Commit Graph

1307 Commits

Author SHA1 Message Date
Oliver Kunz
eaa175c8d2 Sandbox2: Remove file sealing for in-memory files.
The `CreateMemFd` function sets the `MFD_ALLOW_SEALING` flag which enables seals to be set and creating an empty file seal.

PiperOrigin-RevId: 550850108
Change-Id: I1a84b7b14cc9396144048bbeb8995f2f7eca9fb7
2023-07-25 05:04:52 -07:00
Oliver Kunz
04ed89906b Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers.
In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy.

The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers.

PiperOrigin-RevId: 550845188
Change-Id: I151d467848983b00b71ec8447d662394fa7176db
2023-07-25 04:38:43 -07:00
Wiktor Garbacz
9d1d4b7fd3 Disallow AddPolicyForSyscalls with an empty list
PiperOrigin-RevId: 549887306
Change-Id: I05a97b39a2c92ad5ab2002c7af7e83a8184392cf
2023-07-21 02:24:44 -07:00
Wiktor Garbacz
e86462db77 Remove redundant buffer test
It tested Comms rather than different Buffer functionality.

PiperOrigin-RevId: 549880115
Change-Id: I095464540fa21cc4b3bee1d87e1e046807b6f18c
2023-07-21 01:53:54 -07:00
Wiktor Garbacz
7683f6995b Do not use GIT in FetchContent_Declare
This causes whole repo (with history) to be fetched.
Protobuf repo is especially big (>200MiB).

PiperOrigin-RevId: 549285765
Change-Id: Ifb5e3a549a014adb51e6e5eef41e72abf0149558
2023-07-19 05:20:28 -07:00
Wiktor Garbacz
25f27ef935 Allow replacing a read-only node with writable for same target
PiperOrigin-RevId: 548942347
Change-Id: I4b22740ca27772831afcddb69d515c84aca04c51
2023-07-18 02:45:13 -07:00
Chris Kennelly
4ba75ea0a2 Allow TCMalloc users access to the possible cpus list.
This is to facilitate online/offline core counting for an accurate count of the
maximum CPU ID that may be seen.

PiperOrigin-RevId: 548715133
Change-Id: I159c0d51b9800fa633172986ba4f8eca352ae336
2023-07-17 09:31:22 -07:00
Wiktor Garbacz
f0e85cea13 Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced
Use the new interface in AllowRestartableSequences.

PiperOrigin-RevId: 548619728
Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f
2023-07-17 01:58:46 -07:00
Sandboxed API Team
39026f7678 Internal Code Change
PiperOrigin-RevId: 548043988
Change-Id: Iba4a828eeb53205f28dae85fc179cee21b104632
2023-07-14 00:30:56 -07:00
Sandboxed API Team
a3fa7d27d5 Internal Code Change
PiperOrigin-RevId: 547689091
Change-Id: I76ddcaefcc50f8ce706d59dae99877ca6f28544d
2023-07-12 22:13:27 -07:00
Sandboxed API Team
619030326c Internal Code Change
PiperOrigin-RevId: 547420866
Change-Id: I7b80e96531a234281a323c03903b922704019135
2023-07-12 01:09:40 -07:00
Oliver Kunz
5dd7584e55 Propagate compatible_with through sapi_library.
If a sandboxing target sets a `compatible_with` constraint, the current sapi.bzl doesn't propagate this to the subsequent target generations.

We implement the forwarding similarly to the `visibility` attribute.

PiperOrigin-RevId: 546838438
Change-Id: I8a0b2623ee3aa91ffe7e6f4b001177c03806f532
2023-07-10 05:07:23 -07:00
Sandboxed API Team
a94b17d821 Use Protobuf's AbslStringify to stringify protos.
Protobuf DebugString APIs will be deprecated.

PiperOrigin-RevId: 543355252
Change-Id: Ieea97e87fc592c023cb2f965be3926f52192ffe4
2023-06-26 00:33:33 -07:00
Christian Blichmann
64ac98bf4d Sandbox2: Remove commented out include
PiperOrigin-RevId: 542784635
Change-Id: Ie763ff5606e2241b2a5e3f89d57ed8d3e1c1ee63
2023-06-23 00:46:59 -07:00
Oliver Kunz
0463298780 Sandbox2: Improve logging of syscall information.
- If --sandbox2_danger_danger_permit_all_and_log is set, we write to a logfile (passed via the flag).

- If --sandbox2_danger_danger_permit_all is set, we do not write any log information.

This change introduces a means to also see the syscall information on stderr by passing --v=1 and --alsologtostderr.

PiperOrigin-RevId: 542232271
Change-Id: Ie4d30f0d8e25bb1de7c60bb37736b27b89406336
2023-06-21 06:11:57 -07:00
Sandboxed API Team
cf43c0f02c Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc
PiperOrigin-RevId: 540905937
Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db
2023-06-16 09:34:07 -07:00
Kevin Hamacher
93c1423b15 sandbox2: Provide sandboxee rusage when using unotify monitor
PiperOrigin-RevId: 540841898
Change-Id: Icc635e107c138ac67e2b948eadbbcb4234f6c7f8
2023-06-16 04:37:18 -07:00
Kevin Hamacher
66aeb6e59d Error out if invalid custom forkserver path is specified
PiperOrigin-RevId: 540526350
Change-Id: Id7f4ea9290074c15c700c27c2d252b9f54a282bd
2023-06-15 03:17:02 -07:00
Christian Blichmann
04cb14791e Clang tool: Enable incremental pre-processing
This avoids doing extra work when processing multiple input files.

PiperOrigin-RevId: 539884025
Change-Id: I8e48495f33c09bc53e70f4d5c1d730fe7c1202b2
2023-06-13 01:04:38 -07:00
Christian Blichmann
f2048d028f Clang tool: Force-undefine feature preprocessor defines
To avoid code that is being parsed to include the intrinsics headers, undefine
a few key preprocessor defines.

PiperOrigin-RevId: 539878995
Change-Id: I8afb7cbdadcab3214c943c0acb9006e8bcc30611
2023-06-13 00:38:05 -07:00
Wiktor Garbacz
654668fc4e stack_trace: avoid copying /proc/{pid}/exe if possible
The executable might not be inside the mount tree.

PiperOrigin-RevId: 539564862
Change-Id: I94e748608a36c8e9203ffe4b6de443e026e4546a
2023-06-12 00:14:40 -07:00
Christian Blichmann
045ace8dcb Update Google dependencies
- Abseil
- Protobuf
- Benchmark
- Googletest

In turn, some code changes were necessary:
- Use absolute imports in `sapi_generator.py` when invoked by Bazel
- Add Abseil's source dir as include dir in generated proto `.cc` files
- Bazel: Use `@rules_proto` for `proto_library` and use native `cc_proto_library`

Drive-by:
- Update year in `README.md`
- Look for clang versions 16, 15, 14, and 13 as well in `code.py`
PiperOrigin-RevId: 539032012
Change-Id: Ib9cd1d7fb38409d884eb45e1fa08927f6af83a21
2023-06-09 03:22:00 -07:00
Christian Blichmann
4034fd6240 GitHub Actions: Add workflow to auto-create a pre-release on push
This also uploads the clang tool based header generator as an asset.

PiperOrigin-RevId: 538781230
Change-Id: I50d0e22af1f3bab1e461ae2dd2b64a3e479ce7d1
2023-06-08 07:39:48 -07:00
Christian Blichmann
67d5f1b23f GitHub Actions: Upload artifact for header generator
A follow-up can then upload to a draft release.

PiperOrigin-RevId: 538718585
Change-Id: Ic6dccce6d2127a685b52e465d0e651dbfdef2cb8
2023-06-08 01:38:22 -07:00
Christian Blichmann
b0547f3506 GitHub workflows: Migrate to turtlesec-no/get-ninja
This does not depend on the deprecated Node.js v12.

PiperOrigin-RevId: 538672875
Change-Id: Ie26e3adfc67626d53ad5a3d12d48099efd4fe827
2023-06-07 21:00:53 -07:00
Christian Blichmann
72452e1582 Mostly internal change: Optimize OSS transforms
This should only affect the Bazel `BUILD.bazel` files and their formatting.

