Treat libunwind sandbox as a ~regular sandboxee

This removes the dependency on unwind from the forkserver,
which should reduce binary size for all the custom forkservers (also the SAPI generated ones).
Unwind was only ever used by the global forkserver anyhow

PiperOrigin-RevId: 557921074
Change-Id: Iea4904da0506fee5a00f970538f512cba7b02326
Wiktor Garbacz 2023-08-17 13:32:10 -07:00 committed by Copybara-Service
parent 6a64659fac
commit b258535161
6 changed files with 14 additions and 25 deletions


@ -256,9 +256,11 @@ cc_binary(
copts = sapi_platform_copts(), copts = sapi_platform_copts(),
stamp = 0, stamp = 0,
deps = [ deps = [
":client",
":comms", ":comms",
":forkserver", ":forkserver",
":sanitizer", ":sanitizer",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/util:raw_logging", "//sandboxed_api/util:raw_logging",
"@com_google_absl//absl/log:globals", "@com_google_absl//absl/log:globals",
], ],
@ -614,7 +616,6 @@ cc_library(
":sanitizer", ":sanitizer",
":syscall", ":syscall",
":util", ":util",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops", "//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging", "//sandboxed_api/util:raw_logging",


@ -219,6 +219,7 @@ target_link_libraries(sandbox2_forkserver_bin PRIVATE
sandbox2::comms sandbox2::comms
sandbox2::forkserver sandbox2::forkserver
sandbox2::sanitizer sandbox2::sanitizer
sandbox2::unwind
sandbox2::util sandbox2::util
sapi::base sapi::base
sapi::raw_logging sapi::raw_logging
@ -572,7 +573,6 @@ target_link_libraries(sandbox2_forkserver
sapi::strerror sapi::strerror
sandbox2::sanitizer sandbox2::sanitizer
sandbox2::syscall sandbox2::syscall
sandbox2::unwind
sandbox2::util sandbox2::util
sapi::base sapi::base
sapi::raw_logging sapi::raw_logging


@ -132,9 +132,7 @@ absl::StatusOr<SandboxeeProcess> Executor::StartSubProcess(int32_t clone_flags,
// //
// Otherwise, it's either sandboxing pre- or post-execve with the global // Otherwise, it's either sandboxing pre- or post-execve with the global
// Fork-Server. // Fork-Server.
if (libunwind_sbox_for_pid_ != 0) { if (exec_fd_.get() == -1) {
request.set_mode(FORKSERVER_FORK_JOIN_SANDBOX_UNWIND);
} else if (exec_fd_.get() == -1) {
request.set_mode(FORKSERVER_FORK); request.set_mode(FORKSERVER_FORK);
} else if (enable_sandboxing_pre_execve_) { } else if (enable_sandboxing_pre_execve_) {
request.set_mode(FORKSERVER_FORK_EXECVE_SANDBOX); request.set_mode(FORKSERVER_FORK_EXECVE_SANDBOX);
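Review bot: With the `libunwind_sbox_for_pid_ != 0` branch gone, an Executor that still carries a non-zero `libunwind_sbox_for_pid_` is now dispatched as an ordinary `FORKSERVER_FORK` request rather than taking the unwind path or being rejected. executor.h is not among the six changed files, so the member and whatever setter feeds it presumably survive; they should be deleted in the same change, or the remaining branch should treat a non-zero value as a hard error so a stale caller fails loudly. StartSubProcess begins and ends outside the hunk, so I cannot confirm here whether the member is read anywhere else.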


@ -56,7 +56,6 @@
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/sanitizer.h" #include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/syscall.h" #include "sandboxed_api/sandbox2/syscall.h"
#include "sandboxed_api/sandbox2/unwind/unwind.h"
#include "sandboxed_api/sandbox2/util.h" #include "sandboxed_api/sandbox2/util.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/util/fileops.h" #include "sandboxed_api/util/fileops.h"
@ -340,8 +339,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
absl::StrCat("sending pid: ", status.message()).c_str()); absl::StrCat("sending pid: ", status.message()).c_str());
} }
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX || if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) {
request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
// Sandboxing can be enabled either here - just before execve, or somewhere // Sandboxing can be enabled either here - just before execve, or somewhere
// inside the executed binary (e.g. after basic structures have been // inside the executed binary (e.g. after basic structures have been
// initialized, and resources acquired). In the latter case, it's up to the // initialized, and resources acquired). In the latter case, it's up to the
@ -358,13 +356,9 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
// that we can set up the envp after we received the file descriptors but // that we can set up the envp after we received the file descriptors but
// before we enable the syscall filter. // before we enable the syscall filter.
std::vector<int> preserved_fds; std::vector<int> preserved_fds;
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) { preserved_fds.push_back(execve_fd);
preserved_fds.push_back(execve_fd);
}
c.PrepareEnvironment(&preserved_fds); c.PrepareEnvironment(&preserved_fds);
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX) { execve_fd = preserved_fds[0];
execve_fd = preserved_fds[0];
}
if (client_comms.GetConnectionFD() != Comms::kSandbox2ClientCommsFD) { if (client_comms.GetConnectionFD() != Comms::kSandbox2ClientCommsFD) {
envs.push_back(absl::StrCat(Comms::kSandbox2CommsFDEnvVar, "=", envs.push_back(absl::StrCat(Comms::kSandbox2CommsFDEnvVar, "=",
@ -377,12 +371,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
util::CharPtrArray envp = util::CharPtrArray::FromStringVector(envs); util::CharPtrArray envp = util::CharPtrArray::FromStringVector(envs);
c.EnableSandbox(); c.EnableSandbox();
if (request.mode() == FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) { ExecuteProcess(execve_fd, argv.data(), envp.data());
exit(RunLibUnwindAndSymbolizer(&client_comms) ? EXIT_SUCCESS
: EXIT_FAILURE);
} else {
ExecuteProcess(execve_fd, argv.data(), envp.data());
}
} }
if (will_execve) { if (will_execve) {
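Review bot: The now-unconditional pair `preserved_fds.push_back(execve_fd);` / `execve_fd = preserved_fds[0];` around `c.PrepareEnvironment(&preserved_fds)` relies on PrepareEnvironment leaving the fd it was handed at index 0, and the read-back only makes sense if that fd can come back renumbered; now that the mode guards are gone there is nothing left in the code signalling why the value is taken back. A one-line comment above the read-back would help, e.g. `// Re-read execve_fd: PrepareEnvironment may have renumbered the preserved fd (confirm against client.cc).` The same reasoning applies to the single remaining `ExecuteProcess` call at the end of the third hunk, which is now the only exit from the sandboxed branch. LaunchChild starts and ends outside these hunks.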


@ -29,8 +29,7 @@ enum Mode {
FORKSERVER_FORK_EXECVE = 2; FORKSERVER_FORK_EXECVE = 2;
// Just fork // Just fork
FORKSERVER_FORK = 3; FORKSERVER_FORK = 3;
// Special internal case: join a user namespace prior to unwinding reserved 4;
FORKSERVER_FORK_JOIN_SANDBOX_UNWIND = 4;
} }
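Review bot: `reserved 4;` protects the tag number but not the identifier, so a later `FORKSERVER_FORK_JOIN_SANDBOX_UNWIND = N;` would still compile and could be confused with the removed mode by readers and by any tooling that keys on the name. Reserve the name alongside the number: `reserved 4; reserved "FORKSERVER_FORK_JOIN_SANDBOX_UNWIND";`. The old explanatory comment was dropped with the value; a short `// Formerly FORKSERVER_FORK_JOIN_SANDBOX_UNWIND, handled by the global forkserver binary now.` would keep the history readable.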
enum MonitorType { enum MonitorType {


@ -20,9 +20,11 @@
#include <cstdlib> #include <cstdlib>
#include "absl/log/globals.h" #include "absl/log/globals.h"
#include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.h" #include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/sanitizer.h" #include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/unwind/unwind.h"
#include "sandboxed_api/util/raw_logging.h" #include "sandboxed_api/util/raw_logging.h"
int main() { int main() {
@ -64,9 +66,9 @@ int main() {
while (!fork_server.IsTerminated()) { while (!fork_server.IsTerminated()) {
pid_t child_pid = fork_server.ServeRequest(); pid_t child_pid = fork_server.ServeRequest();
if (child_pid == 0) { if (child_pid == 0) {
// FORKSERVER_FORK sent to the global forkserver. This case does not make sandbox2::Client client(&comms);
// sense, we thus kill the process here. client.SandboxMeHere();
_Exit(0); exit(sandbox2::RunLibUnwindAndSymbolizer(&comms));
} }
} }
SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting"); SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting");
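Review bot: `exit(sandbox2::RunLibUnwindAndSymbolizer(&comms));` passes the function's result straight to `exit`, but the code this replaces in forkserver.cc mapped that same result through `? EXIT_SUCCESS : EXIT_FAILURE`, i.e. it is a success flag; unwind.h is not among the changed files, so unless its return type changed elsewhere a successful unwind now exits with status 1 and a failed one with 0. Keep the mapping: `exit(sandbox2::RunLibUnwindAndSymbolizer(&comms) ? EXIT_SUCCESS : EXIT_FAILURE);`. The removed `_Exit(0)` also avoided running atexit handlers in the forked child, while `exit` runs them; if the forkserver registers any, that difference is worth a deliberate choice and a comment. The parent-side consumer of the exit status is outside this hunk, so I cannot confirm here whether anything inspects it.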