc +++ b/sandboxed_api/sandbox2/regs.cc @@ -24,64 +24,69 @@ #include #include "absl/strings/str_cat.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/util/strerror.h" namespace sandbox2 { absl::Status Regs::Fetch() { -#if defined(__powerpc64__) - iovec pt_iov = {&user_regs_, sizeof(user_regs_)}; - - if (ptrace(PTRACE_GETREGSET, pid_, NT_PRSTATUS, &pt_iov) == -1L) { - return absl::InternalError(absl::StrCat( - "ptrace(PTRACE_GETREGSET, pid=", pid_, ") failed: ", StrError(errno))); - } - if (pt_iov.iov_len != sizeof(user_regs_)) { - return absl::InternalError(absl::StrCat( - "ptrace(PTRACE_GETREGSET, pid=", pid_, - ") size returned: ", pt_iov.iov_len, - " different than sizeof(user_regs_): ", sizeof(user_regs_))); - } -#else +#ifdef SAPI_X86_64 if (ptrace(PTRACE_GETREGS, pid_, 0, &user_regs_) == -1L) { return absl::InternalError(absl::StrCat("ptrace(PTRACE_GETREGS, pid=", pid_, ") failed: ", StrError(errno))); } #endif + if constexpr (host_cpu::IsPPC64LE()) { + iovec pt_iov = {&user_regs_, sizeof(user_regs_)}; + + if (ptrace(PTRACE_GETREGSET, pid_, NT_PRSTATUS, &pt_iov) == -1L) { + return absl::InternalError( + absl::StrCat("ptrace(PTRACE_GETREGSET, pid=", pid_, + ") failed: ", StrError(errno))); + } + if (pt_iov.iov_len != sizeof(user_regs_)) { + return absl::InternalError(absl::StrCat( + "ptrace(PTRACE_GETREGSET, pid=", pid_, + ") size returned: ", pt_iov.iov_len, + " different than sizeof(user_regs_): ", sizeof(user_regs_))); + } + } return absl::OkStatus(); } absl::Status Regs::Store() { -#if defined(__powerpc64__) - iovec pt_iov = {&user_regs_, sizeof(user_regs_)}; - - if (ptrace(PTRACE_SETREGSET, pid_, NT_PRSTATUS, &pt_iov) == -1L) { - return absl::InternalError(absl::StrCat( - "ptrace(PTRACE_SETREGSET, pid=", pid_, ") failed: ", StrError(errno))); - } -#else +#ifdef SAPI_X86_64 if (ptrace(PTRACE_SETREGS, pid_, 0, &user_regs_) == -1) { return absl::InternalError(absl::StrCat("ptrace(PTRACE_SETREGS, pid=", pid_, ") failed: ", StrError(errno))); } #endif + if constexpr (host_cpu::IsPPC64LE()) { + iovec pt_iov = {&user_regs_, sizeof(user_regs_)}; + + if (ptrace(PTRACE_SETREGSET, pid_, NT_PRSTATUS, &pt_iov) == -1L) { + return absl::InternalError( + absl::StrCat("ptrace(PTRACE_SETREGSET, pid=", pid_, + ") failed: ", StrError(errno))); + } + } return absl::OkStatus(); } absl::Status Regs::SkipSyscallReturnValue(uint64_t value) { -#if defined(__x86_64__) +#if defined(SAPI_X86_64) user_regs_.orig_rax = -1; user_regs_.rax = value; -#elif defined(__powerpc64__) +#elif defined(SAPI_PPC64_LE) user_regs_.gpr[0] = -1; user_regs_.gpr[3] = value; #endif return Store(); } -Syscall Regs::ToSyscall(Syscall::CpuArch syscall_arch) const { -#if defined(__x86_64__) - if (ABSL_PREDICT_TRUE(syscall_arch == Syscall::kX86_64)) { +Syscall Regs::ToSyscall(cpu::Architecture syscall_arch) const { +#if defined(SAPI_X86_64) + if (ABSL_PREDICT_TRUE(syscall_arch == cpu::kX8664)) { auto syscall = user_regs_.orig_rax; Syscall::Args args = {user_regs_.rdi, user_regs_.rsi, user_regs_.rdx, user_regs_.r10, user_regs_.r8, user_regs_.r9}; @@ -89,7 +94,7 @@ Syscall Regs::ToSyscall(Syscall::CpuArch syscall_arch) const { auto ip = user_regs_.rip; return Syscall(syscall_arch, syscall, args, pid_, sp, ip); } - if (syscall_arch == Syscall::kX86_32) { + if (syscall_arch == cpu::kX86) { auto syscall = user_regs_.orig_rax & 0xFFFFFFFF; Syscall::Args args = { user_regs_.rbx & 0xFFFFFFFF, user_regs_.rcx & 0xFFFFFFFF, @@ -99,8 +104,8 @@ Syscall Regs::ToSyscall(Syscall::CpuArch syscall_arch) const { auto ip = user_regs_.rip & 0xFFFFFFFF; return Syscall(syscall_arch, syscall, args, pid_, sp, ip); } -#elif defined(__powerpc64__) - if (ABSL_PREDICT_TRUE(syscall_arch == Syscall::kPPC_64)) { +#elif defined(SAPI_PPC64_LE) + if (ABSL_PREDICT_TRUE(syscall_arch == cpu::kPPC64LE)) { auto syscall = user_regs_.gpr[0]; Syscall::Args args = {user_regs_.orig_gpr3, user_regs_.gpr[4], user_regs_.gpr[5], user_regs_.gpr[6], @@ -114,7 +119,7 @@ Syscall Regs::ToSyscall(Syscall::CpuArch syscall_arch) const { } void Regs::StoreRegisterValuesInProtobuf(RegisterValues* values) const { -#if defined(__x86_64__) +#if defined(SAPI_X86_64) RegisterX8664* regs = values->mutable_register_x86_64(); regs->set_r15(user_regs_.r15); regs->set_r14(user_regs_.r14); @@ -143,7 +148,7 @@ void Regs::StoreRegisterValuesInProtobuf(RegisterValues* values) const { regs->set_es(user_regs_.es); regs->set_fs(user_regs_.fs); regs->set_gs(user_regs_.gs); -#elif defined(__powerpc64__) +#elif defined(SAPI_PPC64_LE) RegisterPowerpc64* regs = values->mutable_register_powerpc64(); for (int i = 0; i < ABSL_ARRAYSIZE(user_regs_.gpr); ++i) { regs->add_gpr(user_regs_.gpr[i]); diff --git a/sandboxed_api/sandbox2/regs.h b/sandboxed_api/sandbox2/regs.h index f1149a9..661c8b6 100644 --- a/sandboxed_api/sandbox2/regs.h +++ b/sandboxed_api/sandbox2/regs.h @@ -24,6 +24,7 @@ #include #include "absl/status/status.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/syscall.h" #include "sandboxed_api/sandbox2/violation.pb.h" @@ -33,10 +34,6 @@ namespace sandbox2 { // assumes the process is already attached. class Regs { public: -#if !defined(__x86_64__) && !defined(__powerpc64__) - static_assert(false, "No support for the current CPU architecture"); -#endif - explicit Regs(pid_t pid) : pid_(pid) {} // Copies register values from the process @@ -49,7 +46,7 @@ class Regs { absl::Status SkipSyscallReturnValue(uint64_t value); // Converts raw register values obtained on syscall entry to syscall info - Syscall ToSyscall(Syscall::CpuArch syscall_arch) const; + Syscall ToSyscall(cpu::Architecture syscall_arch) const; pid_t pid() const { return pid_; } @@ -60,7 +57,7 @@ class Regs { friend class StackTracePeer; struct PtraceRegisters { -#if defined(__x86_64__) +#if defined(SAPI_X86_64) uint64_t r15; uint64_t r14; uint64_t r13; @@ -88,7 +85,7 @@ class Regs { uint64_t es; uint64_t fs; uint64_t gs; -#elif defined(__powerpc64__) +#elif defined(SAPI_PPC64_LE) uint64_t gpr[32]; uint64_t nip; uint64_t msr; @@ -108,6 +105,8 @@ class Regs { uint64_t zero1; uint64_t zero2; uint64_t zero3; +#else + static_assert(false, "Host CPU architecture not supported, see config.h"); #endif }; diff --git a/sandboxed_api/sandbox2/result.h b/sandboxed_api/sandbox2/result.h index f381ccb..d2d9c5a 100644 --- a/sandboxed_api/sandbox2/result.h +++ b/sandboxed_api/sandbox2/result.h @@ -28,6 +28,7 @@ #include "absl/memory/memory.h" #include "absl/status/status.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/regs.h" #include "sandboxed_api/sandbox2/syscall.h" @@ -131,8 +132,8 @@ class Result { // Returns the current syscall architecture. // Client architecture when final_status_ == VIOLATION, might be different // from the host architecture (32-bit vs 64-bit syscalls). - Syscall::CpuArch GetSyscallArch() const { - return syscall_ ? syscall_->arch() : Syscall::kUnknown; + cpu::Architecture GetSyscallArch() const { + return syscall_ ? syscall_->arch() : cpu::kUnknown; } const std::vector stack_trace() { return stack_trace_; } diff --git a/sandboxed_api/sandbox2/sandbox2_test.cc b/sandboxed_api/sandbox2/sandbox2_test.cc index edf3d6c..df94c1f 100644 --- a/sandboxed_api/sandbox2/sandbox2_test.cc +++ b/sandboxed_api/sandbox2/sandbox2_test.cc @@ -26,6 +26,7 @@ #include "gtest/gtest.h" #include "absl/memory/memory.h" #include "absl/strings/str_cat.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policybuilder.h" diff --git a/sandboxed_api/sandbox2/syscall.cc b/sandboxed_api/sandbox2/syscall.cc index 2b3ffad..7e06717 100644 --- a/sandboxed_api/sandbox2/syscall.cc +++ b/sandboxed_api/sandbox2/syscall.cc @@ -12,12 +12,11 @@ // See the License for the specific language governing permissions and // limitations under the License. -// Implementation of the sandbox2::Syscall class. - #include "sandboxed_api/sandbox2/syscall.h" #include #include + #include #include #include @@ -26,6 +25,7 @@ #include #include "absl/strings/str_format.h" #include "absl/strings/str_join.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/syscall_defs.h" #ifndef AUDIT_ARCH_PPC64LE @@ -34,13 +34,13 @@ namespace sandbox2 { -std::string Syscall::GetArchDescription(CpuArch arch) { +std::string Syscall::GetArchDescription(cpu::Architecture arch) { switch (arch) { - case kX86_64: + case cpu::kX8664: return "[X86-64]"; - case kX86_32: + case cpu::kX86: return "[X86-32]"; - case kPPC_64: + case cpu::kPPC64LE: return "[PPC-64]"; default: LOG(ERROR) << "Unknown CPU architecture: " << arch; @@ -48,32 +48,25 @@ std::string Syscall::GetArchDescription(CpuArch arch) { } } -Syscall::CpuArch Syscall::GetHostArch() { -#if defined(__x86_64__) - return kX86_64; -#elif defined(__i386__) - return kX86_32; -#elif defined(__powerpc64__) - return kPPC_64; -#endif -} - uint32_t Syscall::GetHostAuditArch() { -#if defined(__x86_64__) - return AUDIT_ARCH_X86_64; -#elif defined(__i386__) - return AUDIT_ARCH_I386; -#elif defined(__powerpc64__) - return AUDIT_ARCH_PPC64LE; -#endif + switch (host_cpu::Architecture()) { + case cpu::kX8664: + return AUDIT_ARCH_X86_64; + case cpu::kPPC64LE: + return AUDIT_ARCH_PPC64LE; + default: + // The static_assert() in config.h should prevent us from ever getting + // here. + return 0; // Not reached + } } std::string Syscall::GetName() const { - absl::string_view name = SyscallTable::get(arch_).GetName(nr_); - if (name.empty()) { - return absl::StrFormat("UNKNOWN[%d/0x%x]", nr_, nr_); + if (absl::string_view name = SyscallTable::get(arch_).GetName(nr_); + !name.empty()) { + return std::string(name); } - return std::string(name); + return absl::StrFormat("UNKNOWN[%d/0x%x]", nr_, nr_); } std::vector Syscall::GetArgumentsDescription() const { diff --git a/sandboxed_api/sandbox2/syscall.h