Use SyscallTrap in NetworkProxy
PiperOrigin-RevId: 491891500 Change-Id: I2e70dbc44aa264247c217ca88a4de1c0867383fdpull/171/head
parent
5bf9b1aef0
commit
bd5769d40a
|
@ -43,11 +43,10 @@ cc_library(
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
deps = [
|
deps = [
|
||||||
"//sandboxed_api:config",
|
|
||||||
"//sandboxed_api/sandbox2:comms",
|
"//sandboxed_api/sandbox2:comms",
|
||||||
|
"//sandboxed_api/sandbox2/util:syscall_trap",
|
||||||
"//sandboxed_api/util:status",
|
"//sandboxed_api/util:status",
|
||||||
"@com_google_absl//absl/log",
|
"@com_google_absl//absl/log",
|
||||||
"@com_google_absl//absl/log:check",
|
|
||||||
"@com_google_absl//absl/status",
|
"@com_google_absl//absl/status",
|
||||||
"@com_google_absl//absl/synchronization",
|
"@com_google_absl//absl/synchronization",
|
||||||
],
|
],
|
||||||
|
|
|
@ -49,12 +49,11 @@ add_library(sandbox2_network_proxy_client ${SAPI_LIB_TYPE}
|
||||||
)
|
)
|
||||||
add_library(sandbox2::network_proxy_client ALIAS sandbox2_network_proxy_client)
|
add_library(sandbox2::network_proxy_client ALIAS sandbox2_network_proxy_client)
|
||||||
target_link_libraries(sandbox2_network_proxy_client PRIVATE
|
target_link_libraries(sandbox2_network_proxy_client PRIVATE
|
||||||
absl::check
|
|
||||||
absl::strings
|
absl::strings
|
||||||
absl::synchronization
|
absl::synchronization
|
||||||
absl::log
|
absl::log
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
sapi::config
|
sandbox2::syscall_trap
|
||||||
sapi::strerror
|
sapi::strerror
|
||||||
sapi::base
|
sapi::base
|
||||||
sapi::status
|
sapi::status
|
||||||
|
|
|
@ -18,50 +18,18 @@
|
||||||
#include <linux/seccomp.h>
|
#include <linux/seccomp.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <syscall.h>
|
#include <syscall.h>
|
||||||
#include <ucontext.h>
|
|
||||||
|
|
||||||
#include <cerrno>
|
#include <cerrno>
|
||||||
#include <iostream>
|
#include <iostream>
|
||||||
#include <memory>
|
#include <memory>
|
||||||
|
|
||||||
#include "absl/log/check.h"
|
|
||||||
#include "absl/log/log.h"
|
#include "absl/log/log.h"
|
||||||
#include "absl/status/status.h"
|
#include "absl/status/status.h"
|
||||||
#include "sandboxed_api/config.h"
|
#include "sandboxed_api/sandbox2/util/syscall_trap.h"
|
||||||
#include "sandboxed_api/util/status_macros.h"
|
#include "sandboxed_api/util/status_macros.h"
|
||||||
|
|
||||||
namespace sandbox2 {
|
namespace sandbox2 {
|
||||||
|
|
||||||
#ifndef SYS_SECCOMP
|
|
||||||
constexpr int SYS_SECCOMP = 1;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(SAPI_X86_64)
|
|
||||||
constexpr int kRegResult = REG_RAX;
|
|
||||||
constexpr int kRegSyscall = REG_RAX;
|
|
||||||
constexpr int kRegArg0 = REG_RDI;
|
|
||||||
constexpr int kRegArg1 = REG_RSI;
|
|
||||||
constexpr int kRegArg2 = REG_RDX;
|
|
||||||
#elif defined(SAPI_PPC64_LE)
|
|
||||||
constexpr int kRegResult = 3;
|
|
||||||
constexpr int kRegSyscall = 0;
|
|
||||||
constexpr int kRegArg0 = 3;
|
|
||||||
constexpr int kRegArg1 = 4;
|
|
||||||
constexpr int kRegArg2 = 5;
|
|
||||||
#elif defined(SAPI_ARM64)
|
|
||||||
constexpr int kRegResult = 0;
|
|
||||||
constexpr int kRegSyscall = 8;
|
|
||||||
constexpr int kRegArg0 = 0;
|
|
||||||
constexpr int kRegArg1 = 1;
|
|
||||||
constexpr int kRegArg2 = 2;
|
|
||||||
#elif defined(SAPI_ARM)
|
|
||||||
constexpr int kRegResult = 0;
|
|
||||||
constexpr int kRegSyscall = 8;
|
|
||||||
constexpr int kRegArg0 = 0;
|
|
||||||
constexpr int kRegArg1 = 1;
|
|
||||||
constexpr int kRegArg2 = 2;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
int NetworkProxyClient::ConnectHandler(int sockfd, const struct sockaddr* addr,
|
int NetworkProxyClient::ConnectHandler(int sockfd, const struct sockaddr* addr,
