Commit Graph

436 Commits

Author SHA1 Message Date
Kevin Hamacher
4b018757c3 Use absl::flat_hash_set + Status in favor of std::set in the sanitizer API
PiperOrigin-RevId: 395061068
Change-Id: I31548eb6fc9f27f55acf25bd6d3d0b941a529e63
2021-09-06 03:15:39 -07:00
Kevin Hamacher
eb2c5a66f4 Rework GetListOfFDs API
PiperOrigin-RevId: 395043959
Change-Id: I77ce13f0c786d3644971ed239f3106319667e979
2021-09-06 01:01:19 -07:00
Christian Blichmann
289adcff06 Internal change.
For OSS, this change should be mostly a no-op. Visible edits are due to
changed order of code and/or includes.

PiperOrigin-RevId: 394177395
Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
2021-09-01 01:28:19 -07:00
Catalin Patulea
9ab330dc7a 'Map' symbols: add pgoff to disambiguate multiple mappings on same object.
PiperOrigin-RevId: 391520785
Change-Id: Icb05e60f778acfb9fe6f519911ce54bec65fc4ff
2021-08-18 07:14:31 -07:00
Wiktor Garbacz
59f5fa8042 Allow collecting stacktraces on normal process exit
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.

PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
2021-08-16 03:13:15 -07:00
Sandboxed API Team
7b31deaed8 Delete deprecated sapi::Sandbox::IsActive and its remaining call sites.
PiperOrigin-RevId: 390412024
Change-Id: Iab3853b3c40dd4e9b0ff31532e8c41c2583ebc4e
2021-08-12 11:00:51 -07:00
Sandboxed API Team
dae91ff082 Fix Symbolize* tests.
PiperOrigin-RevId: 390372065
Change-Id: I1ddc9dd9238795eb0674e04c20a5c91a68582027
2021-08-12 08:03:52 -07:00
Sandboxed API Team
d631154ce5 Delete deprecated sapi::Sandbox::GetRpcChannel and its remaining call sites.
PiperOrigin-RevId: 389968873
Change-Id: Ia72e0064fa57679180f9c406f96266473f8461c2
2021-08-10 13:50:15 -07:00
Wiktor Garbacz
773dc6b18b Do not fail-hard in global forkserver startup
PiperOrigin-RevId: 389816114
Change-Id: Icd672028ff224cf01095d6590fe1cc2adb312316
2021-08-10 00:33:29 -07:00
Sandboxed API Team
165c155a08 Delete deprecated sapi::Sandbox::GetComms and its remaining call sites.
PiperOrigin-RevId: 389716023
Change-Id: I092bc37f3f3bb40554b627f9dd528525b60d67a1
2021-08-09 13:49:45 -07:00
Sandboxed API Team
3f0875798d Delete deprecated sapi::Sandbox::GetPid and its remaining call sites.
PiperOrigin-RevId: 389713115
Change-Id: I1832e759016a581e10bf5bd8b5b70244b40ecd69
2021-08-09 13:36:15 -07:00
Wiktor Garbacz
0621e06a9c Allow recovering from global forkserver failure
PiperOrigin-RevId: 389164847
Change-Id: I40bc3b6d3bea28ee8954ea2a11a0427a6c05da35
2021-08-06 06:54:05 -07:00
Wiktor Garbacz
fe709502f4 Wait for global forkserver when shutting it down
Otherwise starting forkserver multiple times will result in zombie processes lingering around.

PiperOrigin-RevId: 388926497
Change-Id: Ia9947cce3d9e909edd709b0d3525e1ae8b8bbc51
2021-08-05 07:07:35 -07:00
Wiktor Garbacz
e88755256d Use FDCloser in Executor extensively
Also really own `exec_fd_` as previously if the executor is destructed without calling `StartSubProcess` the file descriptor would leak.

PiperOrigin-RevId: 388901766
Change-Id: I6bbb15ced37a0a832ec5a5228452a3d54ef46ee9
2021-08-05 04:16:11 -07:00
Wiktor Garbacz
80ad7bb2b0 Replace a CHECK with a warning
PiperOrigin-RevId: 388893117
Change-Id: I0b0ccf2045aea09d31ae1605b205aab456bd8550
2021-08-05 03:03:24 -07:00
Christian Blichmann
8b1dfd7343 Fix factory method sapi:✌️:Proto<>::FromMessage
This was missing a friend declaration in order to actually compile.
It's now being used in the "stringop" example, so we test it as well.

Drive-by:
- Do not copy the proto's bytes the constructor, but use `std::move`
PiperOrigin-RevId: 387774353
Change-Id: Ic8824af911ac744e2e68130e1f4673c4dddd4939
2021-07-30 03:55:17 -07:00
Christian Blichmann
fd20eb0b4d Reorder error logging before Terminate()
Calling `Terminate()` issues additional syscalls that may clobber the `errno`
value. Reordering the log statements ensures we actually log the initial error
in `read()`/`write()`.

