Commit Graph

613 Commits

Author SHA1 Message Date
Oliver Kunz
9ab20c5411 Implements the ability to control who is allowed to enable unrestricted networking.
PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
2023-05-03 23:29:34 -07:00
Sandboxed API Team
f6fd27618b Automated rollback of commit 8c53262539.
PiperOrigin-RevId: 529101664
Change-Id: Ica452c6ee8f54b78be09fa830a09d6a89800cf44
2023-05-03 08:45:11 -07:00
Kevin Hamacher
8c53262539 Allow forkserver to use waitpid as alternative to sa_nochldwait
PiperOrigin-RevId: 529074278
Change-Id: If63015586673610e111ee589995e5264523be7a7
2023-05-03 06:41:07 -07:00
Wiktor Garbacz
0caa3e740c Do not expose forkserver.h
PiperOrigin-RevId: 520562657
Change-Id: I89fbe3012a5e63a50c46fd4f1e4ade8d36616c0b
2023-03-30 00:49:44 -07:00
Wiktor Garbacz
5efae5cdf5 Do not exit from within ForkServer to get more precise coverage data
PiperOrigin-RevId: 520273079
Change-Id: I3f37d9eacc2c284c45f37842e1e63364cf64faf2
2023-03-29 02:22:16 -07:00
Wiktor Garbacz
a4d602298b Dump coverage prior to execveat
PiperOrigin-RevId: 520002416
Change-Id: Ic792b0b71b8e7b2f00b669db9b6831acd8341c5c
2023-03-28 05:50:43 -07:00
Wiktor Garbacz
1755ba08e1 Internal Code Change
PiperOrigin-RevId: 519725866
Change-Id: Ibac005b875127ae68e28346fb78e74e789cff01e
2023-03-27 08:14:10 -07:00
Sandboxed API Team
9f2ba9d6a1 Comms constructor for non abstract sockets
Allows to create a Comms with unix domain sockets that are not abstract. This allows to use Comms to talk across network namespaces

PiperOrigin-RevId: 518854724
Change-Id: I4fd65466bba9512f448b73bde367f38a0fbb584d
2023-03-23 07:34:32 -07:00
Sandboxed API Team
18894d57f9 Add a helper method to allow the eventfd* family of syscalls.
PiperOrigin-RevId: 518565738
Change-Id: I2a3efe069ab1da65dd5f7cdcd3762637b7274b49
2023-03-22 07:46:56 -07:00
Wiktor Garbacz
b50bc23138 Remove no longer needed friend declaration
Drive-by dependencies cleanup

PiperOrigin-RevId: 518551045
Change-Id: I132dfc42945f500e8efec58a4d58d3bee4d1f191
2023-03-22 06:27:21 -07:00
Wiktor Garbacz
8a38e4de47 Copy environ in sandbox2_test to get better coverage data
PiperOrigin-RevId: 518544187
Change-Id: Id13a5503060817e1dead7ee4a5e310d322de3a5e
2023-03-22 05:47:00 -07:00
Wiktor Garbacz
99931c2ad6 Move abort into ExecuteProcess and mark it noreturn
PiperOrigin-RevId: 518528953
Change-Id: Ieaa03af484188bb35f9734d69d987eabbdcc23ab
2023-03-22 04:07:10 -07:00
Sandboxed API Team
b62d103426 Internal change
PiperOrigin-RevId: 518204712
Change-Id: Idcb8cc7b20198dcc0f3692aa0c89e9c620b9d65d
2023-03-21 01:49:22 -07:00
Wiktor Garbacz
9867ce3beb Make SAPI_RAW_LOG(FATAL, ...) noreturn
PiperOrigin-RevId: 517941912
Change-Id: I655aaf7101c566f8f01c1a5296539186701a10de
2023-03-20 05:43:28 -07:00
Wiktor Garbacz
10b89d4d33 Add missing LOAD_SYSCALL_NR
PiperOrigin-RevId: 516777043
Change-Id: Icccb8260c7e54299c5aa2ddfee4086232e2b8ffb
2023-03-15 03:29:56 -07:00
Wiktor Garbacz
690b31a038 Fix the poll in wait_for_sandboxee branch
PiperOrigin-RevId: 516544270
Change-Id: Ibb10611b9b7713ac6513199b6213c15d22772ea5
2023-03-14 09:19:30 -07:00
Wiktor Garbacz
5a2bdd436d Fix poll in unotify monitor
Fixes incorrect timeout calculation and increases the wakeup interval.
Also makes poll behave correctly in presence of signals.

PiperOrigin-RevId: 516514260
Change-Id: I035701e1bb351f9ad26157b59b13b4f300cc229a
2023-03-14 07:04:18 -07:00
Wiktor Garbacz
cb63dfead5 Add tests for util.cc
PiperOrigin-RevId: 516439597
Change-Id: I2ac88b6188738e47f0e0bdb04382a50aa5aa9366
2023-03-14 00:04:14 -07:00
Wiktor Garbacz
10d44614fd Partial support for sandbox2::Notify in UnotifyMonitor
PiperOrigin-RevId: 515562555
Change-Id: Ie73c34bc7e35942b307c458cfef80510e0b734c3
2023-03-10 00:59:37 -08:00
Wiktor Garbacz
a31584ff49 Add explicit cast to fix build error
PiperOrigin-RevId: 515263097
Change-Id: Ib5b6c28587be889b5e2ef8d013fa57cbb0d8ffd3
2023-03-09 01:03:36 -08:00
Wiktor Garbacz
e031c11bdc Update naming and lambda capture for stack size
PiperOrigin-RevId: 515254988
Change-Id: I394dc039bcfcbd2ccd7c705a91974f4183b28c39
2023-03-09 00:14:39 -08:00
Wiktor Garbacz
0d3d5d4bcb Seccomp_unotify based monitor
Unotify based monitor should bring big performance wins
if the sandboxee heavily uses threading or signals.
Some of the features are not supported in that mode:
- execveat is always allowed instead of just the initial one
- stack traces are not collected on normal exit or if the process is terminated by signal