|
||||||
socklen_t addrlen) {
|
socklen_t addrlen) {
|
||||||
absl::Status status = Connect(sockfd, addr, addrlen);
|
absl::Status status = Connect(sockfd, addr, addrlen);
|
||||||
|
@ -124,104 +92,52 @@ absl::Status NetworkProxyClient::ReceiveRemoteResult() {
|
||||||
return absl::OkStatus();
|
return absl::OkStatus();
|
||||||
}
|
}
|
||||||
|
|
||||||
namespace {
|
NetworkProxyClient* NetworkProxyHandler::network_proxy_client_ = nullptr;
|
||||||
|
|
||||||
static NetworkProxyHandler* g_network_proxy_handler = nullptr;
|
|
||||||
|
|
||||||
void SignalHandler(int nr, siginfo_t* info, void* void_context) {
|
|
||||||
g_network_proxy_handler->ProcessSeccompTrap(nr, info, void_context);
|
|
||||||
}
|
|
||||||
|
|
||||||
} // namespace
|
|
||||||
|
|
||||||
absl::Status NetworkProxyHandler::InstallNetworkProxyHandler(
|
absl::Status NetworkProxyHandler::InstallNetworkProxyHandler(
|
||||||
NetworkProxyClient* npc) {
|
NetworkProxyClient* npc) {
|
||||||
if (g_network_proxy_handler) {
|
if (network_proxy_client_ != nullptr) {
|
||||||
return absl::AlreadyExistsError(
|
return absl::AlreadyExistsError(
|
||||||
"Network proxy handler is already installed");
|
"Network proxy handler is already installed");
|
||||||
}
|
}
|
||||||
g_network_proxy_handler = new NetworkProxyHandler(npc);
|
network_proxy_client_ = npc;
|
||||||
|
if (!SyscallTrap::Install([](int nr, SyscallTrap::Args args, uintptr_t* rv) {
|
||||||
|
return ProcessSeccompTrap(nr, args, rv);
|
||||||
|
})) {
|
||||||
|
return absl::InternalError("Could not install syscall trap");
|
||||||
|
}
|
||||||
return absl::OkStatus();
|
return absl::OkStatus();
|
||||||
}
|
}
|
||||||
|
|
||||||
void NetworkProxyHandler::InvokeOldAct(int nr, siginfo_t* info,
|
bool NetworkProxyHandler::ProcessSeccompTrap(int nr, SyscallTrap::Args args,
|
||||||
void* void_context) {
|
uintptr_t* rv) {
|
||||||
if (oldact_.sa_flags & SA_SIGINFO) {
|
|
||||||
if (oldact_.sa_sigaction) {
|
|
||||||
oldact_.sa_sigaction(nr, info, void_context);
|
|
||||||
}
|
|
||||||
} else if (oldact_.sa_handler == SIG_IGN) {
|
|
||||||
return;
|
|
||||||
} else if (oldact_.sa_handler == SIG_DFL) {
|
|
||||||
sigaction(SIGSYS, &oldact_, nullptr);
|
|
||||||
raise(SIGSYS);
|
|
||||||
} else if (oldact_.sa_handler) {
|
|
||||||
oldact_.sa_handler(nr);
|
|
||||||
}
|
|
||||||
} // namespace sandbox2
|
|
||||||
|
|
||||||
void NetworkProxyHandler::ProcessSeccompTrap(int nr, siginfo_t* info,
|
|
||||||
void* void_context) {
|
|
||||||
if (info->si_code != SYS_SECCOMP) {
|
|
||||||
InvokeOldAct(nr, info, void_context);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
auto* ctx = static_cast<ucontext_t*>(void_context);
|
|
||||||
if (!ctx) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
#if defined(SAPI_X86_64)
|
|
||||||
auto* registers = ctx->uc_mcontext.gregs;
|
|
||||||
#elif defined(SAPI_PPC64_LE)
|
|
||||||
auto* registers = ctx->uc_mcontext.gp_regs;
|
|
||||||
#elif defined(SAPI_ARM64)
|
|
||||||
auto* registers = ctx->uc_mcontext.regs;
|
|
||||||
#elif defined(SAPI_ARM)
|
|
||||||
auto* registers = &ctx->uc_mcontext.arm_r0;
|
|
||||||
#endif
|
|
||||||
int syscall = registers[kRegSyscall];
|
|
||||||
|
|
||||||
int sockfd;
|
int sockfd;
|
||||||
const struct sockaddr* addr;
|
const struct sockaddr* addr;
|
||||||
socklen_t addrlen;
|
socklen_t addrlen;
|
||||||
|
|
||||||
if (syscall == __NR_connect) {
|
if (nr == __NR_connect) {
|
||||||
sockfd = static_cast<int>(registers[kRegArg0]);
|
sockfd = static_cast<int>(args[0]);
|
||||||
addr = reinterpret_cast<const struct sockaddr*>(registers[kRegArg1]);
|
addr = reinterpret_cast<const struct sockaddr*>(args[1]);
|
||||||
