Add basic CMake support for SAPI, build examples

* Implement add_sapi_library() similar to the Bazel rule * Fix SuperBuild so that glog properly depends on gflags (needed for --logtostderr) * Raise minimum required version of CMake to 3.10 (Ubuntu 18.04 LTS) * Update sum sandbox policy to allow to get IDs and PIDs PiperOrigin-RevId: 258124160 Change-Id: I64c2f8b27a3e842874adca9100bfce20a2b74f17
2024-03-22 13:11:30 +08:00 · 2019-07-15 02:53:18 -07:00 · 2019-07-15 02:53:18 -07:00 · b219661be0
commit b219661be0
parent 686c6d254f
11 changed files with 360 additions and 10 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-cmake_minimum_required(VERSION 3.5)
+cmake_minimum_required(VERSION 3.10)

 option(USE_SUPERBUILD "Whether or not a superbuild should be invoked" ON)
 if(USE_SUPERBUILD)
@ -76,6 +76,20 @@ find_package(Libffi REQUIRED)
 find_package(ZLIB REQUIRED)
 find_package(Protobuf REQUIRED)

+if(CMAKE_VERSION VERSION_LESS "3.12")
+  # Work around FindPythonInterp sometimes not preferring Python 3.
+  foreach(v IN ITEMS 3 3.9 3.8 3.7 3.6 3.5 3.4 3.3 3.2 3.1 3.0)
+    list(APPEND _sapi_py_names python${v})
+  endforeach()
+  find_program(Python3_EXECUTABLE NAMES ${_sapi_py_names})
+  if(NOT Python3_EXECUTABLE)
+    message(FATAL_ERROR "No suitable version of Python 3 found")
+  endif()
+else()
+  find_package(Python3 COMPONENTS Interpreter REQUIRED)
+endif()
+
+# Undo global change
 set(CMAKE_FIND_LIBRARY_SUFFIXES ${_sapi_saved_CMAKE_FIND_LIBRARY_SUFFIXES})

