StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity
99 Commits 1 Branch 3 Tags 144 MiB
4d891de31b
Commit Graph

86 Commits

Author SHA1 Message Date
Christian Blichmann
4d891de31b Internal change 
PiperOrigin-RevId: 252609329
Change-Id: I46a05641456144e7967e01905c60e18aef164b3f
 2019-06-11 06:49:45 -07:00
Sandboxed API Team
970257d87b Allow two madvise calls for asan & tsan builds. 
bbfa21f177/lib/sanitizer_common/sanitizer_posix_libcdep.cc (L71)

PiperOrigin-RevId: 252048323
Change-Id: I457e708f0b024fd9db4ad39265cb904777ca52b5
 2019-06-07 07:53:10 -07:00
Christian Blichmann
dfbfb5cc43 Add CMake builds for the examples 
PiperOrigin-RevId: 252045309
Change-Id: I57ffc3debbe64010b1f20b2e6df900b9916fa37f
 2019-06-07 07:27:33 -07:00
Christian Blichmann
f2c7f976cf Add minimal Bazel CI config 
PiperOrigin-RevId: 252043934
Change-Id: I29222d770c44522b21560bb736b1f5fd55cb0da0
 2019-06-07 07:14:07 -07:00
Christian Blichmann
24c3e34344 Implement a GetDataDependencyFilepath() for CMake (non-Bazel really). 
This code assumes, like Bazel's runfiles that the data dependency to access
exists in the same sub-tree as the binary:

WORKSPACE
+- sandboxed_api/sandbox2/examples/crc4
                                   +- crc4bin
                                   +- crc4sandbox

The code requires the directory structure to exist, so that in the example
above, crc4sandbox can use
  GetDataDependencyFilepath("sandboxed_api/sandbox2/examples/crc4/crc4bin")

regardless of how it was called.

PiperOrigin-RevId: 251834480
Change-Id: I6470b62ce9b403297116481a0c17c070992f2e81
 2019-06-06 05:44:32 -07:00
Christian Blichmann
9b78e331fa Use newer gflags namespace for command-line flags 
PiperOrigin-RevId: 251639941
Change-Id: I3037ce9510a3bc62cf5c899c64f2e7d344a8b4ee
 2019-06-05 07:39:38 -07:00
Sandboxed API Team
1b2b83676b Internal Change 
PiperOrigin-RevId: 251637952
Change-Id: I532201ec1ba16a4cae71c671ffe2bd34e13a5391
 2019-06-05 07:24:16 -07:00
Christian Blichmann
ffd4e1270a Internal change 
PiperOrigin-RevId: 251590551
Change-Id: Ic69f8f5f798006c0d096357b7a746cdc4ce530a3
 2019-06-05 00:26:14 -07:00
Christian Blichmann
a3b0949949 Internal change 
PiperOrigin-RevId: 251411359
Change-Id: Ifbed8afa72d130ae803ed71a6a43ac3c9d8755f9
 2019-06-04 04:07:21 -07:00
Christian Blichmann
719cd24933 Fix sandbox2 tests when run with CTest 
This test runs, but fails due to a different problem:
  StackTraceTest.ForkEnterNsLibunwindDoesNotLeakFDs

PiperOrigin-RevId: 251218516
Change-Id: If06cdbcb71fad84ebd9d934ff173d7ef1a1eebc0
 2019-06-03 06:27:59 -07:00
Sandboxed API Team
dd2a84b980 Clarify behavior of Buffer::CreateFromFd 
PiperOrigin-RevId: 250834142
Change-Id: I7aac739c9b590adc0599926e3246bc87e21d951a
 2019-05-30 23:50:54 -07:00
Sandboxed API Team
6666f41ba2 Fix unnecessary unique_ptr in LogServer. 
PiperOrigin-RevId: 250050562
Change-Id: I6840e68504c741de1e66489279237f4a4a6bc533
 2019-05-26 08:47:38 -07:00
Wiktor Garbacz
08ff939ea7 Call DisableNamespaces where needed 
PiperOrigin-RevId: 249637351
Change-Id: I5105d89ea0e8cfb2fca1e5ac342fa67e9caac930
 2019-05-23 07:21:03 -07:00
Wiktor Garbacz
85059ef40d Add DisableNamespaces to PolicyBuilder 
Currently mostly no-op, but this is the first step to turn namespaces on
by default.

PiperOrigin-RevId: 249439158
Change-Id: I5eeb1216dc868c660f62ad50c34f626afbf7db61
 2019-05-22 06:54:12 -07:00
Wiktor Garbacz
71a317e65f Do not emit an error on ESRCH in PTRACE_CONT 
Process might be killed between waitpid and PTRACE_CONT,
even though a PTRACE_EVENT_EXIT will be gererated, continuing
will fail with ESRCH in that case.