PiperOrigin-RevId: 515040101
Change-Id: Ia5574d34b4ff7e91e3601edb8c9cb913e011fbf6
2023-03-08 08:09:34 -08:00
Sandboxed API Team
80cc894c39 Allow sched_getaffinity with sanitizers
PiperOrigin-RevId: 515024410
Change-Id: I7c48d701b0c3ecab41c3363f8cb46a1c8fa6d97e
2023-03-08 06:51:19 -08:00
Wiktor Garbacz
e3b2d232b4 Add test for bpf disassembler
Also always handle the new return values.

PiperOrigin-RevId: 514698931
Change-Id: Ib4ce06e4f17c438271a0452053d3b0bc368e9970
2023-03-07 05:04:09 -08:00
Wiktor Garbacz
e46a526865 Add explicit casts to avoid build failures
PiperOrigin-RevId: 514698583
Change-Id: I0ebf2c14a74330ead3a362a48d1776060ea70fbe
2023-03-07 05:02:45 -08:00
Wiktor Garbacz
a8db8bfcf7 PTHREAD_STACK_MIN is not always a constexpr
PiperOrigin-RevId: 514695823
Change-Id: Iecf16f0bd563d85f80b0697d14293ff2d3133aef
2023-03-07 04:47:53 -08:00
Wiktor Garbacz
9f657e6a62 Consistently exclude examples from coverage runs
PiperOrigin-RevId: 514443652
Change-Id: Ia020371928e94d8b9bd98a9318c5d884f96c9f86
2023-03-06 10:03:12 -08:00
Christian Blichmann
17553b2206 syscall_trap: Add missing includes use C++ ones
PiperOrigin-RevId: 514385399
Change-Id: Iceca365c862ce7ee03a61153eb1da2a9571a9719
2023-03-06 07:11:24 -08:00
Wiktor Garbacz
526401166e Migrate namespaces related tests out of policybuilder_test
PiperOrigin-RevId: 514325688
Change-Id: I9c581d14da3ac9fe5c3c0b43e156d8ad8d90c73f
2023-03-06 07:08:49 -08:00
Wiktor Garbacz
64b52ff3b5 Fix stack_trace_test for ARM64
When symbolize.cc is built with unwind tables function from the lib calling into symbolize.cc might be duplicated in stack trace (libunwind fallback to LR)

PiperOrigin-RevId: 514324815
Change-Id: I76ee4ccf5aaf388924714284d9896fa367f5f752
2023-03-06 07:07:55 -08:00
Wiktor Garbacz
550b26587f Implement DangerDefaultAllowAll using DefaultAction(AllowAllSyscalls())
PiperOrigin-RevId: 513861597
Change-Id: I6e4038648a005bbe57ca33a4c0466f5af2184da8
2023-03-03 10:26:32 -08:00
Wiktor Garbacz
e09c2bc215 Run more tests with coverage and sanitizers contd
PiperOrigin-RevId: 513815467
Change-Id: I31d0df2c69b20eb126aaa8dde7f45fa7c0e1e6a8
2023-03-03 06:51:06 -08:00
Wiktor Garbacz
6827dc0059 Remove superfluous set_rlimit_as(RLIM64_INFINITY)
Address space limit is set to infinite by default.

PiperOrigin-RevId: 513755637
Change-Id: I42e79b21bc9b0f4b52e461994fef2ed104752957
2023-03-03 01:14:31 -08:00
Wiktor Garbacz
cd945565f5 Run more tests with coverage and sanitizers
Running with a permissive test policy should not interfere with sanitizers
or coverage.
Most tests should run with such a permissive policy.
The exception are tests which actually tests policy enforcement.

PiperOrigin-RevId: 513548936
Change-Id: I9a4c2cc8074997cff08cc22d15f4736219ce4d63
2023-03-02 08:46:07 -08:00
Wiktor Garbacz
a613dda7f2 Test stack unwinding more thoroughly
Check unwinding recursive calls.
Verify we can unwind in absence of unwind tables.

PiperOrigin-RevId: 513506498
Change-Id: Ib87240b7481dae3a4513c944e17a7924a54926e9
2023-03-02 05:09:49 -08:00
Wiktor Garbacz
0033c4563f Remove unused UnwindResult.ip, reuse RunLibUnwindAndSymbolizer
PiperOrigin-RevId: 513482530
Change-Id: I50b24619af77a245088d489052f41f370a4d720b
2023-03-02 02:40:15 -08:00
Wiktor Garbacz
d74dac096a Rework stack_trace_test
PiperOrigin-RevId: 513467290
Change-Id: Iab630412052fa5e7333514f3864ebdfb7f10e1ef
2023-03-02 01:25:38 -08:00
Wiktor Garbacz
5a8a25e9ac Change the default action instead of appending ALLOW
Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
2023-03-01 05:36:24 -08:00
Wiktor Garbacz
fbfbd13adf Add frame pointer unwinding fallback
PiperOrigin-RevId: 513193320
Change-Id: I0ade55e0d1fae6d33794ccd064766a18f0c86cd6
2023-03-01 03:55:15 -08:00
Juan Vazquez
e11109c9ee Internal change
PiperOrigin-RevId: 512922245
Change-Id: Ibc6d769f2f6b15971b95878c8fdb8d4664fbf2df
2023-02-28 07:01:07 -08:00
Juan Vazquez
6aa97f5394 Internal changes
PiperOrigin-RevId: 512905076
Change-Id: I780e8d6bfcfc94da5e8744146e6c1de153c329f9
2023-02-28 05:34:07 -08:00
Juan Vazquez
bd14f6818d Add field to track policy source location
PiperOrigin-RevId: 512070278
Change-Id: I959a57e296d9b999c4ee3086bc814d7d55484722
2023-02-24 07:55:23 -08:00
Wiktor Garbacz
e1246332d1 Rename and move CreateDirRecursive
PiperOrigin-RevId: 510186053
Change-Id: I0e68cc8fff44780ab98f1d57f829ff900790eed5
2023-02-16 10:44:01 -08:00
Wiktor Garbacz
6db17e7ab3 Use namespaced policy in most tests
Drive-by some test cleanups.

