Commit Graph

251 Commits

Author SHA1 Message Date
Sandboxed API Team
6332df5ef6 Fix or ignore type errors generated by the next release of pytype.
The next release contains one major change: for function parameter annotations,
pytype will no longer treat (x: X = None) as equivalent to
(x: Optional[X] = None). This pytype behavior was based on an outdated version
of the type-checking spec. Annotations that were relying on the behavior now
need to explicitly declare themselves as Optional.

PiperOrigin-RevId: 297065077
Change-Id: Iade679e5928bb3839485e8b8571945456ba6e982
2020-02-25 01:15:54 -08:00
bielec
5a4e3f3d29 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 296206385
Change-Id: I53b23122abece1fe318ed4c6a7e37bf3228c8f5f
2020-02-20 07:45:44 -08:00
Christian Blichmann
5d81c822d8 Automated rollback of commit e56f562fe2.
PiperOrigin-RevId: 296178631
Change-Id: I0f871aeecd70e9d2f99c7d52d94c6043a1668325
2020-02-20 04:26:37 -08:00
Maciej Szawłowski
fc514451e0 Internal BUILD changes
PiperOrigin-RevId: 296174640
Change-Id: I94c8e36d76d6cbb2b9d65f35d8700018b62d3db1
2020-02-20 04:26:23 -08:00
Sandboxed API Team
e56f562fe2 Automated rollback of commit 4eede550e7.
PiperOrigin-RevId: 295946052
Change-Id: Ie8c23fe8eec99ab52245ae7f482f1e6b99ec010e
2020-02-19 05:19:15 -08:00
Christian Blichmann
4eede550e7 Prepare for upcoming changes in Abseil
- Move canonical errors into status.

PiperOrigin-RevId: 295941935
Change-Id: I9408d21b6d34239b0ef3f3cd24975f39f1405505
2020-02-19 04:43:29 -08:00
Christian Blichmann
d578b18c22 Modernize the transaction API
PiperOrigin-RevId: 295712938
Change-Id: Iaf4c9668bb0b48555679fef822fe424277540d1f
2020-02-18 05:27:38 -08:00
Wiktor Garbacz
5b1119aa6d Internal change
PiperOrigin-RevId: 295579669
Change-Id: I2488a87a78cf76f0d4ddf73d115e443bd801e420
2020-02-17 06:54:52 -08:00
Sandboxed API Team
05280287e0 Automated rollback of commit 800339d672.
PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
2020-02-17 10:39:08 +01:00
bielec
800339d672 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 294640297
Change-Id: I4c6520685a658f8b7762af238588830f71b3f54a
2020-02-17 10:38:44 +01:00
Wiktor Garbacz
f1ce6fcb87 Internal change
PiperOrigin-RevId: 292529030
Change-Id: Ie6b315d9edd5f253386474be4afff1a59e24a91e
2020-01-31 05:39:25 -08:00
Sandboxed API Team
daa1c7a64e Allow sandboxee to read from /proc when sanitizers are allowed.
Sanitizers read from /proc. For example:
69445f095c/lib/sanitizer_common/sanitizer_linux.cpp (L1101)