 # Make Bazel-like includes work
--- a/cmake/SapiUtil.cmake
+++ b/cmake/SapiUtil.cmake
@ -87,3 +87,120 @@ macro(sapi_cc_embed_data)
    absl::core_headers
  )
 endmacro()
+
+# Adds a library target implementing a sandboxed API for another library.
+# The first argument is the target name, similar to the native add_library().
+# This function implements the same functionality as the Bazel version in
+# sandboxed_api/bazel/sapi.bzl.
+#
+# SOURCES Any additional sources to include with the Sandboxed API library.
+#   Typically not necessary, unless the sandbox definition should be in a .cc
+#   file instead of the customary "sandbox.h" header. Bazel also has a "hdrs"
+#   attribute, but CMake does not distinguish headers from sources.
+# FUNCTIONS A list of functions that to use in from host code. Leaving this
+#   list empty will export and wrap all functions found in the library.
+# NOEMBED Whether the SAPI library should be embedded inside host code, so the
+#   SAPI Sandbox can be initialized with the
+#   ::sapi::Sandbox::Sandbox(FileToc*) constructor.
+# LIBRARY The library target to sandbox and expose to the host code (required).
+# LIBRARY_NAME The name of the class which will proxy the library functions
+#   from the functions list (required). You will call functions from the
+#   sandboxed library via instances of this class.
+# INPUTS List of source files which the SAPI interface generator should scan
+#   for function declarations. Library header files are always scanned, so
+#   this can usually be empty/omitted.
+# NAMESPACE C++ namespace identifier to place API class defined by
+#   LIBRARY_NAME into.
+# HEADER If set, does not generate an interface header, but uses the one
+#   specified.
+function(add_sapi_library)
+  set(_sapi_opts NOEMBED)
+  set(_sapi_one_value HEADER LIBRARY LIBRARY_NAME NAMESPACE)
+  set(_sapi_multi_value SOURCES FUNCTIONS INPUTS)
+  cmake_parse_arguments(_sapi
+                        "${_sapi_opts}"
+                        "${_sapi_one_value}"
+                        "${_sapi_multi_value}"
+                        ${ARGN})
+  set(_sapi_NAME "${ARGV0}")
+
+  set(_sapi_gen_header "${_sapi_NAME}.sapi.h")
+  foreach(func IN LISTS _sapi_FUNCTIONS)
+    list(APPEND _sapi_exported_funcs "-Wl,--export-dynamic-symbol,${func}")
+  endforeach()
+  if(NOT _sapi_exported_funcs)
+    set(_sapi_exported_funcs -Wl,--whole-archive
+                             -Wl,--allow-multiple-definition)
+  endif()
+
+  # The sandboxed binary
+  set(_sapi_bin "${_sapi_NAME}.bin")
+  set(_sapi_force_cxx_linkage
+    "${CMAKE_CURRENT_BINARY_DIR}/${_sapi_bin}_force_cxx_linkage.cc")
+  file(TOUCH "${_sapi_force_cxx_linkage}")
+  add_executable("${_sapi_bin}" "${_sapi_force_cxx_linkage}")
+  # TODO(cblichmann): Use target_link_options on CMake >= 3.13
+  target_link_libraries("${_sapi_bin}" PRIVATE
+    -fuse-ld=gold
+    "${_sapi_LIBRARY}"
+    sapi::client
+    ${CMAKE_DL_LIBS}
+    -Wl,-E
+    ${_sapi_exported_funcs}
+  )
+
+  if(NOT _sapi_NOEMBED)
+    set(_sapi_embed "${_sapi_NAME}_embed")
+    sapi_cc_embed_data(NAME "${_sapi_embed}"
+      NAMESPACE "${_sapi_NAMESPACE}"
+      SOURCES "${_sapi_bin}"
+    )
+  endif()
+
+  # Interface
+  list(JOIN _sapi_FUNCTIONS "," _sapi_funcs)
+  foreach(src IN LISTS _sapi_INPUTS)
+    get_filename_component(src "${src}" ABSOLUTE)
+    list(APPEND _sapi_full_inputs "${src}")
+  endforeach()
+  list(JOIN _sapi_full_inputs "," _sapi_full_inputs)
+  if(NOT _sapi_NOEMBED)
+    set(_sapi_embed_dir "${CMAKE_CURRENT_BINARY_DIR}")
+    set(_sapi_embed_name "${_sapi_NAME}")
+  endif()
+  add_custom_command(
+    OUTPUT "${_sapi_gen_header}"
+    COMMAND "${Python3_EXECUTABLE}" -B
+            "${PROJECT_SOURCE_DIR}/sandboxed_api/tools/generator2/sapi_generator.py"
+            "--sapi_name=${_sapi_LIBRARY_NAME}"
+            "--sapi_out=${_sapi_gen_header}"
+            "--sapi_embed_dir=${_sapi_embed_dir}"
+            "--sapi_embed_name=${_sapi_embed_name}"
+            "--sapi_functions=${_sapi_funcs}"
+            "--sapi_ns=${_sapi_NAMESPACE}"
+            # TODO(cblichmann): Implement sapi_isystem
+            "--sapi_in=${_sapi_full_inputs}"
+    COMMENT "Generating interface"
+  )
+
+  # Library with the interface
+  if(NOT _sapi_SOURCES)
+    set(_sapi_force_cxx_linkage
+      "${CMAKE_CURRENT_BINARY_DIR}/${_sapi_NAME}_force_cxx_linkage.cc")
+    file(TOUCH "${_sapi_force_cxx_linkage}")
+    list(APPEND _sapi_SOURCES "${_sapi_force_cxx_linkage}")
+  endif()
+  add_library("${_sapi_NAME}" STATIC
+    ${_sapi_gen_header}
+    ${_sapi_SOURCES}
+  )
+  target_link_libraries("${_sapi_NAME}" PRIVATE
+    sapi::sapi
+    sapi::vars
+  )
+  if(NOT _sapi_NOEMBED)
+    target_link_libraries("${_sapi_NAME}" PRIVATE
+      "${_sapi_embed}"
+    )
+  endif()
+endfunction()
--- a/cmake/SuperBuild.cmake
+++ b/cmake/SuperBuild.cmake
@ -18,7 +18,9 @@ list(APPEND DEPENDENCIES absl)
 ExternalProject_Add(gflags
  GIT_REPOSITORY https://github.com/gflags/gflags.git
  GIT_TAG 28f50e0fed19872e0fd50dd23ce2ee8cd759338e
-  CMAKE_ARGS -DGFLAGS_IS_SUBPROJECT=TRUE
+  CMAKE_ARGS -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+             -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+             -DGFLAGS_IS_SUBPROJECT=TRUE
  INSTALL_COMMAND ""
 )
 list(APPEND DEPENDENCIES gflags)
@ -27,11 +29,13 @@ ExternalProject_Add(glog
  DEPENDS gflags
  GIT_REPOSITORY https://github.com/google/glog.git
  GIT_TAG 41f4bf9cbc3e8995d628b459f6a239df43c2b84a
-  CMAKE_ARGS
-    # Disable symbolizer
-    -DCMAKE_PREFIX_PATH= -DUNWIND_LIBRARY=
-    # getpwuid_r() cannot be linked statically with glibc
-    -DHAVE_PWD_H=
+  CMAKE_ARGS -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+             -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+             "-DCMAKE_PREFIX_PATH=${PROJECT_BINARY_DIR}/Dependencies/Build/gflags"
+             # Disable symbolizer
+             -DUNWIND_LIBRARY=
+             # getpwuid_r() cannot be linked statically with glibc
+             -DHAVE_PWD_H=
  INSTALL_COMMAND ""
 )
 list(APPEND DEPENDENCIES glog)
@ -66,9 +70,9 @@ ExternalProject_Add(protobuf
  GIT_TAG e08f01ce6a78a6cf2834dfa37281eb366eb0c5c3  # 2019-06-05
  PREFIX ${CMAKE_CURRENT_BINARY_DIR}/Dependencies/Build/protobuf
  SOURCE_SUBDIR cmake
-  CMAKE_ARGS -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR>
-             -DCMAKE_BUILD_TYPE=@CMAKE_BUILD_TYPE@
+  CMAKE_ARGS -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
             -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+             -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR>
             -Dprotobuf_BUILD_TESTS=OFF
             -Dprotobuf_BUILD_SHARED_LIBS=OFF
             -Dprotobuf_WITH_ZLIB=OFF
--- a/sandboxed_api/CMakeLists.txt
+++ b/sandboxed_api/CMakeLists.txt
@ -13,6 +13,7 @@
 # limitations under the License.