PiperOrigin-RevId: 510134967
Change-Id: I40328a644690865c5cc0a0eb265222ebf7ff83e0
2023-02-16 07:12:46 -08:00
Wiktor Garbacz
71692bb50b Decouple sandboxed stack tracing
This allows to split monitor & stack_trace related targets.
Also move stack traces related functionality into MonitorBase.

PiperOrigin-RevId: 510112916
Change-Id: I60eabf9c9b3204dc369713edd8ae05fded306875
2023-02-16 06:07:15 -08:00
Wiktor Garbacz
d2dbbbae76 Remove redundant tests
UID/GID is checked in namespace test and open fds in santizier test

PiperOrigin-RevId: 510084559
Change-Id: I1aac4d30d44aa2390447f24d228afbb1c3b04e2b
2023-02-16 02:28:52 -08:00
Wiktor Garbacz
3f53e81d0b Remove unused dependency
PiperOrigin-RevId: 509890467
Change-Id: I0189fca5efa93a9e67f6f07eac44793cd17dcfc3
2023-02-15 11:35:14 -08:00
Wiktor Garbacz
e4c0d91e69 Remove leftover debug log
PiperOrigin-RevId: 509473001
Change-Id: I37e1ca609489ed9e2f3303efda3d955ad8408237
2023-02-14 02:51:21 -08:00
Wiktor Garbacz
a5d12903dd Extract SandboxeeProcess and move it down the call chain
PiperOrigin-RevId: 507718207
Change-Id: Ia1f6fc2f09abbde5311f8dc0f596aa605989140d
2023-02-07 02:22:45 -08:00
Wiktor Garbacz
f289855867 Update IfThenChange after monitor split
PiperOrigin-RevId: 506591092
Change-Id: Idf3c0d00e88c622a565fe056b2b12fca27c4b819
2023-02-02 05:17:03 -08:00
Wiktor Garbacz
34b2f6bc90 Remove AllowUnsafeKeepCapabilities()
PiperOrigin-RevId: 506586347
Change-Id: I859a1f695ffbcf3b982a26df425c6b4e03c62da1
2023-02-02 04:47:02 -08:00
Wiktor Garbacz
8f24f2a4f0 Split PtraceMonitor into separate file
PiperOrigin-RevId: 505660957
Change-Id: I6b8fcbb86c9fef294b6d19e2d1ec7120415f843b
2023-01-30 05:09:20 -08:00
Wiktor Garbacz
97d67019d2 Split out policybuilder target
PiperOrigin-RevId: 505053801
Change-Id: Ic0ea4aa2334394e310af6d3a11f961bd4866f9dc
2023-01-27 01:24:51 -08:00
Wiktor Garbacz
4450c5513f Bazel: Do not expose regs.h
PiperOrigin-RevId: 505047592
Change-Id: I207cf46c3f75d0a24cf753888e0cdba53d4193b0
2023-01-27 00:43:38 -08:00
Wiktor Garbacz
f636cd86d6 Split PtraceMonitor out of Monitor
This is a preparatory step to introduce a Sandbox2 mode that does not use ptrace.

PiperOrigin-RevId: 503919613
Change-Id: I446adecc66e697c592ad938627fbfdbea12516e1
2023-01-23 01:42:28 -08:00
Sandboxed API Team
8c107936da Internal BUILD changes
PiperOrigin-RevId: 503417314
Change-Id: Ib368f5600ef39d2ee37fc8c71108d6d11f109328
2023-01-20 05:14:47 -08:00
Sandboxed API Team
adb90a14a0 Internal BUILD changes
PiperOrigin-RevId: 503412719
Change-Id: Idecf094c8c7c8956a9f000204c90ed83d6df599d
2023-01-20 04:43:10 -08:00
Wiktor Garbacz
8bf9868ec3 Protobuf doesn't directly support heterogeneous lookup with absl::string_view
If the platform does not have `std::string_view` (i.e. `absl::string_view` is not an alias of `std::string_view`) the lookup will cause build failure.

PiperOrigin-RevId: 503159858
Change-Id: Ide8229ae0219d1cb6f3b36aba26da8d53183bc4b
2023-01-19 07:32:03 -08:00
Wiktor Garbacz
2f64d3d925 stack_trace: pass fd to sandboxee's memory instead of using process_vm_readv
Libunwind sandbox no longer needs to join sandboxee's userns.
This cleans up a lot of special handling for the libunwind sandbox.