PiperOrigin-RevId: 292363903
Change-Id: Icc383ededcad363b4e96f5551f140f012b07b495
2020-01-30 09:30:42 -08:00
Sandboxed API Team
b9c866410d Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326427
Change-Id: Iebd745bf0c6b0b14e090462a9df44ebd7d374c7d
2020-01-30 05:07:40 -08:00
Sandboxed API Team
54cd192442 Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326369
Change-Id: I47cb8416b198872c96921207e257745451285680
2020-01-30 05:06:55 -08:00
Wiktor Garbacz
539d1cac34 Replace if (!cond) { LOG(FATAL, msg) } with CHECK(cond, msg)
PiperOrigin-RevId: 291916344
Change-Id: Ib522a3f202b20bf8f1ab4ca5774952d4b8f43e91
2020-01-28 05:59:33 -08:00
Wiktor Garbacz
d88c9f7598 Log mount flags in human readable format
PiperOrigin-RevId: 291690800
Change-Id: I6c4acdad93aeed29616d1ea44f797dad6fc7f277
2020-01-27 03:19:56 -08:00
Wiktor Garbacz
d74215d30d Properly test read-only mounts
PiperOrigin-RevId: 291337704
Change-Id: I806d0d09051ab205813d6626ea70e9e57a28a7a5
2020-01-24 02:38:11 -08:00
Wiktor Garbacz
e3d638466d Internal change
PiperOrigin-RevId: 290621061
Change-Id: I4b575ac65a9c225453552db74416eed45f1f4ebd
2020-01-20 08:35:24 -08:00
Wiktor Garbacz
bd22a18f87 Internal change
PiperOrigin-RevId: 290586117
Change-Id: I637ca27121ef541d48a717903496cab256214a0a
2020-01-20 02:55:04 -08:00
Christian Blichmann
441201884a Update license header with recommended best practices
PiperOrigin-RevId: 290250533
Change-Id: Ic34b253446463cf971a055b70a242df93a598ee3
2020-01-17 05:05:29 -08:00
Wiktor Garbacz
96d9ce90e5 Properly set mount flags
PiperOrigin-RevId: 290052082
Change-Id: I35222d25a24c3d641a998b2734b90bd178759df6
2020-01-16 06:05:11 -08:00
Wiktor Garbacz
c2bd47e978 Change mount propagation to private
PiperOrigin-RevId: 289639932
Change-Id: Iac976134d5f43dcdfe895446d7caab463cc70d1a
2020-01-14 06:32:23 -08:00
Christian Blichmann
18776b6f16 Refactor syscall definitions to rely less on macros
PiperOrigin-RevId: 288478535
Change-Id: I56bf8b8817f31d60db4726b2847f8400215b7b8c
2020-01-07 05:27:21 -08:00
Sandboxed API Team
3e442b252c Allow stack trace collection when namespaces are disabled, if sandbox_libunwind_crash_handler==false.
PiperOrigin-RevId: 288267119
Change-Id: I5fce1b28521d3d685186717f153f20fb498c94e2
2020-01-06 02:34:03 -08:00
Sandboxed API Team
aea1ecd58d Improve diagnostics when dynamically linked binary is sandboxed, but can't be exec'd.
PiperOrigin-RevId: 286391400
Change-Id: I016deb34eb895480131da24bc95a6244d92f3710
2019-12-19 07:48:32 -08:00
Wiktor Garbacz
e969deea33 Global deadline for ptrace attach instead of per process
PiperOrigin-RevId: 286196033
Change-Id: Ic456b881c18518c4b52ca051fa5c58590794da17
2019-12-18 08:23:55 -08:00
Wiktor Garbacz
7125458c5d forkserver: Remove order dependent tests
Sending -1 as fd will fail and take forkserver down.
This should not happen normally so turned it into a check.

PiperOrigin-RevId: 285391908
Change-Id: Idbb05004c36cb0be57be1bd26df1c57cecfb0019
2019-12-13 06:59:01 -08:00
Sandboxed API Team
4608a7baea Explicitly export files needed by other packages
PiperOrigin-RevId: 283942197
Change-Id: If1287d2544b2161e3087fb7f5f5395f69a2eb741
2019-12-05 03:33:32 -08:00
Christian Blichmann
072636f67e Force build in C++17 mode without a custom CROSSTOOL
PiperOrigin-RevId: 283706006
Change-Id: I0b6ddd36725ccf165a446ae94a16898146199d29
2019-12-04 01:03:21 -08:00
Wiktor Garbacz
ece90e0bda Fix resource leak
Resulted in a lot of zombie processes.

PiperOrigin-RevId: 283545337
Change-Id: Ia6b2fd24fc6fc0eed4a7aa415e264618739e8234
2019-12-03 07:59:18 -08:00
Wiktor Garbacz
035965060a Create initial namespaces on demand
PiperOrigin-RevId: 283321826
Change-Id: I746ce726b834273fd8a8e0de36b311c46e42d57a
2019-12-02 05:31:42 -08:00
Sandboxed API Team
44443779bc Internal change
PiperOrigin-RevId: 282945153
Change-Id: I26d4a9d21574fad2751708fe4bb9b38ecdd8131f
2019-11-28 08:07:00 -08:00
Christian Blichmann
02912f8eff Disable ABI warning about passing long double unions when using Bazel
PiperOrigin-RevId: 282349626
Change-Id: Ieb3df661f215450e750c586b2470047b1575c156
2019-11-25 07:03:24 -08:00
Christian Blichmann
5c38f62ba7 Fix unused warning for IsFdOpen()
PiperOrigin-RevId: 282346983
Change-Id: I7010caf0e6f3ddb420ef992f6aa2554d540667a3
2019-11-25 06:44:14 -08:00
Christian Blichmann
4f892864c8 Update dependencies to newer version
- Same upstream dependency versions for CMake and Bazel
- Use maybe() from build_defs to conditionally define Bazel repositories