 add_subdirectory(bazel)  # For filewrapper
+add_subdirectory(examples)
 add_subdirectory(sandbox2)
 add_subdirectory(util)

--- a/sandboxed_api/examples/CMakeLists.txt
+++ b/sandboxed_api/examples/CMakeLists.txt
@ -0,0 +1,16 @@
+# Copyright 2019 Google LLC. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_subdirectory(stringop)
+add_subdirectory(sum)
--- a/sandboxed_api/examples/stringop/CMakeLists.txt
+++ b/sandboxed_api/examples/stringop/CMakeLists.txt
@ -0,0 +1,33 @@
+# Copyright 2019 Google LLC. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_subdirectory(lib)
+
+# sandboxed_api/examples/stringop:main_stringop
+add_executable(main_stringop
+  main_stringop.cc
+)
+target_link_libraries(main_stringop PRIVATE
+  absl::memory
+  absl::strings
+  absl::time
+  glog::glog
+  sapi::flags
+  sapi::sapi
+  sapi::status
+  sapi::stringop_sapi
+  sapi::test_main
+  sapi::vars
+)
+gtest_discover_tests(main_stringop)
--- a/sandboxed_api/examples/stringop/lib/CMakeLists.txt
+++ b/sandboxed_api/examples/stringop/lib/CMakeLists.txt
@ -0,0 +1,60 @@
+# Copyright 2019 Google LLC. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# sandboxed_api/examples/stringop/lib:stringop_params_proto
+protobuf_generate_cpp(_sapi_stringop_params_pb_cc _sapi_stringop_params_pb_h
+  stringop_params.proto
+)
+# Object library to avoid having to use -Wl,--whole-archive. This simulates
+# Bazel's alwayslink=1.
+add_library(sapi_stringop_params_proto OBJECT
+  ${_sapi_stringop_params_pb_cc}
+  ${_sapi_stringop_params_pb_h}
+)
+add_library(sapi::stringop_params_proto ALIAS sapi_stringop_params_proto)
+target_link_libraries(sapi_stringop_params_proto PRIVATE
+  protobuf::libprotobuf
+  sapi::base
+)
+
+# sandboxed_api/examples/stringop/lib:stringop
+add_library(sapi_stringop STATIC
+  stringop.cc
+)
+add_library(sapi::stringop ALIAS sapi_stringop)
+target_link_libraries(sapi_stringop PRIVATE
+  $<TARGET_OBJECTS:sapi_stringop_params_proto>
+  sapi::base
+  sapi::lenval_core
+)
+
+# sandboxed_api/examples/stringop/lib:stringop-sapi
+add_sapi_library(stringop-sapi
+  SOURCES sandbox.h
+  FUNCTIONS duplicate_string
+            reverse_string
+            pb_duplicate_string
+            pb_reverse_string
+            nop
+            violate
+  INPUTS stringop.cc
+  LIBRARY sapi_stringop
+  LIBRARY_NAME Stringop
+  NAMESPACE ""
+)
+add_library(sapi::stringop_sapi ALIAS stringop-sapi)
+target_link_libraries(stringop-sapi PRIVATE
+  $<TARGET_OBJECTS:sapi_stringop_params_proto>
+  sapi::base
+)
--- a/sandboxed_api/examples/stringop/lib/stringop.cc
+++ b/sandboxed_api/examples/stringop/lib/stringop.cc
@ -13,6 +13,7 @@
 // limitations under the License.