PiperOrigin-RevId: 387576942
Change-Id: I0f9c8c6001e6dc4ca098abe02cd251029f92a737
2021-07-29 07:12:02 -07:00
Christian Blichmann
f14aeee0ad Internal change.
PiperOrigin-RevId: 387565158
Change-Id: I7b5293b614fae74abae1f9a347b0ef414028b8ea
2021-07-29 05:52:19 -07:00
Christian Blichmann
85c58dc2d7 Reduce logspam: Log Tomoyo LSM check only with VLOG
PiperOrigin-RevId: 387114844
Change-Id: Ib670799e3327fcc991ad012ccee20b96089c2f48
2021-07-27 08:32:10 -07:00
Christian Blichmann
ccd7b03026 Introduce sapi::OsErrorMessage() for error handling
This should make handling OS error less repetetive.

PiperOrigin-RevId: 387074642
Change-Id: I09b8c5e37e7f7b08341e22ba01ccda21a916a4bc
2021-07-27 04:10:04 -07:00
Paul Wankadia
bb6ae1d4ab Introduce AllowRestartableSequencesWithProcFiles() and tidy up.
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that
get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs
there are. Unfortunately, some of those sandboxes also disable namespaces. The
solution is to provide two functions: AllowRestartableSequencesWithProcFiles(),
which allows syscalls and files; and AllowRestartableSequences(), which allows
syscalls only. Sandboxes should usually call the former; sandboxes that disable
namespaces should instead call the latter and are responsible for allowing the
files via the deprecated Fs mechanism.

2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags.

3. Order the code and the comments identically for better readability.

PiperOrigin-RevId: 386414028
Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
2021-07-23 02:23:22 -07:00
Christian Blichmann
9c21744460 Revert memfd file sealing for embeded files
Ideally, we'd seal the embedded SAPI binary using fcntl(). However, in rare
cases, adding the file seals `F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW |
F_SEAL_WRITE` results in `EBUSY` errors.

This is likely because of an interaction of `SEAL_WRITE` with pending writes
to the mapped memory region (see `memfd_wait_for_pins()` in Linux'
`mm/memfd.c`). Since `fsync()` is a no-op on memfds, it doesn't help to
ameliorate the problem.

On systems where it is enabled, ksmd might also be a source of pending writes.

PiperOrigin-RevId: 385741435
Change-Id: I21bd6a9039be4b6298774e837ce3628180ed91a8
2021-07-20 02:29:21 -07:00
Christian Blichmann
7b711b85e8 Rename static singleton accessor
PiperOrigin-RevId: 384699374
Change-Id: I674baffc77bc6b3815f94512058a14d37d164c6f
2021-07-14 08:00:59 -07:00
Wiktor Garbacz
34c7be759a Another round of file descriptor handling fixes
PiperOrigin-RevId: 384646707
Change-Id: Ia1b51a348bcb2a1426ba26a4ed045b0522168745
2021-07-14 01:33:34 -07:00
Christian Blichmann
5267d14248 Take a vector in Policy::AllowUnsafeKeepCapabilities()
The existing function signature took a `unique_ptr<>` owning a vector, and
took `nullptr` to mean an empty set of capabilities. This is more naturally
modeled by taking the vector directly and `std::move`-ing it.

PiperOrigin-RevId: 384214849
Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
2021-07-12 05:43:21 -07:00
Christian Blichmann
002cb9ae01 More efficient fork request handling and #Cleanup
- Assign to `*mutable_XXX()` instead of looping
- Use a const ref for capabilities

PiperOrigin-RevId: 384192675
Change-Id: I4db3d0c8ce0d7f6acc9fd486a2409962516b5fe7
2021-07-12 02:37:42 -07:00
Paul Wankadia
372b8e2696 Fix constant name in log message
PiperOrigin-RevId: 384187707
Change-Id: I3d322f6d00fa63fc7a2b33f8c7844c4291e4fef1
2021-07-12 01:56:42 -07:00
Christian Blichmann
a290ffc8bc Seal memfd in embed_file.cc
PiperOrigin-RevId: 383358851
Change-Id: I839a9b816f9c7f486908fbccdc3ecd621bd1c402
2021-07-07 00:58:57 -07:00
Wiktor Garbacz
424c543eb7 Automated rollback of commit 4a38f59728.
PiperOrigin-RevId: 381815277
Change-Id: I344c9bb1a505cc0a0dcf7e9ff979c172c484d963
2021-06-28 02:03:06 -07:00
Wiktor Garbacz
fe2ee5dfac Do not expose stack_trace.h in public API
PiperOrigin-RevId: 381412175
Change-Id: I30729c5af378c358e6400e4b7366d435518ae7d7
2021-06-25 00:03:54 -07:00
Wiktor Garbacz
fe08d724e4 Simplify the dup fix and add better error handling
Original fix might fail if RLIMIT_NOFILE is set to 1024.

