Treat libunwind sandbox as a ~regular sandboxee
This removes the dependency on unwind from the forkserver, which should reduce binary size for all custom forkservers (including the SAPI-generated ones). Unwind was only ever used by the global forkserver anyhow. PiperOrigin-RevId: 557921074 Change-Id: Iea4904da0506fee5a00f970538f512cba7b02326
This commit is contained in:
parent
6a64659fac
commit
b258535161
|
@ -256,9 +256,11 @@ cc_binary(
|
|||
copts = sapi_platform_copts(),
|
||||
stamp = 0,
|
||||
deps = [
|
||||
":client",
|
||||
":comms",
|
||||
":forkserver",
|
||||
":sanitizer",
|
||||
"//sandboxed_api/sandbox2/unwind",
|
||||
"//sandboxed_api/util:raw_logging",
|
||||
"@com_google_absl//absl/log:globals",
|
||||
],
|
||||
|
@ -614,7 +616,6 @@ cc_library(
|
|||
":sanitizer",
|
||||
":syscall",
|
||||
":util",
|
||||
"//sandboxed_api/sandbox2/unwind",
|
||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
||||
"//sandboxed_api/util:fileops",
|
||||
"//sandboxed_api/util:raw_logging",
|
||||
|
|
|
@ -219,6 +219,7 @@ target_link_libraries(sandbox2_forkserver_bin PRIVATE
|
|||
sandbox2::comms
|
||||
sandbox2::forkserver
|
||||
sandbox2::sanitizer
|
||||
sandbox2::unwind
|
||||
sandbox2::util
|
||||
sapi::base
|
||||
sapi::raw_logging
|
||||
|
@ -572,7 +573,6 @@ target_link_libraries(sandbox2_forkserver
|
|||
sapi::strerror
|
||||
sandbox2::sanitizer
|
||||
sandbox2::syscall
|
||||
sandbox2::unwind
|
||||
sandbox2::util
|
||||
sapi::base
|
||||
sapi::raw_logging
|
||||
|
|
|
@ -132,9 +132,7 @@ absl::StatusOr<SandboxeeProcess> Executor::StartSubProcess(int32_t clone_flags,
|
|||
//
|
||||
// Otherwise, it's either sandboxing pre- or post-execve with the global
|
||||
// Fork-Server.
|
||||
if (libunwind_sbox_for_pid_ != 0) {
|
||||
request.set_mode(FORKSERVER_FORK_JOIN_SANDBOX_UNWIND);
|
||||
} else if (exec_fd_.get() == -1) {
|
||||
if (exec_fd_.get() == -1) {
|
||||
request.set_mode(FORKSERVER_FORK);
|
||||
} else if (enable_sandboxing_pre_execve_) {
|
||||
request.set_mode(FORKSERVER_FORK_EXECVE_SANDBOX);
|
||||
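Review bot: With the FORKSERVER_FORK_JOIN_SANDBOX_UNWIND branch removed, `libunwind_sbox_for_pid_` is no longer read in this part of Executor::StartSubProcess; if that was its only reader, the member, its setter and any header documentation for it should be removed in the same change so an unused field does not linger in the Executor interface. Only this hunk is visible, so whether other readers remain cannot be confirmed here. StartSubProcess's body continues outside the hunk.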
|
|
|
@ -56,7 +56,6 @@
|
|||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
#include "sandboxed_api/sandbox2/sanitizer.h"
|
||||
#include "sandboxed_api/sandbox2/syscall.h"
|
||||
#include "sandboxed_api/sandbox2/unwind/unwind.h"
|
||||
#include "sandboxed_api/sandbox2/util.h"
|
||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
||||
#include "sandboxed_api/util/fileops.h"
|
||||
|
@ -340,8 +339,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
|||
absl::StrCat("sending pid: ", status.message()).c_str());
|
||||
}
|
||||
|
||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
|
||||
request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
|
||||
// Sandboxing can be enabled either here - just before execve, or somewhere
|
||||
// inside the executed binary (e.g. after basic structures have been
|
||||
// initialized, and resources acquired). In the latter case, it's up to the
|
||||
|
@ -358,13 +356,9 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
|||
// that we can set up the envp after we received the file descriptors but
|
||||
// before we enable the syscall filter.
|
||||
std::vector<int> preserved_fds;
|
||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
|
||||
preserved_fds.push_back(execve_fd);
|
||||
}
|
||||
preserved_fds.push_back(execve_fd);
|
||||
c.PrepareEnvironment(&preserved_fds);
|
||||
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
|
||||
execve_fd = preserved_fds[0];
|
||||
}
|
||||
execve_fd = preserved_fds[0];
|
||||
|
||||
if (client_comms.GetConnectionFD() != Comms::kSandbox2ClientCommsFD) {
|
||||
envs.push_back(absl::StrCat(Comms::kSandbox2CommsFDEnvVar, "=",
|
||||
|
@ -377,12 +371,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
|||
util::CharPtrArray envp = util::CharPtrArray::FromStringVector(envs);
|
||||
|
||||
c.EnableSandbox();
|
||||
if (request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
|
||||
exit(RunLibUnwindAndSymbolizer(&client_comms) ? EXIT_SUCCESS
|
||||
: EXIT_FAILURE);
|
||||
} else {
|
||||
ExecuteProcess(execve_fd, argv.data(), envp.data());
|
||||
}
|
||||
ExecuteProcess(execve_fd, argv.data(), envp.data());
|
||||
}
|
||||
|
||||
if (will_execve) {
|
||||
|
|
|
@ -29,8 +29,7 @@ enum Mode {
|
|||
FORKSERVER_FORK_EXECVE = 2;
|
||||
// Just fork
|
||||
FORKSERVER_FORK = 3;
|
||||
// Special internal case: join a user namespace prior to unwinding
|
||||
FORKSERVER_FORK_JOIN_SANDBOX_UNWIND = 4;
|
||||
reserved 4;
|
||||
}
|
||||
|
||||
enum MonitorType {
|
||||
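Review bot: `reserved 4;` protects the numeric value of the dropped FORKSERVER_FORK_JOIN_SANDBOX_UNWIND but not its name, so a later enumerator could reuse the identifier with different semantics; protobuf allows reserving enum value names as well, e.g. `reserved 4; reserved "FORKSERVER_FORK_JOIN_SANDBOX_UNWIND";`. A one-line comment on the reservation, such as `// 4 was FORKSERVER_FORK_JOIN_SANDBOX_UNWIND, removed.`, would tell readers of the wire format why the gap exists.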
|
|
|
@ -20,9 +20,11 @@
|
|||
#include <cstdlib>
|
||||
|
||||
#include "absl/log/globals.h"
|
||||
#include "sandboxed_api/sandbox2/client.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/forkserver.h"
|
||||
#include "sandboxed_api/sandbox2/sanitizer.h"
|
||||
#include "sandboxed_api/sandbox2/unwind/unwind.h"
|
||||
#include "sandboxed_api/util/raw_logging.h"
|
||||
|
||||
int main() {
|
||||
|
@ -64,9 +66,9 @@ int main() {
|
|||
while (!fork_server.IsTerminated()) {
|
||||
pid_t child_pid = fork_server.ServeRequest();
|
||||
if (child_pid == 0) {
|
||||
// FORKSERVER_FORK sent to the global forkserver. This case does not make
|
||||
// sense, we thus kill the process here.
|
||||
_Exit(0);
|
||||
sandbox2::Client client(&comms);
|
||||
client.SandboxMeHere();
|
||||
exit(sandbox2::RunLibUnwindAndSymbolizer(&comms));
|
||||
}
|
||||
}
|
||||
SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting");
|
||||
|
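Review bot: The exit status on the new `exit(sandbox2::RunLibUnwindAndSymbolizer(&comms));` line is inverted relative to the branch this commit removes from forkserver.cc, which mapped the same call's result with `? EXIT_SUCCESS : EXIT_FAILURE`; if RunLibUnwindAndSymbolizer still returns bool, a successful run now exits with status 1 and a failed one with 0. Unless the parent never inspects this status, keep the mapping: `exit(sandbox2::RunLibUnwindAndSymbolizer(&comms) ? EXIT_SUCCESS : EXIT_FAILURE);`. The replaced code used `_Exit(0)`; since this child is a fork of the forkserver without an execve, `_Exit` after the call would also avoid re-running the parent's atexit handlers and re-flushing its inherited stdio buffers, though the removed forkserver.cc branch used exit() as well. main continues outside the hunk.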
|