 #include <sys/ptrace.h>
+
 #include <algorithm>
 #include <iostream>

--- a/sandboxed_api/examples/sum/CMakeLists.txt
+++ b/sandboxed_api/examples/sum/CMakeLists.txt
@ -0,0 +1,32 @@
+# Copyright 2019 Google LLC. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_subdirectory(lib)
+
+# sandboxed_api/examples/sum:main_sum
+add_executable(sapi_main_sum
+  main_sum.cc
+)
+add_executable(sapi::main_sum ALIAS sapi_main_sum)
+target_link_libraries(sapi_main_sum PRIVATE
+  absl::memory
+  absl::strings
+  glog::glog
+  sapi::base
+  sapi::flags
+  sapi::sapi
+  sapi::status
+  sapi::sum_sapi
+  sapi::vars
+)
--- a/sandboxed_api/examples/sum/lib/CMakeLists.txt
+++ b/sandboxed_api/examples/sum/lib/CMakeLists.txt
@ -0,0 +1,70 @@
+# Copyright 2019 Google LLC. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# sandboxed_api/examples/sum/lib:sum_params_proto
+protobuf_generate_cpp(_sapi_sum_params_pb_cc _sapi_sum_params_pb_h
+  sum_params.proto
+)
+# Object library to avoid having to use -Wl,--whole-archive. This simulates
+# Bazel's alwayslink=1.
+add_library(sapi_sum_params_proto OBJECT
+  ${_sapi_sum_params_pb_cc}
+  ${_sapi_sum_params_pb_h}
+)
+add_library(sapi::sum_params_proto ALIAS sapi_sum_params_proto)
+target_link_libraries(sapi_sum_params_proto PRIVATE
+  protobuf::libprotobuf
+  sapi::base
+)
+
+# sandboxed_api/examples/sum/lib:sum
+add_library(sapi_sum STATIC
+  sum.c
+  sum_cpp.cc
+)
+add_library(sapi::sum ALIAS sapi_sum)
+target_link_libraries(sapi_sum PRIVATE
+  $<TARGET_OBJECTS:sapi_sum_params_proto>
+  glog::glog
+  sapi::base
+)
+
+# sandboxed_api/examples/sum/lib:sum-sapi
+add_sapi_library(sum-sapi
+  SOURCES sandbox.h
+  FUNCTIONS sum
+            sums
+            addf
+            sub
+            mul
+            divs
+            muld
+            crash
+            violate
+            sumarr
+            testptr
+            read_int
+            sleep_for_sec
+            sumproto
+  INPUTS sum.c
+         sum_cpp.cc
+  LIBRARY sapi_sum
+  LIBRARY_NAME Sum
+  NAMESPACE ""
+)
+add_library(sapi::sum_sapi ALIAS sum-sapi)
+target_link_libraries(sum-sapi PRIVATE
+  $<TARGET_OBJECTS:sapi_sum_params_proto>
+  sapi::base
+)
--- a/sandboxed_api/examples/sum/lib/sandbox.h
+++ b/sandboxed_api/examples/sum/lib/sandbox.h
@ -36,13 +36,15 @@ class SumSapiSandbox : public SumSandbox {
        .AllowExit()
        .AllowStat()
        .AllowTime()
+        .AllowGetIDs()
+        .AllowGetPIDs()
        .AllowSyscalls({
+            __NR_tgkill,
            __NR_recvmsg,
            __NR_sendmsg,
            __NR_lseek,
            __NR_nanosleep,
            __NR_futex,
-            __NR_gettid,
            __NR_close,
        })
        .AddFile("/etc/localtime")