StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Added sandbox policy for extract function

Browse Source
This commit is contained in:
Andrei Medar 2020-09-16 15:57:31 +00:00
parent 9ec90b741c
commit 7e24ee2232
6 changed files with 237 additions and 169 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
oss-internship-2020/sapi_libarchive/examples/CMakeLists.txt
View File

@ -23,6 +23,7 @@ target_link_libraries(helpers PUBLIC
sandbox2::fileops sandbox2::fileops
sandbox2::util sandbox2::util
sandbox2::file_base sandbox2::file_base
sandbox2::executor
glog::glog glog::glog
libarchive_sapi libarchive_sapi
) )

30
oss-internship-2020/sapi_libarchive/examples/helpers.cc
View File

@ -2,7 +2,8 @@
#include "helpers.h" #include "helpers.h"
std::string MakeAbsolutePathAtCWD(std::string path) { std::string MakeAbsolutePathAtCWD(std::string path) {
std::string result = sandbox2::file_util::fileops::MakeAbsolute(path, sandbox2::file_util::fileops::GetCWD()); std::string result = sandbox2::file_util::fileops::MakeAbsolute(
path, sandbox2::file_util::fileops::GetCWD());
CHECK(result != "") << "Could not create absolute path for: " << path; CHECK(result != "") << "Could not create absolute path for: " << path;
return sandbox2::file::CleanPath(result); return sandbox2::file::CleanPath(result);
} }
@ -14,30 +15,33 @@ std::vector<std::string> MakeAbsolutePathsVec(char *argv[]) {
return arr; return arr;
} }
// std::string GetErrorString(sapi::v::Ptr *archive, LibarchiveSandbox &sandbox, LibarchiveApi &api) { // std::string GetErrorString(sapi::v::Ptr *archive, LibarchiveSandbox &sandbox,
// LibarchiveApi &api) {
// sapi::StatusOr<char *> ret = api.archive_error_string(archive); // sapi::StatusOr<char *> ret = api.archive_error_string(archive);
// CHECK(ret.ok() && ret) << "Could not get error message"; // CHECK(ret.ok() && ret) << "Could not get error message";
// sapi::StatusOr<std::string> ret2 = sandbox.GetCString(sapi::v::RemotePtr(ret.value())); // sapi::StatusOr<std::string> ret2 =
// CHECK(ret.ok()) << "Could not transfer error message"; // sandbox.GetCString(sapi::v::RemotePtr(ret.value())); CHECK(ret.ok()) <<
// return ret2.value(); // "Could not transfer error message"; return ret2.value();
// } // }
std::string CheckStatusAndGetString(const sapi::StatusOr<char *> &status,
std::string CheckStatusAndGetString(const sapi::StatusOr<char *> &status, LibarchiveSandbox &sandbox) { LibarchiveSandbox &sandbox) {
CHECK(status.ok() && status.value() != NULL) << "Could not get error message"; CHECK(status.ok() && status.value() != NULL) << "Could not get error message";
sapi::StatusOr<std::string> ret = sandbox.GetCString(sapi::v::RemotePtr(status.value())); sapi::StatusOr<std::string> ret =
sandbox.GetCString(sapi::v::RemotePtr(status.value()));
CHECK(ret.ok()) << "Could not transfer error message"; CHECK(ret.ok()) << "Could not transfer error message";
return ret.value(); return ret.value();
} }
// std::string CallFunctionAndGetString(sapi::v::Ptr *archive, LibarchiveSandbox &sandbox, // std::string CallFunctionAndGetString(sapi::v::Ptr *archive, LibarchiveSandbox
// LibarchiveApi *api, sapi::StatusOr<char *> (LibarchiveApi::*func)(sapi::v::Ptr *)) { // &sandbox, LibarchiveApi *api, sapi::StatusOr<char *>
// (LibarchiveApi::*func)(sapi::v::Ptr *)) {
// sapi::StatusOr<char *> ret = (api->*func)(archive); // sapi::StatusOr<char *> ret = (api->*func)(archive);
// CHECK(ret.ok() && ret) << "Could not get error message"; // CHECK(ret.ok() && ret) << "Could not get error message";
// sapi::StatusOr<std::string> ret2 = sandbox.GetCString(sapi::v::RemotePtr(ret.value())); // sapi::StatusOr<std::string> ret2 =
// CHECK(ret.ok()) << "Could not transfer error message"; // sandbox.GetCString(sapi::v::RemotePtr(ret.value())); CHECK(ret.ok()) <<
// return ret2.value(); // "Could not transfer error message"; return ret2.value();
// } // }

24
oss-internship-2020/sapi_libarchive/examples/helpers.h
View File

@ -2,30 +2,30 @@
#define SAPI_LIBARCHIVE_HELPERS_H #define SAPI_LIBARCHIVE_HELPERS_H
#include <glog/logging.h> #include <glog/logging.h>
#include "libarchive_sapi.sapi.h"
#include "sandboxed_api/sandbox2/util.h" #include "sandboxed_api/sandbox2/util.h"
#include "sandboxed_api/sandbox2/util/fileops.h" #include "sandboxed_api/sandbox2/util/fileops.h"
#include "sandboxed_api/sandbox2/util/path.h" #include "sandboxed_api/sandbox2/util/path.h"
#include "libarchive_sapi.sapi.h"
// Used to convert the paths provided as arguments for the program // Used to convert the paths provided as arguments for the program
// (the paths used) to an array of absolute paths. This allows the user // (the paths used) to an array of absolute paths. This allows the user
// to use either relative or absolute paths // to use either relative or absolute paths
std::vector<std::string> MakeAbsolutePathsVec(char *argv[]); std::vector<std::string> MakeAbsolutePathsVec(char *argv[]);
// Converts only one string to an absolute path by prepending the current
// Converts only one string to an absolute path by prepending the current working // working directory to the relative path
// directory to the relative path
std::string MakeAbsolutePathAtCWD(std::string path); std::string MakeAbsolutePathAtCWD(std::string path);
// Calls the archive_error_string and returns the mesage after it was transferred // Calls the archive_error_string and returns the mesage after it was
// to the client process. // transferred to the client process. std::string GetErrorString(sapi::v::Ptr
// std::string GetErrorString(sapi::v::Ptr *archive, LibarchiveSandbox &sandbox, LibarchiveApi &api); // *archive, LibarchiveSandbox &sandbox, LibarchiveApi &api);
std::string CheckStatusAndGetString(const sapi::StatusOr<char *> &status,
LibarchiveSandbox &sandbox);
std::string CheckStatusAndGetString(const sapi::StatusOr<char *> &status, LibarchiveSandbox &sandbox); // std::string CallFunctionAndGetString(sapi::v::Ptr *archive, LibarchiveSandbox
// &sandbox, LibarchiveApi *api, sapi::StatusOr<char *>
// std::string CallFunctionAndGetString(sapi::v::Ptr *archive, LibarchiveSandbox &sandbox, // (LibarchiveApi::*func)(sapi::v::Ptr *));
// LibarchiveApi *api, sapi::StatusOr<char *> (LibarchiveApi::*func)(sapi::v::Ptr *));
#endif // SAPI_LIBARCHIVE_HELPERS_H #endif // SAPI_LIBARCHIVE_HELPERS_H

17
oss-internship-2020/sapi_libarchive/examples/sandbox.h
View File

@ -20,7 +20,8 @@ class SapiLibarchiveSandboxCreate : public LibarchiveSandbox {
class SapiLibarchiveSandboxExtract : public LibarchiveSandbox { class SapiLibarchiveSandboxExtract : public LibarchiveSandbox {
public: public:
// TODO // TODO
explicit SapiLibarchiveSandboxExtract(const std::string &archive_path, const int do_extract) explicit SapiLibarchiveSandboxExtract(const std::string& archive_path,
const int do_extract)
: archive_path_(archive_path), do_extract_(do_extract) {} : archive_path_(archive_path), do_extract_(do_extract) {}
private: private:
@ -28,14 +29,19 @@ class SapiLibarchiveSandboxExtract : public LibarchiveSandbox {
// TODO create /output/ + chdir here if do_execute // TODO create /output/ + chdir here if do_execute
if (do_extract_) { if (do_extract_) {
// TODO change the directory // TODO change the directory
std::cout << "inside executor do extract" << std::endl; std::cout << "changing dir" << std::endl;
} else { if (!sandbox2::file_util::fileops::Exists("/output", false)) {
// Do nothing since we do not need to create any files CHECK(sandbox2::util::CreateDirRecursive("/output", 644))
<< "Could not create /output directory";
}
executor = &executor->set_cwd("/output");
} }
} }
std::unique_ptr<sandbox2::Policy> ModifyPolicy( std::unique_ptr<sandbox2::Policy> ModifyPolicy(
sandbox2::PolicyBuilder*) override { sandbox2::PolicyBuilder*) override {
// TODO no auto
auto policy = sandbox2::PolicyBuilder() auto policy = sandbox2::PolicyBuilder()
.AllowRead() .AllowRead()
.AllowWrite() .AllowWrite()
@ -56,7 +62,8 @@ class SapiLibarchiveSandboxExtract : public LibarchiveSandbox {
if (do_extract_) { if (do_extract_) {
// map "/output/" to cwd // map "/output/" to cwd
std::cout << "do extract inside policy" << std::endl; policy = policy.AddDirectoryAt(sandbox2::file_util::fileops::GetCWD(),
"/output", false);
} }
return policy.BuildOrDie(); return policy.BuildOrDie();
} }