PiperOrigin-RevId: 282331418
Change-Id: I8a7db84a1d3115f3c1f31cc1dfcc8c29fe391a62
2019-11-25 04:32:01 -08:00
Kevin Hamacher
3cbd871454 Allow sandboxee c-strings to be read as std::string
PiperOrigin-RevId: 281960106
Change-Id: I54256dda2b6b0374d0f2ce3f762370478b912683
2019-11-22 07:00:03 -08:00
Kevin Hamacher
a193cb4ed7 sandboxed_api: Expose strlen in the rpc channel
PiperOrigin-RevId: 281958333
Change-Id: If15d7d5b915fec3c5521ef53ee44c58d7482d1bc
2019-11-22 06:44:31 -08:00
Christian Blichmann
d9d45bcfe5 Fix generator not finding libclang
PiperOrigin-RevId: 281745276
Change-Id: I8c55b142a72265f577d6d1e3b673890529428c21
2019-11-21 07:33:03 -08:00
Christian Blichmann
d47c066112 Enable sapi_test target in CMake, add Benchmark dependency
PiperOrigin-RevId: 281719298
Change-Id: Idd2570fff4907c81cdab1070bd1f3e41e29c76f6
2019-11-21 04:04:14 -08:00
Christian Blichmann
6dd97f5073 Move dependency on libdl into build defs, like CMake
PiperOrigin-RevId: 281699435
Change-Id: Iced13e98578b2c36a1eeac71fd02a6d7ed87a8fb
2019-11-21 01:36:34 -08:00
Christian Blichmann
ae2954f598 Build in C++17 mode.
Practically all current compilers fully support C++17 by now, with the exception of `filesystem` (which we won't use).

PiperOrigin-RevId: 281494879
Change-Id: Ia0ef650ede4e5907e4a6421b8ad11743c8bae88f
2019-11-20 04:40:09 -08:00
Wiktor Garbacz
8a7d0d1cb3 Use a nested userns&mntns to pre-pivot_root
This addresses a latency issue - chroot_fs_refs called inside pivot_root
in the kernel can take several milliseconds on machines with many threads
running.
This might not always reduce latency for custom forkservers, as additional
fork can be more costly than pivot_root.

PiperOrigin-RevId: 281306284
Change-Id: If503ac76a70e5438e94caf708d79cb0219c66def
2019-11-19 09:02:28 -08:00
Wiktor Garbacz
1673ade4e4 Remount chroot as read-only
PiperOrigin-RevId: 280394655
Change-Id: I1490b7dfbbca3d91f5efb4dd5800397c9da57da8
2019-11-14 03:51:26 -08:00
Wiktor Garbacz
a1b291d44a Fix mount entries listing for tmpfs
PiperOrigin-RevId: 276447076
Change-Id: Ia5873e34327c281e5c9fb66f5f58a0dd49ba10b0
2019-10-24 02:37:54 -07:00
Sandboxed API Team
282f2d65e7 Fix a file descriptor leak in sandbox2::Executor.
PiperOrigin-RevId: 276294193
Change-Id: I9def39a41704db9948735c259e435ccfc71bacc5
2019-10-23 09:52:07 -07:00
Kevin Hamacher
4da8f68aa8 Rework stacktrace mounttree logic
The previous one was not quite correct in cases where the outside binary path
did not match the inside path. This should be fixed with this.