PiperOrigin-RevId: 538426054
Change-Id: I0162726d3fb4bcb4d7938cddc6f39e0d9f2b4a3d
2023-06-07 02:23:18 -07:00
Wiktor Garbacz
6cd83d68de Fix deadlock in forkserver if setting ns fails
Also make sure we don't kill everything (with a `kill(-1, SIGKILL)`) if reading the pid fails.

PiperOrigin-RevId: 536371566
Change-Id: I17f6ae36b73ec43735709ff16d276abaebb00d44
2023-05-30 05:49:40 -07:00
Christian Blichmann
1c7dfdac12 Bazel: Remove obsolete WORKSPACE dependencies
PiperOrigin-RevId: 536368855
Change-Id: Ied2eb8bdaebb9d780691563198799ae240146d73
2023-05-30 05:34:47 -07:00
Wiktor Garbacz
7ba0a794d1 Fix check for init process
PiperOrigin-RevId: 532473530
Change-Id: Ia5f84073e372a63f70425d0fa68ac178019e80be
2023-05-16 08:51:15 -07:00
Christian Blichmann
340ca4f37a GitHub Worklows: Update OS/compiler matrix, deprecate GCC 6 and 7
To fix Python related errors, explicitly install `libclang1-dev` and `clang`
PIP packages that match.

PiperOrigin-RevId: 532411402
Change-Id: I448a5db4e7d802b7929d93844827906f4e4413de
2023-05-16 04:23:32 -07:00
Christian Blichmann
cc8b5fb4fc GitHub Workflows: Prefix worklow names with OS name
This makes workflows easier to distingiush in the GitHub UI.

PiperOrigin-RevId: 532407546
Change-Id: I827c6f4750cd0fcbd0e670e06703cd3ffd46b59d
2023-05-16 04:06:15 -07:00
Christian Blichmann
434de99233 GitHub Workflows: Update to actions/checkout@v3
This avoids Node.js deprecation warnings during the build.

PiperOrigin-RevId: 532406855
Change-Id: I0577051565432ed885034ac70e09be58777537cd
2023-05-16 04:03:53 -07:00
Christian Blichmann
1bf9437f95 Add GitHub workflow to build Clang tool based header generator
Drive-by:
- Add flags to link libgcc and libstdc++ statically into the binary, making it
  "mostly static"
PiperOrigin-RevId: 532349354
Change-Id: I0a86eb29b6a40aec4cec3cffeaf9511726ee4dc8
2023-05-15 23:45:57 -07:00
Sandboxed API Team
70e3d9f560 ...remove deprecated SetWallTimeLimit variant.
PiperOrigin-RevId: 531477563
Change-Id: I84ca9823ae5f7a0002049ac69b42527872a7ce66
2023-05-12 05:22:52 -07:00
Christian Blichmann
b6cc0ce80d CMake: Make the path to the Clang tool configurable
Set `SAPI_CLANG_TOOL_EXECUTABLE` to specify the location of a pre-built Clang
tool based header generator.

PiperOrigin-RevId: 531425738
Change-Id: I723d19122cc738d9906c8c568d156d44c58d9746
2023-05-12 00:29:55 -07:00
Christian Blichmann
4925df5419 CMake: Add option to link the Clang libraries statically into the header generator
Tested on Debian 10.13 with `LLVM-{11,12,13,14,15,16,17}` packages from https://apt.llvm.org/.

PiperOrigin-RevId: 531211601
Change-Id: I91babb5d85be2a22a4b17d757a5f626de6c03881
2023-05-11 08:36:11 -07:00
Christian Blichmann
9299156727 CMake: Use toolchain info for system includes
CMake already provides `CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES`, so there's
no need to invoke the compiler to determine system include directories.

For the Clang tool based header generator, adding the includes from the
current toolchain is strictly more correct than having it try and figure them
out itself (which will favor files from any installed libc++ and/or Clang).