addrlen = static_cast<socklen_t>(registers[kRegArg2]);
|
addrlen = static_cast<socklen_t>(args[2]);
|
||||||
#if defined(SAPI_PPC64_LE)
|
#if defined(SAPI_PPC64_LE)
|
||||||
} else if (syscall == __NR_socketcall &&
|
} else if (nr == __NR_socketcall &&
|
||||||
static_cast<int>(registers[kRegArg0]) == SYS_CONNECT) {
|
static_cast<int>(args[0]) == SYS_CONNECT) {
|
||||||
auto* connect_args = reinterpret_cast<uint64_t*>(registers[kRegArg1]);
|
auto* connect_args = reinterpret_cast<uint64_t*>(args[1]);
|
||||||
sockfd = static_cast<int>(connect_args[0]);
|
sockfd = static_cast<int>(connect_args[0]);
|
||||||
addr = reinterpret_cast<const struct sockaddr*>(connect_args[1]);
|
addr = reinterpret_cast<const struct sockaddr*>(connect_args[1]);
|
||||||
addrlen = static_cast<socklen_t>(connect_args[2]);
|
addrlen = static_cast<socklen_t>(connect_args[2]);
|
||||||
#endif
|
#endif
|
||||||
} else {
|
} else {
|
||||||
InvokeOldAct(nr, info, void_context);
|
return false;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
absl::Status result = network_proxy_client_->Connect(sockfd, addr, addrlen);
|
absl::Status result = network_proxy_client_->Connect(sockfd, addr, addrlen);
|
||||||
if (result.ok()) {
|
if (result.ok()) {
|
||||||
registers[kRegResult] = 0;
|
*rv = 0;
|
||||||
} else {
|
} else {
|
||||||
registers[kRegResult] = -errno;
|
*rv = -errno;
|
||||||
}
|
}
|
||||||
}
|
return true;
|
||||||
|
|
||||||
void NetworkProxyHandler::InstallSeccompTrap() {
|
|
||||||
sigset_t mask;
|
|
||||||
sigemptyset(&mask);
|
|
||||||
sigaddset(&mask, SIGSYS);
|
|
||||||
|
|
||||||
struct sigaction act = {};
|
|
||||||
act.sa_sigaction = &SignalHandler;
|
|
||||||
act.sa_flags = SA_SIGINFO;
|
|
||||||
|
|
||||||
CHECK_EQ(sigaction(SIGSYS, &act, &oldact_), 0);
|
|
||||||
CHECK_EQ(sigprocmask(SIG_UNBLOCK, &mask, nullptr), 0);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
} // namespace sandbox2
|
} // namespace sandbox2
|
||||||
|
|
|
@ -16,11 +16,11 @@
|
||||||
#define SANDBOXED_API_SANDBOX2_NETWORK_PROXY_CLIENT_H_
|
#define SANDBOXED_API_SANDBOX2_NETWORK_PROXY_CLIENT_H_
|
||||||
|
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <signal.h>
|
|
||||||
|
|
||||||
#include "absl/status/status.h"
|
#include "absl/status/status.h"
|
||||||
#include "absl/synchronization/mutex.h"
|
#include "absl/synchronization/mutex.h"
|
||||||
#include "sandboxed_api/sandbox2/comms.h"
|
#include "sandboxed_api/sandbox2/comms.h"
|
||||||
|
#include "sandboxed_api/sandbox2/util/syscall_trap.h"
|
||||||
|
|
||||||
namespace sandbox2 {
|
namespace sandbox2 {
|
||||||
|
|
||||||
|
@ -57,17 +57,9 @@ class NetworkProxyHandler {
|
||||||
// if this connection is allowed and sends the connected socket to us.
|
// if this connection is allowed and sends the connected socket to us.
|
||||||
static absl::Status InstallNetworkProxyHandler(NetworkProxyClient* npc);
|
static absl::Status InstallNetworkProxyHandler(NetworkProxyClient* npc);
|
||||||
|
|
||||||
void ProcessSeccompTrap(int nr, siginfo_t* info, void* void_context);
|
static bool ProcessSeccompTrap(int nr, SyscallTrap::Args args, uintptr_t* rv);
|
||||||
|
|
||||||
private:
|
static NetworkProxyClient* network_proxy_client_;
|
||||||
NetworkProxyHandler(NetworkProxyClient* npc) : network_proxy_client_(npc) {
|
|
||||||
InstallSeccompTrap();
|
|
||||||
}
|
|
||||||
void InvokeOldAct(int nr, siginfo_t* info, void* void_context);
|
|
||||||
void InstallSeccompTrap();
|
|
||||||
|
|
||||||
struct sigaction oldact_;
|
|
||||||
NetworkProxyClient* network_proxy_client_;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace sandbox2
|
} // namespace sandbox2
|
||||||
|
|
Loading…
Reference in New Issue