PiperOrigin-RevId: 503140778
Change-Id: I020ea3adda05ae6ff74137b668a5fa7509c138f8
2023-01-19 05:44:50 -08:00
Wiktor Garbacz
f87b6feb18 stack_trace: do not add common libraries when not a custom fork-server
Avoids duplicate entries warnings and tightens the namespace.
Drive-by: modernize the policy.
PiperOrigin-RevId: 503108939
Change-Id: If34d23dd83ca39682799dfb36bd0b9b9ceb19fdc
2023-01-19 02:47:49 -08:00
Sandboxed API Team
bc6937ac82 Add logging of stack traces of all threads that were terminated by a signal or
when the sandboxee did not exit normally.
Disabled by default, enabled with a flag.

PiperOrigin-RevId: 502807175
Change-Id: Icb5236cbfac0168a2d855c68967f7a1e8bd13fe3
2023-01-18 01:45:01 -08:00
Wiktor Garbacz
58c3f80d57 Allow MADV_HUGEPAGE used by tcmalloc
PiperOrigin-RevId: 501815420
Change-Id: I22d6408e4e6ca375823b7b9448547cc082fe5421
2023-01-13 04:41:22 -08:00
Wiktor Garbacz
2ae5370cfb Full syscall info in Result::ToString
PiperOrigin-RevId: 501522999
Change-Id: I90c63984c053a5e7deaf4b7619e70c360cc892bb
2023-01-12 03:57:44 -08:00
Sandboxed API Team
1871b173c4 Add __NR_faccessat2 to the list of syscalls allowed by AllowAccess().
PiperOrigin-RevId: 500105471
Change-Id: Ic43c608a511617ba9ca8c2cba440cd709ae80a19
2023-01-06 00:16:46 -08:00
Sandboxed API Team
756176f206 On new process, check for the clone3 syscall.
PiperOrigin-RevId: 499918752
Change-Id: I7279e76593976c224a15be901834bf6225aebe85
2023-01-05 10:02:09 -08:00
Sandboxed API Team
90ee0a7464 Update clients of PolicyBuilder to support architectures other than x86_64.
PiperOrigin-RevId: 499424110
Change-Id: I6e7ed7436db84a65b1920f78dfc00cb2f9894b3c
2023-01-04 01:44:20 -08:00
Wiktor Garbacz
00d42577d5 Use CLONE_VM for starting the global forkserver
PiperOrigin-RevId: 499192311
Change-Id: I054385e9cab5e4987b0f34ab3b763244356405c2
2023-01-03 05:36:40 -08:00
Wiktor Garbacz
2d52191c24 Define PR_SET_VMA* if undefined
PiperOrigin-RevId: 497161397
Change-Id: I65fc11a7ccf34ffe225a03a0444275145fa43b4f
2022-12-22 07:39:44 -08:00
Wiktor Garbacz
fc721da2b9 More precise sycall_defs
PiperOrigin-RevId: 497137823
Change-Id: I374054659ce94e6b53819b999d9ed25df18b4ebd
2022-12-22 05:00:48 -08:00
Wiktor Garbacz
89a8f35f0e Use new helpers in policy_test
PiperOrigin-RevId: 496904765
Change-Id: Id2e4a901ed29c780542423608c55d01ef19eee9a
2022-12-21 06:17:07 -08:00
Wiktor Garbacz
7625c3dd24 Use AllowDup helper in AddNetworkProxyPolicy
PiperOrigin-RevId: 496898835
Change-Id: I76968c5c9b25a9e41865b3fad20463661195f581
2022-12-21 05:36:28 -08:00
Sandboxed API Team
aff27f4559 Update PolicyBuilder to include wrappers for more syscall families that differ between platforms.
New wrappers:

- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)

Updated wrappers:

- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.

PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
2022-12-13 09:32:17 -08:00
Wiktor Garbacz
5b3450ac8d Internal change
PiperOrigin-RevId: 494153465
Change-Id: Ice7f3e7b95f8de1348ccb281bbfa6fc7164b3353
2022-12-09 06:14:19 -08:00
Wiktor Garbacz
ee58a410d9 Handle S2 unwinding by trapping ptrace
PiperOrigin-RevId: 491893277
Change-Id: I427a2e485173c73fffead43e29511460c58c4f04
2022-11-30 06:00:29 -08:00
Wiktor Garbacz
bd5769d40a Use SyscallTrap in NetworkProxy
PiperOrigin-RevId: 491891500
Change-Id: I2e70dbc44aa264247c217ca88a4de1c0867383fd
2022-11-30 05:47:44 -08:00
Wiktor Garbacz
5bf9b1aef0 Introduce SyscallTrap helper class
PiperOrigin-RevId: 491887840
Change-Id: I5b189969da33e042a3ba38fe14025a758103f160
2022-11-30 05:21:12 -08:00
Wiktor Garbacz
77c80b7213 unwind: Skip Mapping Symbols on ARM
ARM documentation for Mapping Symbols:
https://developer.arm.com/documentation/dui0803/a/Accessing-and-managing-symbols-with-armlink/About-mapping-symbols

PiperOrigin-RevId: 491836684
Change-Id: I2e259e66f2253d80902aa763f2637f3f6fdea414
2022-11-30 00:16:37 -08:00
Wiktor Garbacz
755f29b35e Correct unwinding stop condition
On successful completion, `unw_step()` returns a positive value
  if the updated cursor refers to a valid stack frame,
  or `0` if the previous stack frame was the last frame in the
  chain. On error, the negative value of one of the error-codes
  below is returned.

PiperOrigin-RevId: 491588164
Change-Id: Ie361023ef69eed6c895856832a8208f2791f644d
2022-11-29 03:24:31 -08:00
Sandboxed API Team
11b89c0317 Internal compatible_with change
PiperOrigin-RevId: 491371995
Change-Id: I3f0430d6678992642557320a8fa3cf738a7c5fab
2022-11-28 09:55:57 -08:00
Christian Blichmann
c3889ce379 Fix command-line handling in sandbox2tool
This addresses #164.

