StarMirror
/
sandboxed-api
mirror of https://github.com/google/sandboxed-api
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Treat libunwind sandbox as a ~regular sandboxee 

This removes dependency on unwind from forkserver,
which should reduce binary size for all the custom forkservers (also the SAPI generated ones).
Unwind was only ever used by the global forkserver anyhow

PiperOrigin-RevId: 557921074
Change-Id: Iea4904da0506fee5a00f970538f512cba7b02326
pull/171/head
Wiktor Garbacz 2023-08-17 13:32:10 -07:00 committed by Copybara-Service
parent 6a64659fac
commit b258535161
6 changed files with 14 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sandboxed_api/sandbox2/BUILD.bazel
View File

@ -256,9 +256,11 @@ cc_binary(
copts = sapi_platform_copts(),
stamp = 0,
deps = [
":client",
":comms",
":forkserver",
":sanitizer",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/util:raw_logging",
"@com_google_absl//absl/log:globals",
],
@ -614,7 +616,6 @@ cc_library(
":sanitizer",
":syscall",
":util",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging",

2
sandboxed_api/sandbox2/CMakeLists.txt
View File

@ -219,6 +219,7 @@ target_link_libraries(sandbox2_forkserver_bin PRIVATE
sandbox2::comms
sandbox2::forkserver
sandbox2::sanitizer
sandbox2::unwind
sandbox2::util
sapi::base
sapi::raw_logging
@ -572,7 +573,6 @@ target_link_libraries(sandbox2_forkserver
sapi::strerror
sandbox2::sanitizer
sandbox2::syscall
sandbox2::unwind
sandbox2::util
sapi::base
sapi::raw_logging

4
sandboxed_api/sandbox2/executor.cc
View File

@ -132,9 +132,7 @@ absl::StatusOr<SandboxeeProcess> Executor::StartSubProcess(int32_t clone_flags,
//
// Otherwise, it's either sandboxing pre- or post-execve with the global
// Fork-Server.
if (libunwind_sbox_for_pid_ != 0) {
request.set_mode(FORKSERVER_FORK_JOIN_SANDBOX_UNWIND);
} else if (exec_fd_.get() == -1) {
if (exec_fd_.get() == -1) {
request.set_mode(FORKSERVER_FORK);
} else if (enable_sandboxing_pre_execve_) {
request.set_mode(FORKSERVER_FORK_EXECVE_SANDBOX);

19
sandboxed_api/sandbox2/forkserver.cc
View File

@ -56,7 +56,6 @@
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/syscall.h"
#include "sandboxed_api/sandbox2/unwind/unwind.h"
#include "sandboxed_api/sandbox2/util.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/util/fileops.h"
@ -340,8 +339,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
absl::StrCat("sending pid: ", status.message()).c_str());
}
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
// Sandboxing can be enabled either here - just before execve, or somewhere
// inside the executed binary (e.g. after basic structures have been
// initialized, and resources acquired). In the latter case, it's up to the
@ -358,13 +356,9 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
// that we can set up the envp after we received the file descriptors but
// before we enable the syscall filter.
std::vector<int> preserved_fds;
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
preserved_fds.push_back(execve_fd);
}
preserved_fds.push_back(execve_fd);
c.PrepareEnvironment(&preserved_fds);
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
execve_fd = preserved_fds[0];
}
execve_fd = preserved_fds[0];
if (client_comms.GetConnectionFD() != Comms::kSandbox2ClientCommsFD) {
envs.push_back(absl::StrCat(Comms::kSandbox2CommsFDEnvVar, "=",
@ -377,12 +371,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
util::CharPtrArray envp = util::CharPtrArray::FromStringVector(envs);
c.EnableSandbox();
if (request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
exit(RunLibUnwindAndSymbolizer(&client_comms) ? EXIT_SUCCESS
: EXIT_FAILURE);
} else {
ExecuteProcess(execve_fd, argv.data(), envp.data());
}
ExecuteProcess(execve_fd, argv.data(), envp.data());
}
if (will_execve) {

3
sandboxed_api/sandbox2/forkserver.proto
View File

@ -29,8 +29,7 @@ enum Mode {
FORKSERVER_FORK_EXECVE = 2;
// Just fork
FORKSERVER_FORK = 3;
// Special internal case: join a user namespace prior to unwinding
FORKSERVER_FORK_JOIN_SANDBOX_UNWIND = 4;
reserved 4;
}
enum MonitorType {

8
sandboxed_api/sandbox2/forkserver_bin.cc
View File

@ -20,9 +20,11 @@
#include <cstdlib>
#include "absl/log/globals.h"
#include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/unwind/unwind.h"
#include "sandboxed_api/util/raw_logging.h"
int main() {
@ -64,9 +66,9 @@ int main() {
while (!fork_server.IsTerminated()) {
pid_t child_pid = fork_server.ServeRequest();
if (child_pid == 0) {
// FORKSERVER_FORK sent to the global forkserver. This case does not make
// sense, we thus kill the process here.
_Exit(0);
sandbox2::Client client(&comms);
client.SandboxMeHere();
exit(sandbox2::RunLibUnwindAndSymbolizer(&comms));
}
}
SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting");