Commit Graph

70 Commits

Author SHA1 Message Date
Wiktor Garbacz
56d11ae733 Client::PrepareEnvironment simplify by supporting just a single preserved fd
PiperOrigin-RevId: 558133382
Change-Id: I043985fcf331761b424ce720791711e5ea1f4fb9
2023-08-18 06:52:45 -07:00
Wiktor Garbacz
b258535161 Treat libunwind sandbox as a ~regular sandboxee
This removes dependency on unwind from forkserver,
which should reduce binary size for all the custom forkservers (also the SAPI generated ones).
Unwind was only ever used by the global forkserver anyhow

PiperOrigin-RevId: 557921074
Change-Id: Iea4904da0506fee5a00f970538f512cba7b02326
2023-08-17 13:32:44 -07:00
Wiktor Garbacz
77fbfa7f5f forkserver: use eventfd instead pipe for initial namespace creation
PiperOrigin-RevId: 557764601
Change-Id: I146c67bc6d4ba68f17c2117b1ca4d6bc71d30ffa
2023-08-17 03:02:19 -07:00
Wiktor Garbacz
7a57d32711 forkserver: Remove waitpid flag
It was superseded by sandboxee rusage when using unotify monitor

PiperOrigin-RevId: 557396642
Change-Id: I41f84149227f62d4b7727030f9359834a9b61dbc
2023-08-16 01:33:12 -07:00
Wiktor Garbacz
1c2596785b Clearer logs on execveat failures
Drive-by: remove redundant log prefix (PLOG prepends filename and line)
PiperOrigin-RevId: 557367980
Change-Id: Id7cc945969e0ae06a451ca3dd0f3e288402b9136
2023-08-15 23:30:44 -07:00
Kevin Hamacher
93c1423b15 sandbox2: Provide sandboxee rusage when using unotify monitor
PiperOrigin-RevId: 540841898
Change-Id: Icc635e107c138ac67e2b948eadbbcb4234f6c7f8
2023-06-16 04:37:18 -07:00
Wiktor Garbacz
6cd83d68de Fix deadlock in forkserver if setting ns fails
Also make sure we don't kill everything (with a `kill(-1, SIGKILL)`) if reading the pid fails.

PiperOrigin-RevId: 536371566
Change-Id: I17f6ae36b73ec43735709ff16d276abaebb00d44
2023-05-30 05:49:40 -07:00
Kevin Hamacher
fb1571c801 Automated rollback of commit f6fd27618b.
PiperOrigin-RevId: 529395980
Change-Id: I6a5d451ed84f8d4a522777815c6cc2d7d7a8923c
2023-05-04 06:53:48 -07:00
Sandboxed API Team
f6fd27618b Automated rollback of commit 8c53262539.
PiperOrigin-RevId: 529101664
Change-Id: Ica452c6ee8f54b78be09fa830a09d6a89800cf44
2023-05-03 08:45:11 -07:00
Kevin Hamacher
8c53262539 Allow forkserver to use waitpid as alternative to sa_nochldwait
PiperOrigin-RevId: 529074278
Change-Id: If63015586673610e111ee589995e5264523be7a7
2023-05-03 06:41:07 -07:00
Wiktor Garbacz
5efae5cdf5 Do not exit from within ForkServer to get more precise coverage data
PiperOrigin-RevId: 520273079
Change-Id: I3f37d9eacc2c284c45f37842e1e63364cf64faf2
2023-03-29 02:22:16 -07:00
Wiktor Garbacz
a4d602298b Dump coverage prior to execveat
PiperOrigin-RevId: 520002416
Change-Id: Ic792b0b71b8e7b2f00b669db9b6831acd8341c5c
2023-03-28 05:50:43 -07:00
Wiktor Garbacz
99931c2ad6 Move abort into ExecuteProcess and mark it noreturn
PiperOrigin-RevId: 518528953
Change-Id: Ieaa03af484188bb35f9734d69d987eabbdcc23ab
2023-03-22 04:07:10 -07:00
Wiktor Garbacz
a31584ff49 Add explicit cast to fix build error
PiperOrigin-RevId: 515263097
Change-Id: Ib5b6c28587be889b5e2ef8d013fa57cbb0d8ffd3
2023-03-09 01:03:36 -08:00
Wiktor Garbacz
0d3d5d4bcb Seccomp_unotify based monitor
Unotify based monitor should bring big performance wins
if the sandboxee heavily uses threading or signals.
Some of the features are not supported in that mode:
- execveat is always allowed instead of just the initial one
- stack traces are not collected on normal exit or if the process is terminated by signal

PiperOrigin-RevId: 515040101
Change-Id: Ia5574d34b4ff7e91e3601edb8c9cb913e011fbf6
2023-03-08 08:09:34 -08:00
Wiktor Garbacz
34b2f6bc90 Remove AllowUnsafeKeepCapabilities()
PiperOrigin-RevId: 506586347
Change-Id: I859a1f695ffbcf3b982a26df425c6b4e03c62da1
2023-02-02 04:47:02 -08:00
Wiktor Garbacz
2f64d3d925 stack_trace: pass fd to sandboxee's memory instead of using process_vm_readv
Libunwind sandbox no longer needs to join sandboxee's userns.
This cleans up a lot of special handling for the libunwind sandbox.