b/sandboxed_api/sandbox2/syscall.h index 50f8dbf..132a505 100644 --- a/sandboxed_api/sandbox2/syscall.h +++ b/sandboxed_api/sandbox2/syscall.h @@ -13,7 +13,7 @@ // limitations under the License. // The sandbox2::Syscalls class defines mostly static helper methods which -// are used to analyze status of the ptraced process +// are used to analyze the status of the sandboxed process. #ifndef SANDBOXED_API_SANDBOX2_SYSCALL_H__ #define SANDBOXED_API_SANDBOX2_SYSCALL_H__ @@ -26,40 +26,34 @@ #include #include +#include "sandboxed_api/sandbox2/config.h" + namespace sandbox2 { class Syscall { public: - // Supported CPU architectures. - // Linux: Use a magic value, so it can be easily spotted in the seccomp-bpf - // bytecode decompilation stream. Must be < (1<<15), as/ that's the size of - // data which can be returned by BPF. - enum CpuArch { - kUnknown = 0xCAF0, - kX86_64, - kX86_32, - kPPC_64, - }; // Maximum number of syscall arguments static constexpr size_t kMaxArgs = 6; using Args = std::array; // Returns the host architecture, according to CpuArch. - static CpuArch GetHostArch(); + static constexpr cpu::Architecture GetHostArch() { + return host_cpu::Architecture(); + } // Returns the host architecture, according to . static uint32_t GetHostAuditArch(); // Returns a description of the architecture. - static std::string GetArchDescription(CpuArch arch); + static std::string GetArchDescription(cpu::Architecture arch); Syscall() = default; - Syscall(CpuArch arch, uint64_t nr, Args args = {}) + Syscall(cpu::Architecture arch, uint64_t nr, Args args = {}) : arch_(arch), nr_(nr), args_(args) {} pid_t pid() const { return pid_; } uint64_t nr() const { return nr_; } - CpuArch arch() const { return arch_; } + cpu::Architecture arch() const { return arch_; } const Args& args() const { return args_; } uint64_t stack_pointer() const { return sp_; } uint64_t instruction_pointer() const { return ip_; } @@ -72,12 +66,12 @@ class Syscall { private: friend class Regs; - Syscall(pid_t pid) : pid_(pid) {} - Syscall(CpuArch arch, uint64_t nr, Args args, pid_t pid, uint64_t sp, - uint64_t ip) + explicit Syscall(pid_t pid) : pid_(pid) {} + Syscall(cpu::Architecture arch, uint64_t nr, Args args, pid_t pid, + uint64_t sp, uint64_t ip) : arch_(arch), nr_(nr), args_(args), pid_(pid), sp_(sp), ip_(ip) {} - CpuArch arch_ = kUnknown; + cpu::Architecture arch_ = cpu::kUnknown; uint64_t nr_ = -1; Args args_ = {}; pid_t pid_ = -1; diff --git a/sandboxed_api/sandbox2/syscall_defs.cc b/sandboxed_api/sandbox2/syscall_defs.cc index 1a8c94f..410d054 100644 --- a/sandboxed_api/sandbox2/syscall_defs.cc +++ b/sandboxed_api/sandbox2/syscall_defs.cc @@ -7,6 +7,7 @@ #include "absl/strings/escaping.h" #include "absl/strings/str_cat.h" #include "absl/strings/str_format.