PiperOrigin-RevId: 483675926
Change-Id: I1461c9bb2c3865d86cd99f9285e51ce20ac460b8
2022-10-25 08:05:23 -07:00
Christian Blichmann
6fbfb8f9bd Remove Tag constructor, add standard comment for absl::WrapUnique(new T)
PiperOrigin-RevId: 483654433
Change-Id: I16b058a6b186f764f45bc5540f3f49d5a294ddeb
2022-10-25 06:20:51 -07:00
Christian Blichmann
8d04efa62d contrib: Replace uses of CHECK_NOTNULL
Abseil's standard name for this is `ABSL_DIE_IF_NULL`.

PiperOrigin-RevId: 483648443
Change-Id: I9d6826443be72b30f71c18972436fa5f9c05048a
2022-10-25 05:50:59 -07:00
Christian Blichmann
4c87556901 Use Abseil's log/flags instead of glog/gflags
Follow-up changes might be required to fully fix up the contrib sandboxes.

PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
2022-10-20 06:48:51 -07:00
Christian Blichmann
79b6784b82 #Cleanup: Consistently use std::make_unique
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
2022-10-12 05:23:42 -07:00
Wiktor Garbacz
cb8efdc270 Sandbox2: Graciously handle mapping over Comms/Exec fds
Try to move the affected FDs transparently to avoid conflict.

PiperOrigin-RevId: 480105375
Change-Id: I0cd093fce120505d1cd4a1d081b3c0e63bf0210a
2022-10-10 09:39:01 -07:00
Christian Blichmann
b9c2830ebc Use new sandbox2::Comms ctor for default connection params
This change allows Sandbox2 to change how the default FD for comms is chosen.

PiperOrigin-RevId: 479526309
Change-Id: I69add85a244bc0385eaa164ab0ea3b036503c6d3
2022-10-07 02:08:20 -07:00
Wiktor Garbacz
3198ff06d3 Explicit Comms constructor with default params
This is to abstract the FD number away, so that we can change the way the FD number is chosen/communicated.

PiperOrigin-RevId: 479282707
Change-Id: Ic6726bcd0a17e97bde60804476ecbca2ffbf6525
2022-10-06 04:56:18 -07:00
Christian Blichmann
5b61445de9 Internal change
We have removed an internal-only sandbox mechanism that has been deprecated
for years. Some formatting/include changes may leak into the OSS version.

PiperOrigin-RevId: 475230500
Change-Id: Ib4efdf3282529ea50e8302e5ef7acfdd7d4c68e5
2022-09-19 01:58:32 -07:00
Wiktor Garbacz
d2c8c70d8e Internal change
PiperOrigin-RevId: 475224729
Change-Id: Id7c05c7542c44f58e7f4027c6932acd42f3a7857
2022-09-19 01:17:22 -07:00
Christian Blichmann
8de530036f Internal change.
Some includes may leak to OSS.

PiperOrigin-RevId: 474748898
Change-Id: Iff9dc4f91af211572ff4bbcf57330b36d7a957ab
2022-09-16 00:37:02 -07:00
Sandboxed API Team
75c7081622 For the SECCOMP event, check if the event msg is in the range of one of the known architectures.
If it isn't, assume that the process has exited and the event msg contains an exit code.

PiperOrigin-RevId: 471258449
Change-Id: I44408c30fe7fb39e20b55cea871f3efb68fcde67
2022-08-31 08:09:37 -07:00
Sandboxed API Team
e541f79abd forkserver_bin is usually embedded via cc_embed_data. So there is no real reason why it should be stamped.
PiperOrigin-RevId: 470013947
Change-Id: I7ff11fafdebb49e14c2b5dcae48c31fda6da2833
2022-08-25 09:54:24 -07:00
Christian Blichmann
7008aa21b6 Remove leftover definition from move to SyscallTable
PiperOrigin-RevId: 467930784
Change-Id: Id149fe9ef85718f28fcb396b03b574c32dc846d8
2022-08-16 08:24:56 -07:00
Sandboxed API Team
28504f1817 Make code not have a -Warray-parameter warning.
PiperOrigin-RevId: 467842322
Change-Id: Ic262a3f98fa823ef524ac02d08b2f5b8f4adf71d
2022-08-15 22:55:51 -07:00
Sandboxed API Team
deb3c8e77b Batch threads waiting for the monitor's attention.
Instead of doing waitpid() and processing one thread at a time, gather all waiting threads and then process them.

This avoids starving older threads when newer threads raise a lot of events.