PiperOrigin-RevId: 249245726
Change-Id: Ib673529229a306d2266fa60caa3039b6bcd80a65
 2019-05-21 07:30:56 -07:00
Wiktor Garbacz
15993a34e2 Log stack traces with INFO instead of ERROR 
PiperOrigin-RevId: 249035379
Change-Id: Ie62366f45f29741ee0c8b25369d0bb169275ccfd
 2019-05-20 06:16:50 -07:00
Wiktor Garbacz
207b2d9a95 Remove stale comment 
PiperOrigin-RevId: 248715509
Change-Id: I7aa3f4388920e39a79ac349890de403ac3384504
 2019-05-17 07:21:31 -07:00
Wiktor Garbacz
34d17b77ac Remove dead code 
IPC always creates comms object from a fd.

PiperOrigin-RevId: 248683525
Change-Id: Ib4285ec0494d551257237c12f92f983b943205cb
 2019-05-17 02:02:03 -07:00
Wiktor Garbacz
8678af23d0 Extract GetRlimitName into util 
PiperOrigin-RevId: 248682931
Change-Id: I702533a8d36465de956a1a90a40c634434b7a671
 2019-05-17 01:55:35 -07:00
Wiktor Garbacz
6e1c3c3055 Fix prlimit error message 
PiperOrigin-RevId: 248491089
Change-Id: Id4116939d02b6a592c74218955675acf2e3c70fe
 2019-05-16 02:24:59 -07:00
Wiktor Garbacz
7294e9976e Replace custom synchronization with absl::Notification 
PiperOrigin-RevId: 248334969
Change-Id: I7614a3792babd399912c5d5a167ab5e0a0574d20
 2019-05-15 08:09:56 -07:00
Wiktor Garbacz
42761c8b72 Add a resource starvation test 
PiperOrigin-RevId: 248334209
Change-Id: Iff0f0b3024c67a767c429a547695cc48a2d02a30
 2019-05-15 08:04:58 -07:00
Wiktor Garbacz
6588aa2a68 Reintroduce monitor changes. 
Signal handling in Monitor::MainLoop was fixed.

PiperOrigin-RevId: 248331692
Change-Id: I0f85d319802258632d2074742c53597bb922555a
 2019-05-15 07:46:49 -07:00
Sandboxed API Team
d8f7d861d2 Log the progress of dynamic libraries being resolved while creating a sandboxee's virtual FS chroot. This provides valuable insight while debugging problems with dynamically linked sandoxed binaries. 
PiperOrigin-RevId: 247625021
Change-Id: I9bf77af7410deb8766fd49910c8564e148020601
 2019-05-10 09:41:07 -07:00
Christian Blichmann
5f3c7171b7 Use Abseil's flag library released in aa468ad75539619b47979911297efbb629c52e44 
PiperOrigin-RevId: 247424939
Change-Id: I22a4696f705f9dcfa7394b329c78bd126f42bd16
 2019-05-09 07:57:55 -07:00
Christian Blichmann
7800fd7402 Disable compiler warnings for consistency with internal settings. 
PiperOrigin-RevId: 247405215
Change-Id: I236170f7b47d9ecd32324db907ef7afc2e797d9a
 2019-05-09 05:21:34 -07:00
Sandboxed API Team
63f0adbfbb Revert of monitor code update. 
PiperOrigin-RevId: 247255592
Change-Id: I3656ea1628418321b1b8b02660b6a51a58c2c61f
 2019-05-08 11:34:26 -07:00
Wiktor Garbacz
3f5360a7bc Simplify monitor code. 
Make setting result code the condition for main loop exit.

PiperOrigin-RevId: 247218505
Change-Id: I8699012683bc301e8a9f4f41cd5ab018e3cd514c
 2019-05-08 08:34:56 -07:00
Christian Blichmann
a412383d61 Fix build failure with Bazel v0.25.0+ (#25) 
PiperOrigin-RevId: 247206409
Change-Id: Ic6d4d1fea42ea5746613d3ef3de67f61e72848a6
 2019-05-08 07:07:29 -07:00
Sandboxed API Team
f29a5a81ed Print final FS mounts in sandboxee's chroot 
After all requested filesystem mounts are fully mounted under a sandboxee's virtual chroot, print a list of the outside paths and a list of the inside chroot paths that the outside paths are mapped to. This provides a valuable insight while debugging sandboxed binaries.