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/util.h" namespace sandbox2 { @@ -128,7 +129,6 @@ std::vector SyscallTable::GetArgumentsDescription( #define SYSCALLS_UNUSED00_99(prefix) \ SYSCALLS_UNUSED00_49(prefix), SYSCALLS_UNUSED50_99(prefix) -#if defined(__x86_64__) // Syscall description table for Linux x86_64 constexpr SyscallTable::Entry kSyscallDataX8664[] = { MakeEntry("read", kInt, kHex, kInt), // 0 @@ -824,12 +824,10 @@ constexpr SyscallTable::Entry kSyscallDataX8632[] = { MakeEntry("bpf", kHex, kHex, kHex, kHex, kHex, kHex), // 357 }; -#elif defined(__powerpc64__) - // http://lxr.free-electrons.com/source/arch/powerpc/include/uapi/asm/unistd.h // Note: PPC64 syscalls can have up to 7 register arguments, but nobody is // using the 7th argument - probably for x64 compatibility reasons. -constexpr SyscallTable::Entry kSyscallDataPPC64[] = { +constexpr SyscallTable::Entry kSyscallDataPPC64LE[] = { MakeEntry("restart_syscall", kGen, kGen, kGen, kGen, kGen, kGen), // 0 MakeEntry("exit", kInt, kGen, kGen, kGen, kGen, kGen), // 1 MakeEntry("fork", kGen, kGen, kGen, kGen, kGen, kGen), // 2 @@ -1218,25 +1216,20 @@ constexpr SyscallTable::Entry kSyscallDataPPC64[] = { MakeEntry("pwritev2", kHex, kHex, kHex, kHex, kHex, kHex), // 381 }; -#endif - #undef SYSCALLS_UNUSED00_99 #undef SYSCALLS_UNUSED50_99 #undef SYSCALLS_UNUSED00_49 #undef SYSCALLS_UNUSED0_9 #undef SYSCALLS_UNUSED -SyscallTable SyscallTable::get(Syscall::CpuArch arch) { - switch (arch) { -#if defined(__x86_64__) - case Syscall::kX86_64: +SyscallTable SyscallTable::get(cpu::Architecture arch) { + switch (host_cpu::Architecture()) { + case cpu::kX8664: return SyscallTable(kSyscallDataX8664); - case Syscall::kX86_32: + case cpu::kX86: return SyscallTable(kSyscallDataX8632); -#elif defined(__powerpc64__) - case Syscall::kPPC_64: - return SyscallTable(kSyscallDataPPC64); -#endif + case cpu::kPPC64LE: + return SyscallTable(kSyscallDataPPC64LE); default: return SyscallTable(); } diff --git a/sandboxed_api/sandbox2/syscall_defs.h b/sandboxed_api/sandbox2/syscall_defs.h index bef3d19..168ed1d 100644 --- a/sandboxed_api/sandbox2/syscall_defs.h +++ b/sandboxed_api/sandbox2/syscall_defs.h @@ -9,6 +9,7 @@ #include "absl/strings/string_view.h" #include "absl/types/span.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/syscall.h" namespace sandbox2 { @@ -23,7 +24,7 @@ class SyscallTable { struct Entry; // Returns the syscall table for the architecture. - static SyscallTable get(Syscall::CpuArch arch); + static SyscallTable get(cpu::Architecture arch); int size() { return data_.size(); } diff --git a/sandboxed_api/sandbox2/syscall_test.cc b/sandboxed_api/sandbox2/syscall_test.cc index 1cb7228..2d13257 100644 --- a/sandboxed_api/sandbox2/syscall_test.cc +++ b/sandboxed_api/sandbox2/syscall_test.cc @@ -19,6 +19,7 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" #include "absl/strings/str_cat.h" +#include "sandboxed_api/sandbox2/config.h" using ::testing::Eq; using ::testing::StartsWith; @@ -45,7 +46,7 @@ TEST(SyscallTest, Basic) { EXPECT_THAT(arg_desc[2], Eq("0x5 [5]")); EXPECT_THAT( syscall.GetDescription(), - Eq(absl::StrCat(Syscall::GetArchDescription(Syscall::GetHostArch()), + Eq(absl::StrCat(Syscall::GetArchDescription(host_cpu::Architecture()), " read [", __NR_read, "](0x1 [1], 0xbadbeef, 0x5 [5]) IP: 0, STACK: 0"))); } @@ -53,7 +54,7 @@ TEST(SyscallTest, Basic) { TEST(SyscallTest, Empty) { Syscall syscall; - EXPECT_THAT(syscall.arch(), Eq(Syscall::kUnknown)); + EXPECT_THAT(syscall.arch(), Eq(cpu::kUnknown)); EXPECT_THAT(syscall.GetName(), StartsWith("UNKNOWN")); EXPECT_THAT(syscall.GetArgumentsDescription().size(), Eq(Syscall::kMaxArgs)); } diff --git