1
oss-internship-2020/sapi_libarchive/examples/sapi_example.cc
View File

@ -13,6 +13,5 @@ int main() {
std::cout << "OK" << std::endl; std::cout << "OK" << std::endl;
} }
return 0; return 0;
} }

117
oss-internship-2020/sapi_libarchive/examples/sapi_minitar.cc
View File

@ -125,7 +125,8 @@ static void create(const char *filename, int compress, const char **argv);
#endif #endif
static void errmsg(const char *); static void errmsg(const char *);
static void extract(const char *filename, int do_extract, int flags); static void extract(const char *filename, int do_extract, int flags);
static int copy_data(struct archive *, struct archive *); static int copy_data(sapi::v::RemotePtr *ar, sapi::v::RemotePtr *aw,
LibarchiveApi &api, SapiLibarchiveSandboxExtract &sandbox);
static void msg(const char *); static void msg(const char *);
static void usage(void); static void usage(void);
@ -259,71 +260,78 @@ static void extract(const char *filename, int do_extract, int flags) {
sapi::StatusOr<int> ret2; sapi::StatusOr<int> ret2;
ret2 = api.archive_write_disk_set_options(&ext_ptr, flags); ret2 = api.archive_write_disk_set_options(&ext_ptr, flags);
CHECK(ret2.ok()) << "write_disk_set_options call failed"; CHECK(ret2.ok()) << "write_disk_set_options call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result from write_disk_set_options call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result from write_disk_set_options call";
#ifndef NO_BZIP2_EXTRACT #ifndef NO_BZIP2_EXTRACT
ret2 = api.archive_read_support_filter_bzip2(&a_ptr); ret2 = api.archive_read_support_filter_bzip2(&a_ptr);
CHECK(ret2.ok()) << "read_support_filter_bzip2 call failed"; CHECK(ret2.ok()) << "read_support_filter_bzip2 call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result from read_support_filter_bzip2 call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result from read_support_filter_bzip2 call";
#endif #endif
#ifndef NO_GZIP_EXTRACT #ifndef NO_GZIP_EXTRACT
ret2 = api.archive_read_support_filter_gzip(&a_ptr); ret2 = api.archive_read_support_filter_gzip(&a_ptr);
CHECK(ret2.ok()) << "read_suppport_filter_gzip call failed"; CHECK(ret2.ok()) << "read_suppport_filter_gzip call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result from read_suppport_filter_gzip call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result from read_suppport_filter_gzip call";
#endif #endif
#ifndef NO_COMPRESS_EXTRACT #ifndef NO_COMPRESS_EXTRACT
ret2 = api.archive_read_support_filter_compress(&a_ptr); ret2 = api.archive_read_support_filter_compress(&a_ptr);
CHECK(ret2.ok()) << "read_support_filter_compress call failed"; CHECK(ret2.ok()) << "read_support_filter_compress call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result from read_support_filter_compress call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result from read_support_filter_compress call";
#endif #endif
#ifndef NO_TAR_EXTRACT #ifndef NO_TAR_EXTRACT
ret2 = api.archive_read_support_format_tar(&a_ptr); ret2 = api.archive_read_support_format_tar(&a_ptr);
CHECK(ret2.ok()) << "read_support_format_tar call failed"; CHECK(ret2.ok()) << "read_support_format_tar call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result fromread_support_format_tar call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result fromread_support_format_tar call";