PiperOrigin-RevId: 381034115
Change-Id: I39e33a90083533cf85eb04072604665c299b861f
2021-06-23 08:14:01 -07:00
Sandboxed API Team
4a38f59728 Automated rollback of commit a850aa44d2.
PiperOrigin-RevId: 380897565
Change-Id: Iacc50697a5ff25b79272a1549291bbf32152d3f6
2021-06-22 14:50:33 -07:00
Wiktor Garbacz
0ec4f07f96 Fix rare failure while starting the global forkserver
This bug only manifests if a lot of fds are open when global forkserver is started.
If the allocated exec_fd number was equal Comms::kSandbox2ClientCommsFD then it would be replaced by the comms fd and result in EACCESS at execveat.

PiperOrigin-RevId: 380805414
Change-Id: I31427fa929abfc60890477b55790cc14c749f7f5
2021-06-22 07:48:58 -07:00
Wiktor Garbacz
a850aa44d2 Better error handling in stacktraces
PiperOrigin-RevId: 380789060
Change-Id: I655428fd45bf305f787b75cc925d31c6ab60c074
2021-06-22 05:52:15 -07:00
Wiktor Garbacz
e5cfce71a3 Add new x86-64 syscalls
PiperOrigin-RevId: 377460610
Change-Id: I06833ca7fcc88447ed482e9e6914b9113781a114
2021-06-04 01:01:34 -07:00
Wiktor Garbacz
e87a052e61 Fix restarting global forkserver
PiperOrigin-RevId: 376643949
Change-Id: I5811e8b8a9f5e74cab21d021c8e83b2a4b91818a
2021-05-31 02:19:28 -07:00
Sandboxed API Team
aa568597b0 Add rt_sigprocmask to AllowLogForwarding
PiperOrigin-RevId: 376142747
Change-Id: I6470a6eea8a4e85b0921de6dc332097a6c9440a4
2021-05-27 04:40:28 -07:00
Christian Blichmann
d73f80cfa5 Enable AArch64 syscalls in examples
PiperOrigin-RevId: 375923215
Change-Id: I9523a074579975379b1a9d4644497268781499e1
2021-05-26 05:47:37 -07:00
Sandboxed API Team
f159359f65 Automated rollback of commit 5bb161b0db.
PiperOrigin-RevId: 375047066
Change-Id: I09ce8aafa92337c79a61f0f757ec66be2b2cefdc
2021-05-21 02:59:34 -07:00
Sandboxed API Team
5bb161b0db Automated rollback of commit e97ecfb955.
PiperOrigin-RevId: 375044368
Change-Id: Ib8bcf5d67e70fb37ef330c1433056343674a9f14
2021-05-21 02:38:05 -07:00
Christian Blichmann
e97ecfb955 Internal change
PiperOrigin-RevId: 375038366
Change-Id: I9180c2dc544d5ba12a73a67f5613e0c44e962505
2021-05-21 01:44:47 -07:00
Christian Blichmann
ab469deac3 Internal change
PiperOrigin-RevId: 374874118
Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63
2021-05-20 08:17:10 -07:00
Wiktor Garbacz
78d749380b Fix a data race in Comms
PiperOrigin-RevId: 374397564
Change-Id: I630a7587242b7b25364aa66158d86d53aff5c343
2021-05-18 05:48:54 -07:00
Wiktor Garbacz
a986278550 Raw logging should not allocate memory
PiperOrigin-RevId: 374396461
Change-Id: I709103c7834d4803a26a0b292f342a3d629d332c
2021-05-18 05:37:38 -07:00
Christian Blichmann
2d3a040f64 Minor cleanup/formatting changes
PiperOrigin-RevId: 374164136
Change-Id: I505cbc3ac9f899ed965cde66aaae1aba55a90c64
2021-05-17 04:07:08 -07:00
Christian Blichmann
ca6ec4337d Add workaround for active Tomoyo LSM
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
Christian Blichmann
5c7903ecd9 Check for either violate() or ViolateIndirect() in stack trace
Depending on architecture and optimization level, the compiler may choose to
not generate full stack frames, even with no-inline and no tail-call
attributes.

PiperOrigin-RevId: 372339987
Change-Id: I42043131bbb6092ff234e80ae9047f7a2bf31161
2021-05-06 07:36:13 -07:00
Christian Blichmann
0750216bc1 Make stack trace test more resilient against optimizer
This fixes tests for PPC, where the tail-call optimization would consistently
remove 'violate()' from the stack trace.

PiperOrigin-RevId: 371103794
Change-Id: Ifb1a7d588a455041a6b0f3c763276ed44de47e60
2021-04-29 06:01:24 -07:00
Christian Blichmann
00a7cc5a33 Use sapi::file::GetContents() and light Mini-ELF refactoring
Plus some style fixes.

PiperOrigin-RevId: 370901533
Change-Id: If4f9d7c3157fdfc2ca4302b06cd95e96e7a8ebdd
2021-04-28 07:49:17 -07:00
Christian Blichmann
08e1e733a0 Update third-party dependencies
Also include-what-you-use the `signal.h` header.

PiperOrigin-RevId: 370433834
Change-Id: I934fe6fbf65091e365127db0fc4544499720841c
2021-04-26 05:00:30 -07:00