PiperOrigin-RevId: 503140778
Change-Id: I020ea3adda05ae6ff74137b668a5fa7509c138f8
2023-01-19 05:44:50 -08:00
Christian Blichmann
79b6784b82 #Cleanup: Consistently use std::make_unique
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
2022-10-12 05:23:42 -07:00
Wiktor Garbacz
cb8efdc270 Sandbox2: Graciously handle mapping over Comms/Exec fds
Try to move the affected FDs transparently to avoid conflict.

PiperOrigin-RevId: 480105375
Change-Id: I0cd093fce120505d1cd4a1d081b3c0e63bf0210a
2022-10-10 09:39:01 -07:00
Christian Blichmann
b9c2830ebc Use new sandbox2::Comms ctor for default connection params
This change allows Sandbox2 to change how the default FD for comms is chosen.

PiperOrigin-RevId: 479526309
Change-Id: I69add85a244bc0385eaa164ab0ea3b036503c6d3
2022-10-07 02:08:20 -07:00
Christian Blichmann
a60ff1a95c Remove OsErrorMessage in favor of Abseil's new ErrnoToStatus
#Cleanup

PiperOrigin-RevId: 443359044
Change-Id: I2b3e385a1846feac79edd28fcbf6e85b1429a44a
2022-04-21 06:15:38 -07:00
Oliver Kunz
206547591b Migrate forkserver.proto to proto3 syntax
PiperOrigin-RevId: 434458725
Change-Id: I277f76a1a5ebd3eed15c6b3f3e7f849bf6edacea
2022-03-14 07:28:23 -07:00
Wiktor Garbacz
50c55e8ac0 Provide clearer error message when global forkserver is chrooted
PiperOrigin-RevId: 433686276
Change-Id: Ieb01f9dcafdce7bcb548807169f429cc8a181e56
2022-03-10 01:32:55 -08:00
Wiktor Garbacz
20edaae54f Add an option to allow mount propagation
PiperOrigin-RevId: 433211924
Change-Id: I653f000d44de10b668b375fd2dfff3c668cbf673
2022-03-08 08:01:19 -08:00
Christian Blichmann
d451478e26 Change license link to HTTPS URL
PiperOrigin-RevId: 424811734
Change-Id: If5ea692edc56ddc9c99fd478673df41c0246e9cc
2022-01-28 01:39:09 -08:00
Wiktor Garbacz
ae9432bc03 Internal change
PiperOrigin-RevId: 423070471
Change-Id: I876ef8f1d2464383ac319e196c1ba64c46ea4201
2022-01-20 08:09:53 -08:00
Wiktor Garbacz
3f5184770d Introduce util::CharPtrArray with proper ownership semantics
Replace existing calls to VecStringToCharPtrArr

PiperOrigin-RevId: 417383812
Change-Id: Ibf9d878df5ada2cb3a0872f7ca7cab96c304a5c1
2021-12-20 05:08:12 -08:00
Kevin Hamacher
aea8bb2ed0 Automated rollback of commit 2036f5b2f0.
PiperOrigin-RevId: 395893427
Change-Id: Iabd32de9cd83de5cc8567834e1f91e48c521ac60
2021-09-10 03:34:44 -07:00
Sandboxed API Team
2036f5b2f0 Automated rollback of commit 4b018757c3.
PiperOrigin-RevId: 395067992
Change-Id: I5db335ed881aa81748a0fc8082091b160fe83e86
2021-09-06 04:07:11 -07:00
Kevin Hamacher
4b018757c3 Use absl::flat_hash_set + Status in favor of std::set in the sanitizer API
PiperOrigin-RevId: 395061068
Change-Id: I31548eb6fc9f27f55acf25bd6d3d0b941a529e63
2021-09-06 03:15:39 -07:00
Kevin Hamacher
eb2c5a66f4 Rework GetListOfFDs API
PiperOrigin-RevId: 395043959
Change-Id: I77ce13f0c786d3644971ed239f3106319667e979
2021-09-06 01:01:19 -07:00
Christian Blichmann
ccd7b03026 Introduce sapi::OsErrorMessage() for error handling
This should make handling OS error less repetetive.