#endif #endif
#ifndef NO_CPIO_EXTRACT #ifndef NO_CPIO_EXTRACT
ret2 = api.archive_read_support_format_cpio(&a_ptr); ret2 = api.archive_read_support_format_cpio(&a_ptr);
CHECK(ret2.ok()) << "read_support_format_cpio call failed"; CHECK(ret2.ok()) << "read_support_format_cpio call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result from read_support_format_tar call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result from read_support_format_tar call";
#endif #endif
#ifndef NO_LOOKUP #ifndef NO_LOOKUP
ret2 = api.archive_write_disk_set_standard_lookup(&ext_ptr); ret2 = api.archive_write_disk_set_standard_lookup(&ext_ptr);
CHECK(ret2.ok()) << "write_disk_set_standard_lookup call failed"; CHECK(ret2.ok()) << "write_disk_set_standard_lookup call failed";
CHECK(ret2.value() != ARCHIVE_FATAL) << "Unexpected result from write_disk_set_standard_lookup call"; CHECK(ret2.value() != ARCHIVE_FATAL)
<< "Unexpected result from write_disk_set_standard_lookup call";
#endif #endif
if (filename != NULL && strcmp(filename, "-") == 0) filename = NULL;
if (filename != NULL && strcmp(filename, "-") == 0)
filename = NULL;
sapi::v::ConstCStr sapi_filename(filename_absolute.c_str()); sapi::v::ConstCStr sapi_filename(filename_absolute.c_str());
std::cout << "opening filename" << std::endl; std::cout << "opening filename" << std::endl;
ret2 = api.archive_read_open_filename(&a_ptr, sapi_filename.PtrBefore(), 10240); ret2 =
api.archive_read_open_filename(&a_ptr, sapi_filename.PtrBefore(), 10240);
CHECK(ret2.ok()) << "read_open_filename call failed"; CHECK(ret2.ok()) << "read_open_filename call failed";
// CHECK(!ret2.value()) << GetErrorString(&a_ptr, sandbox, api); // CHECK(!ret2.value()) << GetErrorString(&a_ptr, sandbox, api);
CHECK(!ret2.value()) << CheckStatusAndGetString(api.archive_error_string(&a_ptr), sandbox); CHECK(!ret2.value()) << CheckStatusAndGetString(
// CHECK(!ret2.value()) << CallFunctionAndGetString(&a_ptr, sandbox, &api, &api.archive_error_string); api.archive_error_string(&a_ptr), sandbox);
// CHECK(!ret2.value()) << CallFunctionAndGetString(&a_ptr, sandbox, &api,
sapi::v::IntBase<struct archive_entry *> entry_ptr_tmp(0); // &api.archive_error_string);
for (;;) { for (;;) {
int needcr = 0;
std::cout << "================reading headers==============" << std::endl; std::cout << "================reading headers==============" << std::endl;
sapi::v::IntBase<struct archive_entry *> entry_ptr_tmp(0);
ret2 = api.archive_read_next_header(&a_ptr, entry_ptr_tmp.PtrBoth()); ret2 = api.archive_read_next_header(&a_ptr, entry_ptr_tmp.PtrBoth());
// std::cout << "val = " << ret2.value() << std::endl; // std::cout << "val = " << ret2.value() << std::endl;
CHECK(ret2.ok()) << "read_next_header call failed"; CHECK(ret2.ok()) << "read_next_header call failed";
// CHECK(ret2.value() != ARCHIVE_OK) << GetErrorString(&a_ptr, sandbox, api); // CHECK(ret2.value() != ARCHIVE_OK) << GetErrorString(&a_ptr, sandbox,
// api);
if (ret2.value() == ARCHIVE_EOF) { if (ret2.value() == ARCHIVE_EOF) {
break; break;
} }
CHECK(ret2.value() == ARCHIVE_OK) << CheckStatusAndGetString(api.archive_error_string(&a_ptr), sandbox); CHECK(ret2.value() == ARCHIVE_OK)
<< CheckStatusAndGetString(api.archive_error_string(&a_ptr), sandbox);