PiperOrigin-RevId: 466366533
Change-Id: I81a878f038feac86407a8e961ecba181004f0f8a
2022-08-09 08:28:03 -07:00
Sandboxed API Team
78ee270388 Remove information about in-progress syscalls on process exit.
PiperOrigin-RevId: 463091104
Change-Id: I402cb61e9e816a20a87274ea874cddf91c101e14
2022-07-25 08:28:25 -07:00
Sandboxed API Team
4d906e7143 Fix visibility
PiperOrigin-RevId: 461617454
Change-Id: Id77bfbec2cc095005a434251c056b19c3c6a64c4
2022-07-18 07:44:38 -07:00
Wiktor Garbacz
1e4cf06f69 Block installing user notify inside Sandbox2
PiperOrigin-RevId: 458781163
Change-Id: Ifcaf940d8a70a9a4ab5b24aefdaaae622cfce4f3
2022-07-03 11:20:31 -07:00
Sandboxed API Team
e5bc3e69cd "Stack traces have been disabled" message goes to VLOG instead of INFO.
PiperOrigin-RevId: 456755121
Change-Id: I7eb7badcd5901a33dd2b2afc0833f00eeedacada
2022-06-23 06:42:35 -07:00
Sandboxed API Team
81871a98f7 Internal-only change.
PiperOrigin-RevId: 455553721
Change-Id: I923ab39b9bcd92a6a8e0dd8f95b01cc135ace919
2022-06-17 00:37:39 -07:00
Oliver Kunz
598b00103a This change introduces internal experimental support for Android.
PiperOrigin-RevId: 453669315
Change-Id: I6c3278804071caa2bb347cfeb584975339cb50d5
2022-06-08 06:51:41 -07:00
Oliver Kunz
546fda8f1e Internal change
PiperOrigin-RevId: 451384097
Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
2022-05-27 06:45:58 -07:00
Sandboxed API Team
5513e560eb Add option to block the ptrace system call instead of denying it.
PiperOrigin-RevId: 451347905
Change-Id: Iaed0f6f116bca3be4e6e7009dddd4dd6267823bb
2022-05-27 02:57:37 -07:00
Sandboxed API Team
65487bca39 Fix typo.
PiperOrigin-RevId: 451345082
Change-Id: Id443348448fa4cb6e682d18be64d39e363e20e0c
2022-05-27 02:42:14 -07:00
Wiktor Garbacz
88b0a9e2e5 Fix possible crash when multiple termination conditions occur simultaneously
E.g. a failed `KillSandboxee` for a timeout would already set the exit status code while there could be an external kill pending at the same time which would try to `KillSandboxee` again and thus set exit status code again.

PiperOrigin-RevId: 448464765
Change-Id: Ic5744a576c4255504bfb1d5c4f33253b5bb32b6f
2022-05-13 04:35:27 -07:00
Wiktor Garbacz
5e61ce0853 More permissive ptrace handling in edge cases
This should make multithreaded sandboxees that exec (or send `SIGKILL`) behave more reliably.

PiperOrigin-RevId: 447458426
Change-Id: Ifdace340462199dc24c8cdf25d589ef6b24991e1
2022-05-09 06:58:27 -07:00
Sandboxed API Team
84673bbe3e Allow readlinkat with sanitizers
Required after https://reviews.llvm.org/D124212

PiperOrigin-RevId: 445551132
Change-Id: I140c67544d0cf18ee6c75aa9407777bd3414d929
2022-04-29 18:23:59 -07:00
Christian Blichmann
51799f99ae Introduce a transitional logging utility library
Instead of calling `google::InitGoogleLogging()` directly, introduce an
indirection via a new utility library. After this change, Sandboxed API
should consistently use `sapi::InitLogging()` everywhere.

For now, `sapi::InitLogging()` simply calls its glog equivalent. However,
this enables us to migrate away from the gflags dependency and use Abseil
flags. Once a follow-up change lands, `sapi::InitLogging()` will instead
initialize the google logging library with flags defined from Aseil.

Later still, once Abseil releases logging, we can then drop the glog
dependency entirely.

PiperOrigin-RevId: 445363592
Change-Id: Ia23a7dc88b8ffe65a422ea4d5233bba7bdd1303a
2022-04-29 02:14:06 -07:00
Oliver Kunz
905c252e71 Remove AllowStaticStartup because AllowDynamicStartup calls this as well
PiperOrigin-RevId: 445349786
Change-Id: I28686ede2e22e641a8f90caacedf289b2d5c9a2e
2022-04-29 00:48:37 -07:00
Christian Blichmann
6cbde854d6 #Cleanup: Consistently use char* argv[] instead of char**
PiperOrigin-RevId: 444782296
Change-Id: If8e7647be28f794392675ae001abbe9b809da0ac
2022-04-27 00:43:51 -07:00
Christian Blichmann
ff9009458c Disable deprecation warnings
Internally, we rely on clang-tidy to warn about using deprecated declarations.
And for using deprecated declarations within SAPI itself, we should not warn.

Drive-by:
- Fix warning in `mounts_test.cc`
PiperOrigin-RevId: 443634512
Change-Id: I7ef66f0ba77201026490baab07766510c1c55c6a
2022-04-22 04:58:02 -07:00
Christian Blichmann
a60ff1a95c Remove OsErrorMessage in favor of Abseil's new ErrnoToStatus
#Cleanup

PiperOrigin-RevId: 443359044
Change-Id: I2b3e385a1846feac79edd28fcbf6e85b1429a44a
2022-04-21 06:15:38 -07:00
Christian Blichmann
839914d6dd cmake: Rename build options to follow Abseil naming
`BUILD_TESTING` is a CMake provided option and we should use similar naming,
just like how Abseil does it.

- `SAPI_ENABLE_TESTS` -> `SAPI_BUILD_TESTING`
- `SAPI_ENABLE_CONTRIB_TESTS` -> `SAPI_CONTRIB_BUILD_TESTING`
- `SAPI_ENABLE_EXAMPLES` -> `SAPI_BUILD_EXAMPLES`

Drive-by:
- Fix option name in GitHub action
PiperOrigin-RevId: 443305932
Change-Id: Ice2b42be1229a0f9ae7c2ceda9ce87187baf22c4
2022-04-21 01:17:39 -07:00
Christian Blichmann
c0cfeed925 cmake: Include CTest in all projects, honor BUILD_TESTING setting
Including the `CTest` modules ensures that the `BUILD_TESTING` option is
defined and automatically calls `enable_testing()` if needed. It does not
change the default or introduce any dependencies on its own.