PiperOrigin-RevId: 247130923
Change-Id: I42b4b3db68d826587c0fe8127aabbead38bc6f20
 2019-05-07 18:30:13 -07:00
Christian Blichmann
6bfa83befe CMake support for Sandbox2 
- Add a superbuild in cmake/SuperBuild.cmake that downloads and builds
  dependencies
- Builds for sandbox2/ and a its tests
- Helper CMake function to strip proto paths
- Module to find libcap
- Custom build for libunwind that wraps its symbols
- Fix environment so that CTest executes tests similar to Bazel
- Filewrapper functionality, like Bazel's cc_embed_data()
- Build forkserver with embedded binary
- Enable ASM language so that libunwind builds correctly
- Allow glog target to propagate transitively (to propagate its include dirs)

Signed-off-by: Christian Blichmann <cblichmann@google.com>
 2019-05-06 14:03:29 +02:00
Christian Blichmann
7753cded13 Replace non-alphanumeric, non-underscore characters in filewrapper 
PiperOrigin-RevId: 246320238
Change-Id: I08454dc19b6227e4ce2c1b7677b916706e7be5a5
 2019-05-02 08:11:50 -07:00
Wiktor Garbacz
64cfb949f4 Internal change 
PiperOrigin-RevId: 245410078
Change-Id: I9ef7680885927b23734c02e063a617c9dbc3b856
 2019-05-02 05:21:32 -07:00
Wiktor Garbacz
3a2829bafc Fix minielf test 
PiperOrigin-RevId: 245409987
Change-Id: I5c728f012776105b7070e88d77bba27a205d56f1
 2019-04-26 06:22:31 -07:00
Wiktor Garbacz
e8ef753821 Internal change 
PiperOrigin-RevId: 245409914
Change-Id: I20f23a997e09ce4cc2fe9353ac6f341a641e2263
 2019-04-26 06:20:43 -07:00
Wiktor Garbacz
b1aa95fcde Internal change 
PiperOrigin-RevId: 245409846
Change-Id: Ic9f398146a4c0d72592f5bb7b46a01333303ba12
 2019-04-26 06:20:05 -07:00
Wiktor Garbacz
523620f8ab Internal change 
PiperOrigin-RevId: 245409785
Change-Id: I37b1611bed459522803fa1e49c4252d2cad80076
 2019-04-26 06:18:59 -07:00
Wiktor Garbacz
5e645a9190 Fix build 
PiperOrigin-RevId: 245400890
Change-Id: I899ef49edd8e371b8714478fa3c911cfb771419b
 2019-04-26 04:42:52 -07:00
Sandboxed API Team
f3c9c6e388 Internal change 
PiperOrigin-RevId: 245377524
Change-Id: If41601b2d68c6ff0f7d3f37811aac62c32441d1f
 2019-04-26 00:46:11 -07:00
Sandboxed API Team
afec50fdb5 automated internal change 
PiperOrigin-RevId: 245070237
Change-Id: Ib6b0d9201f8b603e185eb91c1bc9f500f1af1ed6
 2019-04-24 10:31:13 -07:00
Christian Blichmann
feba2c35d7 Apply special whole-archive linker options only where necessary 
PiperOrigin-RevId: 245038294
Change-Id: I99367e7c982a340a88acf730619a467d34d53203
 2019-04-24 07:07:14 -07:00
Wiktor Garbacz
c6d16a58eb Internal change 
PiperOrigin-RevId: 244882748
Change-Id: I0342f445df8f60f864d3e7f56145051b821a86e0
 2019-04-23 10:47:34 -07:00
Wiktor Garbacz
53d85ab4f2 Internal change 
PiperOrigin-RevId: 244882228
Change-Id: I506b92326fa83f214b1e7fab6c5b2e0889f8b197
 2019-04-23 10:46:58 -07:00
Wiktor Garbacz
63006c1476 Internal change 
PiperOrigin-RevId: 244881751
Change-Id: I3f3200c4d85906058ac17ed941e69ea22d9a4090
 2019-04-23 10:42:14 -07:00
Wiktor Garbacz
0fd468be7c Internal change 
PiperOrigin-RevId: 244879634
Change-Id: Ifa63ef7b0cc10e87d18f17b85cce55af03cd37cf
 2019-04-23 10:31:51 -07:00
Wiktor Garbacz
6cbaaead8b Make StatusMatcher more flexible 
PiperOrigin-RevId: 244879203
Change-Id: I5f7994130a898e84f041b18c0b5313d7e8b32780
 2019-04-23 10:30:45 -07:00
Sandboxed API Team
726b1fb451 n/a 
PiperOrigin-RevId: 244836017
Change-Id: I034cfb1af4835256aa9b8b7ac3e80a341e9a9271
 2019-04-23 05:14:22 -07:00
Kevin Hamacher
8ad4fcd0a8 minielf: Increase maximum amount of symbols loaded 
PiperOrigin-RevId: 243775723
Change-Id: I5398ec23bd76be01c48c69bd4decb015a48386fc
 2019-04-16 03:00:28 -07:00
Kevin Hamacher
af44845246 Try to demangle c++ symbols when logging the stacktrace 
PiperOrigin-RevId: 243612828
Change-Id: I09c748da0c119ba2024b2906802858b5b9bcfeb0
 2019-04-15 07:37:23 -07:00
Chris Kennelly
d90b2c6328 Allow TCMalloc to access the rseq syscall. 
PiperOrigin-RevId: 243441655
Change-Id: I82918459c20f164b56cc0c5b621b004315a011ec
 2019-04-13 13:45:35 -07:00