PiperOrigin-RevId: 387074642
Change-Id: I09b8c5e37e7f7b08341e22ba01ccda21a916a4bc
2021-07-27 04:10:04 -07:00
Wiktor Garbacz
34c7be759a Another round of file descriptor handling fixes
PiperOrigin-RevId: 384646707
Change-Id: Ia1b51a348bcb2a1426ba26a4ed045b0522168745
2021-07-14 01:33:34 -07:00
Christian Blichmann
2d3a040f64 Minor cleanup/formatting changes
PiperOrigin-RevId: 374164136
Change-Id: I505cbc3ac9f899ed965cde66aaae1aba55a90c64
2021-05-17 04:07:08 -07:00
Christian Blichmann
ca6ec4337d Add workaround for active Tomoyo LSM
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
Christian Blichmann
dbaf95c724 Move utility code into sandboxed_api/util
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.

Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.

PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
2021-01-13 09:25:52 -08:00
Christian Blichmann
c3ac45be3e Reimplement raw logging to avoid Abseil internals
The defined raw logging macros should be compatible with Abseil and
we can remove our version once Abseil releases theirs.

PiperOrigin-RevId: 347354273
Change-Id: I178a89cfd2e19bcd707a06fa9dfd7b767e2b654b
2020-12-14 03:34:02 -08:00
Wiktor Garbacz
f8a2729c32 Start global fork-server on demand
Allow disabling global fork-server with a flag.

PiperOrigin-RevId: 340860588
Change-Id: I184603dc3a81eb90f715053e14fb3b8d66a6f104
2020-11-05 08:48:03 -08:00
Sandboxed API Team
23da55c19a Internal BUILD refactoring
PiperOrigin-RevId: 329720214
Change-Id: I25fbb94dea17db3bdca6438d17508fa304d9706f
2020-09-03 07:40:33 -07:00
Wiktor Garbacz
c53f2a900f Automated rollback of commit e7a195ce42.
PiperOrigin-RevId: 328918626
Change-Id: Iabe93ec7062ea6e750e4185e2b0b672a37111ee7
2020-08-28 04:49:41 -07:00
Sandboxed API Team
e7a195ce42 Automated rollback of commit 82c56775ef.
PiperOrigin-RevId: 328340042
Change-Id: Ib225f8012fb373c74e3f1b3e6201b2daca7da40b
2020-08-25 09:01:22 -07:00
Wiktor Garbacz
82c56775ef StatusOr cleanups
PiperOrigin-RevId: 328318284
Change-Id: I207570c0fee6797dbc8995d36ef2130b0bff28fa
2020-08-25 06:22:05 -07:00
Wiktor Garbacz
f7d3f442df Extract ForkClient to a separate target
PiperOrigin-RevId: 321757582
Change-Id: I48b89ab4e4b1d87dd9444874de5bf5bd2526531a
2020-07-17 04:54:54 -07:00
Wiktor Garbacz
e9f7293e21 Fix ptrace_hook dependency graph
PiperOrigin-RevId: 321748143
Change-Id: Idb453054b78e932ce13c5f44f7d408cc0f9c31f2
2020-07-17 03:20:43 -07:00
Chris Kennelly
63a8b3ff15 Refactoring for internal change
PiperOrigin-RevId: 320612442
Change-Id: I65729ac5d83c76dac047a47f866b7ad4af3c56c1
2020-07-10 09:01:49 -07:00
Wiktor Garbacz
6008dc6db4 Reduce dependencies on libcap
PiperOrigin-RevId: 319228803
Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
2020-07-01 08:23:46 -07:00
Wiktor Garbacz
0d375e69e1 Remove abort from ExecuteProcess
Otherwise ExecuteProcess is implicitly `[[noreturn]]` and this
might cause policy violations in `__asan_handle_no_return`
for ASAN builds.

PiperOrigin-RevId: 319203128
Change-Id: I5c8ba71ce88261f803aa3f16730eccea0d803dd1
2020-07-01 04:54:29 -07:00
Christian Blichmann
496672c333 Cleanup calls to sapi::StatusOr<>::ValueOrDie()
PiperOrigin-RevId: 304398197
Change-Id: I85d09457a5e27f65c0792fe93aebbd8219801ef6
2020-04-02 07:42:45 -07:00
Christian Blichmann
f6c3db4c6e Replace sapi::Status with absl::Status
PiperOrigin-RevId: 297614681
Change-Id: I89fe1357a172ed4d28df6dd84b80fee364ce1c14
2020-02-27 09:24:12 -08:00
Christian Blichmann
5d81c822d8 Automated rollback of commit e56f562fe2.
PiperOrigin-RevId: 296178631
Change-Id: I0f871aeecd70e9d2f99c7d52d94c6043a1668325
2020-02-20 04:26:37 -08:00