diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index eb172df..798deb3 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -256,9 +256,11 @@ cc_binary(
 copts = sapi_platform_copts(),
 stamp = 0,
 deps = [
+ ":client",
 ":comms",
 ":forkserver",
 ":sanitizer",
+ "//sandboxed_api/sandbox2/unwind",
 "//sandboxed_api/util:raw_logging",
 "@com_google_absl//absl/log:globals",
 ],
@@ -614,7 +616,6 @@ cc_library(
 ":sanitizer",
 ":syscall",
 ":util",
- "//sandboxed_api/sandbox2/unwind",
 "//sandboxed_api/sandbox2/util:bpf_helper",
 "//sandboxed_api/util:fileops",
 "//sandboxed_api/util:raw_logging",
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index 57cd0a2..d7e932f 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -219,6 +219,7 @@ target_link_libraries(sandbox2_forkserver_bin PRIVATE
 sandbox2::comms
 sandbox2::forkserver
 sandbox2::sanitizer
+ sandbox2::unwind
 sandbox2::util
 sapi::base
 sapi::raw_logging
@@ -572,7 +573,6 @@ target_link_libraries(sandbox2_forkserver
 sapi::strerror
 sandbox2::sanitizer
 sandbox2::syscall
- sandbox2::unwind
 sandbox2::util
 sapi::base
 sapi::raw_logging
diff --git a/sandboxed_api/sandbox2/executor.cc b/sandboxed_api/sandbox2/executor.cc
index 278d628..97d8d8a 100644
--- a/sandboxed_api/sandbox2/executor.cc
+++ b/sandboxed_api/sandbox2/executor.cc
@@ -132,9 +132,7 @@ absl::StatusOr Executor::StartSubProcess(int32_t clone_flags,
 //
 // Otherwise, it's either sandboxing pre- or post-execve with the global
 // Fork-Server.
- if (libunwind_sbox_for_pid_ != 0) {
- request.set_mode(FORKSERVER_FORK_JOIN_SANDBOX_UNWIND);
- } else if (exec_fd_.get() == -1) {
+ if (exec_fd_.get() == -1) {
 request.set_mode(FORKSERVER_FORK);
 } else if (enable_sandboxing_pre_execve_) {
 request.set_mode(FORKSERVER_FORK_EXECVE_SANDBOX);
diff --git a/sandboxed_api/sandbox2/forkserver.cc b/sandboxed_api/sandbox2/forkserver.cc index 6d54cf3..7505d38 100644 --- a/sandboxed_api/sandbox2/forkserver.cc +++ b/sandboxed_api/sandbox2/forkserver.cc @@ -56,7 +56,6 @@ #include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/sanitizer.h" #include "sandboxed_api/sandbox2/syscall.h" -#include "sandboxed_api/sandbox2/unwind/unwind.h" #include "sandboxed_api/sandbox2/util.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/util/fileops.h" @@ -340,8 +339,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd, absl::StrCat("sending pid: ", status.message()).c_str()); } - if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX || - request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) { + if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) { // Sandboxing can be enabled either here - just before execve, or somewhere // inside the executed binary (e.g. after basic structures have been // initialized, and resources acquired). In the latter case, it's up to the @@ -358,13 +356,9 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd, // that we can set up the envp after we received the file descriptors but // before we enable the syscall filter. std::vector preserved_fds; - if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) { - preserved_fds.push_back(execve_fd); - } + preserved_fds.push_back(execve_fd); c.PrepareEnvironment(&preserved_fds); - if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) { - execve_fd = preserved_fds[0]; - } + execve_fd = preserved_fds[0]; if (client_comms.GetConnectionFD() != Comms::kSandbox2ClientCommsFD) { envs.push_back(absl::StrCat(Comms::kSandbox2CommsFDEnvVar, "=", 
@@ -377,12 +371,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd, util::CharPtrArray envp = util::CharPtrArray::FromStringVector(envs); c.EnableSandbox(); - if (request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) { - exit(RunLibUnwindAndSymbolizer(&client_comms) ? EXIT_SUCCESS - : EXIT_FAILURE); - } else { - ExecuteProcess(execve_fd, argv.data(), envp.data()); - } + ExecuteProcess(execve_fd, argv.data(), envp.data()); } if (will_execve) { diff --git a/sandboxed_api/sandbox2/forkserver.proto b/sandboxed_api/sandbox2/forkserver.proto index 1c35242..3caffe3 100644 --- a/sandboxed_api/sandbox2/forkserver.proto +++ b/sandboxed_api/sandbox2/forkserver.proto @@ -29,8 +29,7 @@ enum Mode { FORKSERVER_FORK_EXECVE = 2; // Just fork FORKSERVER_FORK = 3; - // Special internal case: join a user namespace prior to unwinding - FORKSERVER_FORK_JOIN_SANDBOX_UNWIND = 4; + reserved 4; } enum MonitorType { diff --git a/sandboxed_api/sandbox2/forkserver_bin.cc b/sandboxed_api/sandbox2/forkserver_bin.cc index 7967937..edb9bb3 100644 --- a/sandboxed_api/sandbox2/forkserver_bin.cc +++ b/sandboxed_api/sandbox2/forkserver_bin.cc @@ -20,9 +20,11 @@ #include #include "absl/log/globals.h" +#include "sandboxed_api/sandbox2/client.h" #include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/forkserver.h" #include "sandboxed_api/sandbox2/sanitizer.h" +#include "sandboxed_api/sandbox2/unwind/unwind.h" #include "sandboxed_api/util/raw_logging.h" int main() { @@ -64,9 +66,9 @@ int main() { while (!fork_server.IsTerminated()) { pid_t child_pid = fork_server.ServeRequest(); if (child_pid == 0) { - // FORKSERVER_FORK sent to the global forkserver. This case does not make - // sense, we thus kill the process here. - _Exit(0); + sandbox2::Client client(&comms); + client.SandboxMeHere(); + exit(sandbox2::RunLibUnwindAndSymbolizer(&comms)); } } SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting");
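Review bot: In `enum Mode`, `reserved 4;` stops the number from being reused, but the name `FORKSERVER_FORK_JOIN_SANDBOX_UNWIND` is left unreserved and the comment that explained the value is gone with it. Adding `reserved "FORKSERVER_FORK_JOIN_SANDBOX_UNWIND";` next to it would keep a later change from reintroducing the name with a different meaning. A one-line comment such as `// 4 was FORKSERVER_FORK_JOIN_SANDBOX_UNWIND; the unwinder is now started from the forkserver binary.` would tell a reader why the gap exists.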
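Review bot: In the `child_pid == 0` branch of `main()`, the result of `sandbox2::RunLibUnwindAndSymbolizer(&comms)` is passed straight to `exit()`, whereas the call removed from forkserver.cc mapped it with `? EXIT_SUCCESS : EXIT_FAILURE`. Unless the function's return type changed in a file not shown in this diff, a successful unwind now exits with status 1 and a failed one with status 0. Restoring the mapping, `exit(sandbox2::RunLibUnwindAndSymbolizer(&comms) ? EXIT_SUCCESS : EXIT_FAILURE);`, keeps the status meaningful to whoever waits on the child. The deleted comment is also not replaced; a line such as `// A plain FORKSERVER_FORK on the global forkserver is only used to start the sandboxed unwinder.` would record why every such child is sandboxed and never returns to the serve loop. `main()` starts and ends outside this hunk.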