sapi::v::RemotePtr entry_ptr(entry_ptr_tmp.GetValue()); sapi::v::RemotePtr entry_ptr(entry_ptr_tmp.GetValue());
@ -331,17 +339,34 @@ static void extract(const char *filename, int do_extract, int flags) {
std::cout << "x "; std::cout << "x ";
} }
if (verbose || !do_extract) { if (verbose || !do_extract) {
std::cout << CheckStatusAndGetString(api.archive_entry_pathname(&entry_ptr), sandbox) << " "; std::cout << CheckStatusAndGetString(
api.archive_entry_pathname(&entry_ptr), sandbox)
<< " ";
needcr = 1;
} }
std::cout << "qqqqq" << std::endl;
if (do_extract) { if (do_extract) {
std::cout << "EXTRACT HERE"; std::cout << "EXTRACT HERE" << std::endl;
ret2 = api.archive_write_header(&ext_ptr, &entry_ptr);
CHECK(ret2.ok()) << "write_header call faield";
std::cout << "val = " << ret2.value() << std::endl;
if (ret2.value() != ARCHIVE_OK) {
std::cout << CheckStatusAndGetString(api.archive_error_string(&a_ptr),
sandbox);
needcr = 1;
} else if (copy_data(&a_ptr, &ext_ptr, api, sandbox) != ARCHIVE_OK) {
needcr = 1;
}
} }
// use the needcr stuff here TODO // use the needcr stuff here TODO
if (needcr) {
std::cout << std::endl; std::cout << std::endl;
}
} }
std::cout << "out of loop" << std::endl; std::cout << "out of loop" << std::endl;
@ -354,20 +379,52 @@ static void extract(const char *filename, int do_extract, int flags) {
CHECK(ret2.ok()) << "read_free call failed"; CHECK(ret2.ok()) << "read_free call failed";
CHECK(!ret2.value()) << "Unexpected result from read_free call"; CHECK(!ret2.value()) << "Unexpected result from read_free call";
ret2 = api.archive_write_close(&ext_ptr); ret2 = api.archive_write_close(&ext_ptr);
CHECK(ret2.ok()) << "write_close call failed"; CHECK(ret2.ok()) << "write_close call failed";
CHECK(!ret2.value()) << "Unexpected result from write_close call"; CHECK(!ret2.value()) << "Unexpected result from write_close call";
ret2 = api.archive_write_free(&ext_ptr); ret2 = api.archive_write_free(&ext_ptr);
CHECK(ret2.ok()) << "write_free call failed"; CHECK(ret2.ok()) << "write_free call failed";
CHECK(!ret2.value()) << "Unexpected result from write_free call"; CHECK(!ret2.value()) << "Unexpected result from write_free call";
} }
static int copy_data(struct archive *ar, struct archive *aw) { static int copy_data(sapi::v::RemotePtr *ar, sapi::v::RemotePtr *aw,
return 0; LibarchiveApi &api,
SapiLibarchiveSandboxExtract &sandbox) {
std::cout << "CALL COPY_DATA XXXXXXXXXXXX\n";
sapi::StatusOr<int> ret;
sapi::v::IntBase<struct archive_entry *> buff_ptr_tmp(0);
sapi::v::ULLong size;
sapi::v::SLLong offset;
for (;;) {
ret = api.archive_read_data_block(ar, buff_ptr_tmp.PtrBoth(),
size.PtrBoth(), offset.PtrBoth());
CHECK(ret.ok()) << "read_data_block call failed";
if (ret.value() == ARCHIVE_EOF) {
return ARCHIVE_OK;
}
if (ret.value() != ARCHIVE_OK) {
std::cout << CheckStatusAndGetString(api.archive_error_string(ar),
sandbox);
return ret.value();
}
sapi::v::RemotePtr buff_ptr(buff_ptr_tmp.GetValue());
ret = api.archive_write_data_block(aw, &buff_ptr, size.GetValue(),
offset.GetValue());
CHECK(ret.ok()) << "write_data_block call failed";
if (ret.value() != ARCHIVE_OK) {
std::cout << CheckStatusAndGetString(api.archive_error_string(ar),
sandbox);
return ret.value();
}
}
} }
static void msg(const char *m) { write(1, m, strlen(m)); } static void msg(const char *m) { write(1, m, strlen(m)); }