PiperOrigin-RevId: 276075886
Change-Id: I1c7c4fa0191960437a2d2360b805c7098b1407c9
2019-10-22 09:05:33 -07:00
Christian Blichmann
254abe04fe Use unified diff for zlib patch
PiperOrigin-RevId: 276075544
Change-Id: Icf06e360a400834e7304c2bde34954dbc71f135f
2019-10-22 09:04:29 -07:00
Wiktor Garbacz
a7cfbb92a6 Remove uneeded read-only remount
Caused failures if root is mounted as nodev, nosuid etc.
Root is pivoted and unmounted right after this anyhow.

PiperOrigin-RevId: 273707731
Change-Id: I75f1edaf2877c096e4f5bb7dc1b2bb8eb5c437a3
2019-10-09 02:47:38 -07:00
Kristj?n J?nsson
78824353d1 Make PolicyBuilder a value class.
This makes the class more ergonomic because
* You don't have to heap allocate the builder.
* You can create a policy builder "template" and re-use it across sandboxes to avoid repetitive work.

PiperOrigin-RevId: 273555679
Change-Id: I4084ee9c74f95ebfde873eb0dc021b3b3cdc5ea2
2019-10-08 10:45:45 -07:00
Sandboxed API Team
9931593fdc Corrects typo in link
PiperOrigin-RevId: 273248066
Change-Id: I37682d1b82fbe0b0e06d43dfe511da0d6aaa8c5a
2019-10-07 02:36:35 -07:00
Christian Blichmann
c6b8e301e4 This fixes broken _proto_cc_cc_proto build target suffixes.
These where inadvertently introduced in an internal cleanup change.

This change also removes a C++17-ism in var_proto.h. To make things easier for
downstream projects, we should stick to C++11 for the time being.

PiperOrigin-RevId: 271117700
Change-Id: I4eaacec88be16e1a561d3f77a61acce0a1af0b9d
2019-09-25 07:13:58 -07:00
Sandboxed API Team
ce46cb3fef internal BUILD file cleanup.
PiperOrigin-RevId: 270906748
Change-Id: I6a79c2f84a1d8a9fcb91061caa5f9e538fa83cba
2019-09-24 08:12:21 -07:00
Kevin Hamacher
1cf9bf8ab6 Internal change
PiperOrigin-RevId: 270878802
Change-Id: I4c946fdb5f566909eaead35a3050a99ab9047553
2019-09-24 04:50:18 -07:00
Kevin Hamacher
c337ea117e Return descriptive string if stack-traces are disabled
PiperOrigin-RevId: 270876245
Change-Id: I899a4628541712a212aa24d3a01d48d9b070c734
2019-09-24 04:27:09 -07:00
Kevin Hamacher
51d1a0e8ba Rollback of an internal change
PiperOrigin-RevId: 270874732
Change-Id: I69538a0a37ba008a41220fe9d77b3e59f8d06610
2019-09-24 04:11:52 -07:00
Sandboxed API Team
6131774256 internal BUILD file cleanup
PiperOrigin-RevId: 270833113
Change-Id: Ie8b2ab2486b7ca224f37d5fc3a07674d15e1b458
2019-09-23 22:24:27 -07:00
Sandboxed API Team
b390354794 internal BUILD file cleanup
PiperOrigin-RevId: 270833110
Change-Id: Ifc075bd59cf9e25d0c4ecc165592906f05875ee8
2019-09-23 22:23:57 -07:00
Sandboxed API Team
cee4ac35ae Internal BUILD file cleanup
PiperOrigin-RevId: 270672739
Change-Id: I752113fc1fa5fa3f1585b918c89ca68c058db098
2019-09-23 07:33:08 -07:00
Sandboxed API Team
a6285716f1 Internal cleanup
PiperOrigin-RevId: 270653397
Change-Id: I495a30cffdfa932da045ebed626bf97f1cb68bb2
2019-09-23 05:14:00 -07:00
Sandboxed API Team
ad2521a1e8 Internal cleanup
PiperOrigin-RevId: 270631972
Change-Id: Ifd8db261bd5380fd14357a283fb9fd67c7d25fa0
2019-09-23 02:31:54 -07:00
Wiktor Garbacz
d43d09c746 fail soft if sandboxee exits before init is ptraced
PiperOrigin-RevId: 270254470
Change-Id: Ifa13f4fe0e7ae91b79fc689e1d7dcb2a49b09cde
2019-09-20 06:13:44 -07:00
Sandboxed API Team
0aec7a511b Don't try to parse "[vsyscall]" as an ELF image.
PiperOrigin-RevId: 269811752
Change-Id: I2118badab9b5392eae7bfd36583384a33ab8a7d5
2019-09-18 08:32:11 -07:00
Wiktor Garbacz
846717def1 Fix coverage for network and network_proxy tests
PiperOrigin-RevId: 269314101
Change-Id: I65f15261a22f8f5b6250396e41d76ef40a90ef94
2019-09-16 05:43:06 -07:00
Christian Blichmann
0aa7183502 Refactor the tests and strings example a bit
PiperOrigin-RevId: 268865491
Change-Id: Ie16e5f17e2eb22e25821c34edf0068cb81bcc2fe
2019-09-13 02:28:42 -07:00
Wiktor Garbacz
d6ca9d9564 Use proper return code for static_sandbox example
Also bump FSIZE limit to make it less likely to fail.