This follows what Abseil already does in their top-level `CMakeLists.txt`.

PiperOrigin-RevId: 443305646
Change-Id: If067c17470f497437c7748aab4aab5227c26e84f
2022-04-21 01:15:34 -07:00
Christian Blichmann
456d9f341e Sandbox2: Check for substring in CRC4 test
PiperOrigin-RevId: 442793060
Change-Id: If2483e13a9bdab5803e949bc4b568caa9569a818
2022-04-19 06:15:34 -07:00
Sandboxed API Team
ce5da915a2 Add default member initializer for sandbox2::Executor::Process members
PiperOrigin-RevId: 440877694
Change-Id: I0899393b05d064cd8318e11eef796f89b3c0ad0e
2022-04-11 06:59:17 -07:00
Sandboxed API Team
1db315207a Allow access to /sys/devices/system/cpu/
PiperOrigin-RevId: 439506287
Change-Id: I5d41ed234860f02329c960144b1da725e24549dd
2022-04-05 00:29:08 -07:00
Oliver Kunz
ed853afbe5 Extend ValidateInterpreter with Android_Arm64 interpreter
PiperOrigin-RevId: 438325813
Change-Id: I13fc285f19ff333e56ef018a77ec5c789d8b09ff
2022-03-30 09:45:58 -07:00
Oliver Kunz
c1ac5c3833 Changes to comms_test module to run unittests with --config=android_arm64
PiperOrigin-RevId: 438017732
Change-Id: I10a8ec154793f57f194a265e590f39b36c3d3043
2022-03-29 07:16:43 -07:00
Christian Blichmann
f928f1dd7c Fix stack traces on Fedora
This fixes the main issue (#118) with stack traces on Fedora, which uses a
`/lib64` and `/usr/lib64`.

PiperOrigin-RevId: 437717858
Change-Id: I6986aa84c2be57ae1d9f8d0cb9b508768d27f1c1
2022-03-28 04:05:36 -07:00
Oliver Kunz
44cd37c94e Make use of the new AllowPrctlSetName convenience function.
PiperOrigin-RevId: 436727461
Change-Id: Iab1945c422b8db98a220cdeacdec7c9868ea9e84
2022-03-23 06:59:40 -07:00
Oliver Kunz
ab9c4afb15 Create a convencience function to set the name of a thread/process
PiperOrigin-RevId: 436661002
Change-Id: Ia66cef2f3eda829c65bc07e2ac43a0b2c878eb7b
2022-03-22 23:39:06 -07:00
Sandboxed API Team
df8a2f77eb Automated rollback of commit 809fb49341.
PiperOrigin-RevId: 436285752
Change-Id: I0607d9db08343e23d22ba9cb945cb6ef74739a14
2022-03-21 13:09:36 -07:00
Oliver Kunz
809fb49341 Create a convencience function to set the name of a thread/process
PiperOrigin-RevId: 436215084
Change-Id: I17dc8930a117fe67bd1b87e2ae3d4652875780df
2022-03-21 08:36:01 -07:00
Oliver Kunz
d0f5f547cb Patch sandbox2/comms module to build for Android.
PiperOrigin-RevId: 435318451
Change-Id: If0e40bab30f3cb68d7e79f26d2336c638742f1ac
2022-03-17 05:27:07 -07:00
Oliver Kunz
ee11d9fdb7 Migration of remaining protobufs from proto2 to proto3
PiperOrigin-RevId: 434973223
Change-Id: I5518aa3944cab94d33ce0538bed8ee82f90d4b3a
2022-03-16 00:43:46 -07:00
Oliver Kunz
206547591b Migrate forkserver.proto to proto3 syntax
PiperOrigin-RevId: 434458725
Change-Id: I277f76a1a5ebd3eed15c6b3f3e7f849bf6edacea
2022-03-14 07:28:23 -07:00
Oliver Kunz
68eaa815ce Migrate to proto3, change is_ro to is_rw (default value is false), and rename mounttree.proto
PiperOrigin-RevId: 434435260
Change-Id: Ie4cfe04bf1a9357e63b6159c3d5a8b95388b5292
2022-03-14 05:15:15 -07:00
Wiktor Garbacz
50c55e8ac0 Provide clearer error message when global forkserver is chrooted
PiperOrigin-RevId: 433686276
Change-Id: Ieb01f9dcafdce7bcb548807169f429cc8a181e56
2022-03-10 01:32:55 -08:00
Wiktor Garbacz
52d1ea8984 Avoid hard failures in StartSubProcess
PiperOrigin-RevId: 433453289
Change-Id: Ib8b08ddd31c4daa9a377960d52f0a7eb7b17de19
2022-03-09 05:17:15 -08:00
Oliver Kunz
c5565241c1 Rewrite IsEquivalentNode without the use of MessageDifferencer
PiperOrigin-RevId: 433422767
Change-Id: I891a8f5f027115898590a43bed5d25c51c1db944
2022-03-09 01:56:50 -08:00
Wiktor Garbacz
612ff57913 Replace deprecated SetWalltimeLimit call
PiperOrigin-RevId: 433414976
Change-Id: I0597a2d8215d4b228794da409e3533651972a98c
2022-03-09 01:01:49 -08:00
Wiktor Garbacz
20edaae54f Add an option to allow mount propagation
PiperOrigin-RevId: 433211924
Change-Id: I653f000d44de10b668b375fd2dfff3c668cbf673
2022-03-08 08:01:19 -08:00
Oliver Kunz
2650834d7c Add unittest for IsEquivalentNode
PiperOrigin-RevId: 433172902
Change-Id: Ie6fb44e682be947fb9f8b856c5e804aa91647a6d
2022-03-08 04:04:57 -08:00
Wiktor Garbacz
8a5740fbb1 Better handle invalid read-write mounts
PiperOrigin-RevId: 433136095
Change-Id: I17eb347c0a5cfef5e05c3717dfdd83055d967e35
2022-03-07 23:57:57 -08:00
Sandboxed API Team
32d19f9e57 Disable compress_stack_depot in sandbox
The feature is pure optimization, but it requires
additional syscalls.

