StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

PtraceMonitor: Add a hard deadline for waiting for kill to take effect

Browse Source 
PiperOrigin-RevId: 563064233
Change-Id: Id340ba3793b82737f1976638a57df513c3d4136c
This commit is contained in:
Wiktor Garbacz 2023-09-06 04:28:43 -07:00 committed by Copybara-Service
parent 98d7f91b4d
commit f6ec787902
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
sandboxed_api/sandbox2/monitor_ptrace.cc
View File

@ -29,7 +29,9 @@
#include <ctime> #include <ctime>
#include <deque> #include <deque>
#include <fstream> #include <fstream>
#include <ios>
#include <memory> #include <memory>
#include <sstream>
#include <string> #include <string>
#include <utility> #include <utility>
#include <vector> #include <vector>
@ -55,6 +57,7 @@
#include "sandboxed_api/sandbox2/client.h" #include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/notify.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/regs.h" #include "sandboxed_api/sandbox2/regs.h"
#include "sandboxed_api/sandbox2/result.h" #include "sandboxed_api/sandbox2/result.h"
@ -242,6 +245,10 @@ bool PtraceMonitor::KillSandboxee() {
SetExitStatusCode(Result::INTERNAL_ERROR, Result::FAILED_KILL); SetExitStatusCode(Result::INTERNAL_ERROR, Result::FAILED_KILL);
return false; return false;
} }
constexpr absl::Duration kGracefullKillTimeout = absl::Milliseconds(1000);
if (hard_deadline_ == absl::InfiniteFuture()) {
hard_deadline_ = absl::Now() + kGracefullKillTimeout;
}
return true; return true;
} }
@ -315,6 +322,13 @@ void PtraceMonitor::Run() {
// All possible still running children of main process, will be killed due to // All possible still running children of main process, will be killed due to
// PTRACE_O_EXITKILL ptrace() flag. // PTRACE_O_EXITKILL ptrace() flag.
while (result().final_status() == Result::UNSET) { while (result().final_status() == Result::UNSET) {
if (absl::Now() >= hard_deadline_) {
LOG(WARNING) << "Hard deadline exceeded (timed_out=" << timed_out_
<< ", external_kill=" << external_kill_
<< ", network_violation=" << network_violation_ << ").";
SetExitStatusCode(Result::TIMEOUT, 0);
break;
}
int64_t deadline = deadline_millis_.load(std::memory_order_relaxed); int64_t deadline = deadline_millis_.load(std::memory_order_relaxed);
if (deadline != 0 && absl::Now() >= absl::FromUnixMillis(deadline)) { if (deadline != 0 && absl::Now() >= absl::FromUnixMillis(deadline)) {
VLOG(1) << "Sandbox process hit timeout due to the walltime timer"; VLOG(1) << "Sandbox process hit timeout due to the walltime timer";

2
sandboxed_api/sandbox2/monitor_ptrace.h
View File

@ -156,6 +156,8 @@ class PtraceMonitor : public MonitorBase {
// Syscalls that are running, whose result values we want to inspect. // Syscalls that are running, whose result values we want to inspect.
absl::flat_hash_map<pid_t, Syscall> syscalls_in_progress_; absl::flat_hash_map<pid_t, Syscall> syscalls_in_progress_;
sigset_t sset_; sigset_t sset_;
// Deadline after which sandboxee get terminated via PTRACE_O_EXITKILL.
absl::Time hard_deadline_ = absl::InfiniteFuture();
// Monitor thread object. // Monitor thread object.
std::unique_ptr<std::thread> thread_; std::unique_ptr<std::thread> thread_;