PiperOrigin-RevId: 268857718
Change-Id: I955ed4a10d8a49585ae330ab668a0bd891bb6ed6
2019-09-13 01:22:36 -07:00
Wiktor Garbacz
2e22b13b39 Enable namespaces by default
PiperOrigin-RevId: 268417712
Change-Id: I496d76e8a90665627b9be2bb5f9872a5df1c84e4
2019-09-11 02:39:49 -07:00
Christian Blichmann
4034f1235e Revert accidental deletion of the sandbox image
PiperOrigin-RevId: 267141212
Change-Id: I1aa0edf6f3ebeb19975fdead241e91927e7679f7
2019-09-04 06:33:29 -07:00
Christian Blichmann
ea1a934d51 Migrate Sandboxed API docs to developer.google.com/sandboxed-api
This change removes the in-tree documentation in favor of the one hosted on
the Google's Developer site. This makes it easier to maintain for the
sandbox team, as there is now only a single source of truth for both internal
and external documentation.

If you find errors/bugs in the documentation, please file regular GitHub
issues.

PiperOrigin-RevId: 267132623
Change-Id: I4c950fcef77da0b361cb35b99aa2f187efe6f320
2019-09-04 05:22:03 -07:00
Wiktor Garbacz
daa3defac0 Internal change
PiperOrigin-RevId: 266889781
Change-Id: Ibea87a7bb5fafb50ae3d09f7b0df876beecaf087
2019-09-04 05:21:47 -07:00
Wiktor Garbacz
da3c6c138e Fail in monitor if init process pid not received
PiperOrigin-RevId: 266886637
Change-Id: I4e896ebda8d9e15d0aefcb4139c8dc07ab938502
2019-09-03 02:37:09 -07:00
Sandboxed API Team
84702e6c97 No public change.
PiperOrigin-RevId: 265663675
Change-Id: I6ffcf796a13cddaea4f8b8a0ca20b92cc8e316a7
2019-08-27 05:36:35 -07:00
Christian Blichmann
2dd7d27952 Fix unused variable warning in monitor
PiperOrigin-RevId: 265439933
Change-Id: Idc62e0e1640bd2b866bd1a6f3c60370ae1b70592
2019-08-26 06:03:03 -07:00
Christian Blichmann
276b7efc92 Internal change.
PiperOrigin-RevId: 265057217
Change-Id: Id00c867b373dbe8c9112c23ef4b0300ed3ca9e5b
2019-08-23 08:08:51 -07:00
Christian Blichmann
d91879f752 Ensure compatibility with CMake 3.10
This fixes some CMake-3.12+-isms, like `list(JOIN ...)` and setting link
properties on OBJECT libraries.

PiperOrigin-RevId: 265033725
Change-Id: I0ee1ec0e1b1097ea8226ad6fdeff794a97c2881b
2019-08-23 05:08:55 -07:00
Christian Blichmann
df83f19d49 Fix broken include in client.cc
PiperOrigin-RevId: 261864188
Change-Id: I247455085764373d9a004d85fbfe37cadf7ed6eb
2019-08-06 01:36:12 -07:00
Sandboxed API Team
35d9d0c60a Internal change.
PiperOrigin-RevId: 261197411
Change-Id: Ic3c388af3f807bc039ad137267e17dc9fc666c84
2019-08-01 14:26:07 -07:00
Christian Blichmann
b7cbc36071 Follow-up to 3c51348 fixing linker issues with gflags and glog
The temporary solution for binaries/tests that fully statically linked is to
link against `gflags` using `-Wl,--whole-archive`. This will no longer be
necessary, once Abseil ships with logging. Then we can (finally) use Abseil
flags and use a logging library that does not depend on a different flags
library.