PiperOrigin-RevId: 531207747
Change-Id: Icfcf7b495a0a5782c21a665984d9039d365db898
2023-05-11 08:20:16 -07:00
Christian Blichmann
a078043f8e CMake: Increase minimum required LLVM version to 11
LLVM 11 is now preseent in all major stable Linux distributions.

PiperOrigin-RevId: 531204137
Change-Id: I6f20aea425915023ea6113c17ff5a038a74aa919
2023-05-11 08:04:59 -07:00
Christian Blichmann
bfa0186f72 CMake: Rename option to enable the Clang tool based header generator
`SAPI_ENABLE_GENERATOR` => `SAPI_ENABLE_CLANG_TOOL`

This prepares further changes in this area.

PiperOrigin-RevId: 531201213
Change-Id: I56bd450e6ed2dd1dbbf45db2825a75c56d277037
2023-05-11 07:52:50 -07:00
Christian Blichmann
4ec1c6be64 CMake: Update policy settings to 3.26
This avoids a warning in newer CMake versions. For `CMP0083`, we still need to
explicitly select `NEW` behavior. `check_pie_supported()` will error if it is
unset even on later CMake versions.

PiperOrigin-RevId: 531200735
Change-Id: Icb17a00cac087bd6888f8a9b9f8dd837358a6090
2023-05-11 07:50:52 -07:00
Wiktor Garbacz
9b307fc204 Remove leftover stack_trace sources from sandbox2 target
PiperOrigin-RevId: 531168602
Change-Id: Ib9c0942e5ba9cf0d577f88a6091245ca02d5674e
2023-05-11 04:59:29 -07:00
Wiktor Garbacz
5b12071ba0 Remove WaitForSanitizers from ptrace monitor & add to global forkserver
This makes should ensure global forkserver will be single threaded before forking the sandboxees as it does not go through WaitAndFork.

Waiting for sanitizers is not needed in the monitor and should reduce latency
by 1 second for all sanitizer builds. Currently it'll always wait up to 1 seconds for the process to become single-threaded, which will never happen as monitor itself is running in a separate thread.

PiperOrigin-RevId: 530878018
Change-Id: Ie9f663848502f2738721861b0ba2dc6f3cc9f1c9
2023-05-10 05:06:18 -07:00
Kevin Hamacher
fb1571c801 Automated rollback of commit f6fd27618b.
PiperOrigin-RevId: 529395980
Change-Id: I6a5d451ed84f8d4a522777815c6cc2d7d7a8923c
2023-05-04 06:53:48 -07:00
Christian Blichmann
7e9f6c3df3 Fix typo
PiperOrigin-RevId: 529325261
Change-Id: Ia663900a55d51805e330d989ed0965dc4e8f9b17
2023-05-04 00:46:53 -07:00
Oliver Kunz
9ab20c5411 Implements the ability to control who is allowed to enable unrestricted networking.
PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
2023-05-03 23:29:34 -07:00
Sandboxed API Team
f6fd27618b Automated rollback of commit 8c53262539.
PiperOrigin-RevId: 529101664
Change-Id: Ica452c6ee8f54b78be09fa830a09d6a89800cf44
2023-05-03 08:45:11 -07:00
Kevin Hamacher
8c53262539 Allow forkserver to use waitpid as alternative to sa_nochldwait
PiperOrigin-RevId: 529074278
Change-Id: If63015586673610e111ee589995e5264523be7a7
2023-05-03 06:41:07 -07:00
Wiktor Garbacz
a5bad44fac Fix wrong pytype annotation
PiperOrigin-RevId: 520972266
Change-Id: Ib5775e01bf3389e7d123480b3bb3b7a4f33a07b0
2023-03-31 11:30:33 -07:00
Wiktor Garbacz
0caa3e740c Do not expose forkserver.h
PiperOrigin-RevId: 520562657
Change-Id: I89fbe3012a5e63a50c46fd4f1e4ade8d36616c0b
2023-03-30 00:49:44 -07:00
Wiktor Garbacz
5efae5cdf5 Do not exit from within ForkServer to get more precise coverage data
PiperOrigin-RevId: 520273079
Change-Id: I3f37d9eacc2c284c45f37842e1e63364cf64faf2
2023-03-29 02:22:16 -07:00