a/sandboxed_api/sandbox2/testcases/BUILD.bazel b/sandboxed_api/sandbox2/testcases/BUILD.bazel index 1983e4d..307db47 100644 --- a/sandboxed_api/sandbox2/testcases/BUILD.bazel +++ b/sandboxed_api/sandbox2/testcases/BUILD.bazel @@ -178,6 +178,7 @@ cc_binary( "fully_static_link", # link libc statically ], linkstatic = 1, # prefer static libraries + deps = ["//sandboxed_api/sandbox2:config"], ) # security: disable=cc-static-no-pie diff --git a/sandboxed_api/sandbox2/testcases/CMakeLists.txt b/sandboxed_api/sandbox2/testcases/CMakeLists.txt index 4af43ba..c57ffc5 100644 --- a/sandboxed_api/sandbox2/testcases/CMakeLists.txt +++ b/sandboxed_api/sandbox2/testcases/CMakeLists.txt @@ -159,6 +159,7 @@ set_target_properties(policy PROPERTIES ) target_link_libraries(policy PRIVATE sapi::base + sandbox2::config ${_sandbox2_fully_static_linkopts} ) diff --git a/sandboxed_api/sandbox2/testcases/policy.cc b/sandboxed_api/sandbox2/testcases/policy.cc index e1f851e..ae598cf 100644 --- a/sandboxed_api/sandbox2/testcases/policy.cc +++ b/sandboxed_api/sandbox2/testcases/policy.cc @@ -23,7 +23,9 @@ #include #include -#if defined(__x86_64__) +#include "sandboxed_api/sandbox2/config.h" + +#ifdef SAPI_X86_64 void TestAMD64SyscallMismatch() { int64_t result; @@ -53,7 +55,7 @@ void TestAMD64SyscallMismatchFs() { : "rax", "rbx", "rcx"); exit(-result); } -#endif // defined(__x86_64__) +#endif void TestPtrace() { ptrace(PTRACE_SEIZE, getppid(), 0, 0); @@ -97,14 +99,14 @@ int main(int argc, char** argv) { int testno = atoi(argv[1]); // NOLINT switch (testno) { -#if defined(__x86_64__) +#ifdef SAPI_X86_64 case 1: TestAMD64SyscallMismatch(); break; case 2: TestAMD64SyscallMismatchFs(); break; -#endif // defined(__x86_64__) +#endif case 3: TestPtrace(); break; diff --git a/sandboxed_api/sandbox2/util.cc b/sandboxed_api/sandbox2/util.cc index 55f7aa6..3e97abc 100644 --- a/sandboxed_api/sandbox2/util.cc +++ b/sandboxed_api/sandbox2/util.cc @@ -39,13 +39,13 @@ #include "absl/strings/str_format.h" #include "absl/strings/string_view.h" #include "absl/strings/strip.h" +#include "sandboxed_api/sandbox2/config.h" #include "sandboxed_api/sandbox2/util/fileops.h" #include "sandboxed_api/sandbox2/util/path.h" #include "sandboxed_api/sandbox2/util/strerror.h" #include "sandboxed_api/util/raw_logging.h" -namespace sandbox2 { -namespace util { +namespace sandbox2::util { void CharPtrArrToVecString(char* const* arr, std::vector* vec) { for (int i = 0; arr[i]; ++i) { @@ -126,13 +126,10 @@ ABSL_ATTRIBUTE_NO_SANITIZE_ADDRESS ABSL_ATTRIBUTE_NOINLINE pid_t CloneAndJump(int flags, jmp_buf* env_ptr) { uint8_t stack_buf[PTHREAD_STACK_MIN] ABSL_CACHELINE_ALIGNED; -#if defined(__x86_64__) || defined(__x86__) || defined(__i386__) || \ - defined(__powerpc64__) + static_assert(host_cpu::IsX8664() || host_cpu::IsPPC64LE(), + "Host CPU architecture not supported, see config.h"); // Stack grows down. void* stack = stack_buf + sizeof(stack_buf); -#else -#error "Architecture is not supported" -#endif int r; { r = clone(&ChildFunc, stack, flags, env_ptr, nullptr, nullptr, nullptr); @@ -321,5 +318,4 @@ absl::StatusOr ReadCPathFromPid(pid_t pid, uintptr_t ptr) { return path; } -} // namespace util -} // namespace sandbox2 +} // namespace sandbox2::util