PiperOrigin-RevId: 260705702
Change-Id: I8562faaff59f9c3e0e1d331186d2806d387438fb
2019-07-30 06:48:38 -07:00
Christian Blichmann
1be24d945c Improve formatting of the generated code
PiperOrigin-RevId: 260142999
Change-Id: Id170e212012c7e10e3525d031d620a01f90fb388
2019-07-26 07:47:02 -07:00
Christian Blichmann
3c51348aaf Enable CMake projects to consume Sandboxed API via add_subdirectory()
This change moves away from a classical superbuild which downloads and builds
at build time. Instead, we now follow a "Fetch Content" workflow (available as
FetchContent in CMake 3.11+) and download dependencies at config time.

Rationale: Superbuild projects have the disadvantage that projects cannot
directly access their individual declared targets. This is not a problem with
regular libraries, as those are usually/supposed to be installed. With
Sandboxed API, this is not desirable, as it has dependencies like Abseil and
glog, which are almost always consumed by including their source tree using
add_subdirectory().

Fixes #10 and makes external embedding easier.

PiperOrigin-RevId: 260129870
Change-Id: I70f295f29a6e4fc8c330512c94b01ef10c017166
2019-07-26 05:51:08 -07:00
Christian Blichmann
db0ebe3650 Support empty package names in filewrapper tool
PiperOrigin-RevId: 259943587
Change-Id: I14d95dcd7d839903ebd12f4032e05e29bca17204
2019-07-25 07:36:57 -07:00
Christian Blichmann
1b93745d00 Honor SAPI_ENABLE_TESTS in examples
PiperOrigin-RevId: 259927061
Change-Id: I7ae2156630c60e54ba0d9933d03816d750db31f3
2019-07-25 05:11:58 -07:00
bielec
ef7592cfdd Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
PiperOrigin-RevId: 259512665
Change-Id: I2747c7548ab24c7d2c90abb303fd783c11fed6f4
2019-07-23 04:41:08 -07:00
Sandboxed API Team
ae9836e6bf Add dependencies on @com_google_absl//absl/base:log_severity
to targets including "absl/base/log_severity.h"

PiperOrigin-RevId: 259483071
Change-Id: Ide51ea54ca18ce466be863c1e7755098618801c0
2019-07-23 00:31:55 -07:00
Wiktor Garbacz
2300141bdb Require namespaces to be disabled explicitly
PiperOrigin-RevId: 258730797
Change-Id: I5a1df23c5176a3cecd5a343483500550f27adf44
2019-07-18 02:18:26 -07:00
Wiktor Garbacz
691104c851 Extract RunInitProcess and SendPid/RecvPid
Also properly check status of send and use one-byte messages
to avoid issues with partial send, receive.

PiperOrigin-RevId: 258362495
Change-Id: I889b4699c100c80d15b129bf3a254f5442405bc2
2019-07-16 07:23:17 -07:00
Wiktor Garbacz
2349325e2b Move root chdir to namespace setup
PiperOrigin-RevId: 258361265
Change-Id: Ifa065559e36606afa7111ef6d8e2d5d621b57426
2019-07-16 07:13:17 -07:00
Sandboxed API Team
418ad07086 Initialize std::atomic_flag members
PiperOrigin-RevId: 258309720
Change-Id: Id9cb6ee627c0aea11bbbabfcab10731e2235e534
2019-07-15 23:59:24 -07:00
Wiktor Garbacz
8a4e665cba Remove redundant process setup
PR_SET_PDEATHSIG is already issued for init process in SanitizeCurrentProcess
Same for setsid