PiperOrigin-RevId: 432954277
Change-Id: I1f345f8a26c86e09611fd575cb6ee080f24cc717
2022-03-07 08:43:42 -08:00
Wiktor Garbacz
d1995bdca5 Add a helper for allowing epoll
PiperOrigin-RevId: 432879710
Change-Id: I7cc991358ce25729b002210a04bacb3ae91d8a1f
2022-03-07 00:54:21 -08:00
Sandboxed API Team
8e82b900f4 Automated rollback of commit 5f34d11e77.
PiperOrigin-RevId: 432491462
Change-Id: Id92eabbb140df85b7b48f6f107ef9f44c3c6dff5
2022-03-04 11:19:19 -08:00
Wiktor Garbacz
5f34d11e77 Add a helper for allowing epoll
PiperOrigin-RevId: 432387441
Change-Id: I52865ab4abd4ebaf9842859b5f2718b204f4c6ea
2022-03-04 01:24:55 -08:00
Wiktor Garbacz
1cf2d840dd Add PolicyBuilder::OverridableBlockSyscallWithErrno
PiperOrigin-RevId: 432201719
Change-Id: I5cac1a03a7ec95598bae87ff13d38e4bedf62beb
2022-03-03 08:37:04 -08:00
Oliver Kunz
077203fcf2 Change to proto2::MessageLite and resolve reflextion for mobile builds
PiperOrigin-RevId: 432164927
Change-Id: I0821cf443393b0bb16a68fc5750a9633a3f27725
2022-03-03 04:48:30 -08:00
Sandboxed API Team
e1a9513783 Move few policies from tsan to All section.
munmap is widely used by sanitizer, but it
probably works for Asan/Msan because it's enabled
by unrelated Allow* call.

Move mprotect to shared part as well. It will be
needed for compress_stack_depot.

PiperOrigin-RevId: 431989551
Change-Id: I7695a2de81d8d0b2112d3308778b2e9a9c7cb596
2022-03-02 11:38:35 -08:00
Sandboxed API Team
546365655d Introduce commandline flag to pass forkserver_bin path for Android builds.
PiperOrigin-RevId: 431942480
Change-Id: I5382b4fc8e8a66bb823dda597e1b812421364212
2022-03-02 08:12:21 -08:00
Sandboxed API Team
3f042fa54f Fix monitor for Android-ARM64
PiperOrigin-RevId: 431926820
Change-Id: Ie5adc1ec6accc7e68782c26b65fac0c32cded498
2022-03-02 06:42:42 -08:00
Sandboxed API Team
9a7ba28ea7 Allow sanitizer to print reports
PiperOrigin-RevId: 430271415
Change-Id: Ieb23663aa6ff5997ce0a6b1e81dcb2385ac4b509
2022-02-22 12:33:55 -08:00
Wiktor Garbacz
a2daa0a275 Fix BlockSyscallsWithErrno
PiperOrigin-RevId: 429982218
Change-Id: I42b187e678542b295542ca44882945c7695178e1
2022-02-21 00:46:50 -08:00
Christian Blichmann
befdb09597 Link more complex test cases dynamically
Linking glibc in fully static mode is mostly unsupported. While such binaries
can easily be produced, conflicting symbols will often make them crash at
runtime. This happens because glibc will always (try to) load some dynamically
linked libraries, even when statically linked. This includes things like the
resolver, unicode/locale handling and others.

Internally at Google, this is not a concern due to the way glibc is being built
there. But in order to make all of our tests run in the open-source version of
this code, we need to change strategy a bit.

As a rule of thumb, glibc can safely be linked statically if a program is
resonably simple and does not use any networking of locale dependent
facilities. Calling syscalls directly instead of the corresponding libc
wrappers works as well, of course.

This change adjusts linker flags and sandbox policies to be more compatible
with regular Linux distributions.

Tested:
- `ctest -R '[A-Z].*'` (all SAPI/Sandbox2 tests)
PiperOrigin-RevId: 429025901
Change-Id: I46b677d9eb61080a8fe868002a34a77de287bf2d
2022-02-16 05:59:13 -08:00
Christian Blichmann
aefdb94575 Update zlib examples
- Link `zipe.c` statically (safe)
- Update policy to allow any use of `stat()`

PiperOrigin-RevId: 428971638
Change-Id: Ib0f5f496ea2389582986b41a8830592e6c1d4390
2022-02-16 00:08:28 -08:00
Christian Blichmann
e8cadf8f7d Allow mprotect(_, _, PROT_READ) for all static binaries
Newer toolchains/libcs will use this syscall on x86-64 as well.

PiperOrigin-RevId: 428705078
Change-Id: I705efe37db9ebdd922036b39e4fb3c22dc749a1a
2022-02-15 00:14:25 -08:00
Christian Blichmann
36d0f928c6 Apply page offset during stack unwinding/symbolization
This fixes a couple of tests in the open source version of the code.
Internally, since we are using a different ELF loader, the page offset
will always be zero. Hence we never notices this was broken.

PiperOrigin-RevId: 427996428
Change-Id: I44c5b5610b074cf69b9f0c5eeb051be50923e351
2022-02-11 07:19:34 -08:00