PiperOrigin-RevId: 258142844
Change-Id: Iad9e94bd402d576c1b24caab0b03efc50e2df07e
2019-07-15 05:36:27 -07:00
Wiktor Garbacz
9f36bd80d2 Fix double EnableNamespaces
PiperOrigin-RevId: 258142629
Change-Id: Ied76490e51278371fd51e117053599cce52991f1
2019-07-15 05:34:31 -07:00
Christian Blichmann
6d33c1f908 Add CMake options to exclude examples and tests from build
PiperOrigin-RevId: 258136393
Change-Id: Ifb2d7a24f93cd1d2782b4e4d6ac2c34a0d1c2bff
2019-07-15 04:42:58 -07:00
Christian Blichmann
99ac7fa60d Refactor CMake files
* Move add_sapi_library() into a build defs file
* Override protobuf_generate_cpp() instead of naming it sapi_protobuf_generate_cpp()
* Factor out inclusion/find_package() calls of external dependencies

PiperOrigin-RevId: 258133422
Change-Id: Ibdbab0c735157eac0ed6122ab78f9d583c6905cc
2019-07-15 04:13:15 -07:00
Christian Blichmann
b219661be0 Add basic CMake support for SAPI, build examples
* Implement add_sapi_library() similar to the Bazel rule
* Fix SuperBuild so that glog properly depends on gflags (needed for --logtostderr)
* Raise minimum required version of CMake to 3.10 (Ubuntu 18.04 LTS)
* Update sum sandbox policy to allow to get IDs and PIDs

PiperOrigin-RevId: 258124160
Change-Id: I64c2f8b27a3e842874adca9100bfce20a2b74f17
2019-07-15 02:53:43 -07:00
Christian Blichmann
686c6d254f Fix documentation link to zlib example
PiperOrigin-RevId: 257793227
Change-Id: I9c43c3814d75c5b79affd4854212eec07dc14f77
2019-07-12 06:38:49 -07:00
Christian Blichmann
ab35eb49af Make embedding the sandbox code the default
PiperOrigin-RevId: 257778382
Change-Id: Ib6dc472355092c08b905e42978efe7f47703c128
2019-07-12 04:07:11 -07:00
Christian Blichmann
6b24025860 CMake targets for SAPI, add find_package() support for libffi
This change adds CMake targets for the actual Sandboxed API library. On its
own, this is not very useful, as there is no CMake equivalent to the
sapi_library() rule, yet. This will be worked on next.

PiperOrigin-RevId: 257177362
Change-Id: Ic06c945ab534b27306021d970a83691aae2e7e60
2019-07-09 06:13:08 -07:00
Wiktor Garbacz
d170bc3c80 Deflake namespace_test
When fetching exit status only lower 8-bits will be read.
Thus if getpid()&0xff == 0 the test can fail.

PiperOrigin-RevId: 257163766
Change-Id: I690c645fde33d1205578fd8873c5fc2974352ada
2019-07-09 04:11:07 -07:00
Christian Blichmann
6d06df1b86 Break out executor into its own build target
PiperOrigin-RevId: 257147090
Change-Id: I34c5e86ca68f865fdae42e4077c52c6168672c06
2019-07-09 01:53:56 -07:00
Christian Blichmann
747ccb57e8 Rename stack-trace{.h,.cc,._test.cc} to use underscores
PiperOrigin-RevId: 257144753
Change-Id: I4ce0dffad552c25b61102adfb1c03b8aea427dd9
2019-07-09 01:32:25 -07:00
Christian Blichmann
2da6dad120 Internal change
PiperOrigin-RevId: 257141595
Change-Id: Ic34799290fa88be62ecba38f8f60200a1e55f065
2019-07-09 01:32:09 -07:00
Christian Blichmann
c7f7666d9d Do not leak macro definitions in stack-trace.h
Since we use glog, we need to still rely on gFlags for as long as Abseil
logging is not yet released. To do this, we have the util/flag.h header in
SAPI, faking the newer style API of Abseil's flags library.
The rationale behind this is that glog includes/builds with gflags for
command line flag parsing and having more than one flag parsing library
active at the same time is asking for trouble.

PiperOrigin-RevId: 256982667
Change-Id: I9c5406cb9ef4458daebfec0b0713f9bddbf5c3ad
2019-07-08 08:25:17 -07:00