Commit Graph

338 Commits

Author SHA1 Message Date
Wiktor Garbacz
83a08daff7 Change int64 to size_t in Buffer
PiperOrigin-RevId: 334802978
Change-Id: I7e421b1a6a98138139003cc4dc2a548ebe366e3e
2020-10-01 06:45:38 -07:00
Christian Blichmann
575f24f5df Internal change
PiperOrigin-RevId: 334569306
Change-Id: Ibf1b3a24b57b02ce1c5e6106e5331520dfdf7112
2020-10-01 06:45:25 -07:00
Maciej Szawłowski
d806e0df3b Deferred cursor.mangled_name access - on some versions of libclang this causes sigsegv when accessing certain cursor's mangled_name
PiperOrigin-RevId: 334360148
Change-Id: I27ef72b1938052d68b65f99d05d34dcb9f7433f8
2020-09-29 05:48:27 -07:00
Sandboxed API Team
376ca05c56 Allow sandboxes to specify custom notifiers.
PiperOrigin-RevId: 334154462
Change-Id: Ia62242913731ab017a9bf8733a77a647582af243
2020-09-28 07:38:30 -07:00
Christian Blichmann
88c980218f Build fixes for recent Bazel versions
We need to add the `oss-internship-2020` and `examples/hello_sapi`
directories to `.bazelignore`, so that `bazel build ...` works on a clean
working copy. This is because the Bazel builds in these directories use their
own `WORKSPACE.bazel` and this does not nest well, leading to all kinds of
hard to debug errors.

PiperOrigin-RevId: 333728800
Change-Id: Ie2e68dd39bf6f8eb21af29d8ae3ae12971b408db
2020-09-25 07:25:31 -07:00
Maciej Szawłowski
1b8e8aa757 Disallow empty sapi_embedded_dir flag in the header generator
Ignore cursors with types that are not implemented in python bindings

PiperOrigin-RevId: 333708345
Change-Id: I618a61c960247a9bdf89bc56dcac92e2d37b3220
2020-09-25 04:30:55 -07:00
Christian Blichmann
35f9268e23 Restructure the Clang based header generator
- Support multiple input files
- Better testability
- Support for the `--sapi_isystem` argument, same as the Python generator

PiperOrigin-RevId: 333686891
Change-Id: I3e618165c1bd58bb755e1193617fb0737c29ee77
2020-09-25 01:14:18 -07:00
Wiktor Garbacz
f91f843f50 Use size_t/uintptr_t instead of uintptr_t or uint64_t where appropriate
PiperOrigin-RevId: 332449107
Change-Id: I623c320c7f31bb73b92799dfbeb9a1e8ce0cdb3b
2020-09-18 07:45:03 -07:00
Wiktor Garbacz
c33f1fb03e Simplify casts
Drive-by: check for malloc failure in sapi:✌️:Array
PiperOrigin-RevId: 332446225
Change-Id: I375ea94845e04dffc3353d70737402daa66ae50a
2020-09-18 07:23:19 -07:00
Wiktor Garbacz
08a956a415 Use opaque void* instead of uint8_t* in Comms
PiperOrigin-RevId: 332441641
Change-Id: I09902e98726a0bd57b47d3454ddcb6ef05021d56
2020-09-18 06:48:57 -07:00
Wiktor Garbacz
9ffa5afba6 Remove unnecessary TLV struct
Drive-by: Zero-copy RecvString
PiperOrigin-RevId: 332412385
Change-Id: I169ffa78f016ec2d55c1a3677ea97beed095123c
2020-09-18 02:23:22 -07:00
Christian Blichmann
13c28403a6 Implement system include detection for CMake build
The Bazel build already queries the current toolchain for its system include
directories. This change brings feature parity and is necessary for systems
with unusual include locations.

PiperOrigin-RevId: 332195812
Change-Id: Ie81d614d21e90b4bd9edf2084ef80bf0d85dd750
2020-09-17 03:08:11 -07:00
Maciej Szawłowski
a68b851c2c Added TypeKind.CHAR_U handling in the generator.
PiperOrigin-RevId: 331988119
Change-Id: I8301c5041c32da185202ed34292e6a2988ecff46
2020-09-16 06:00:55 -07:00
Christian Blichmann
ed0086eb66 Fix dynamic binary startup on PPC and newer glibc (> 2.19)
This allows the `_llseek` syscall when it is defined.

PiperOrigin-RevId: 331498182
Change-Id: I2760b264e3a82000b38d278a9c280501a3dbc724
2020-09-14 01:18:33 -07:00
Christian Blichmann
21f7373e76 Initial changes to support AArch64
This is a work in progress:
- Syscall tables need work
- Only tested on real hardware using one of our test hosts

As a drive-by, this change also enables the open source version to function on
POWER.

Another side-effect of this change is that the default policies no longer
check for different host architectures at runtime. On x86_64, we do not need
to check for PPC or AArch64 specifice and vice versa.

PiperOrigin-RevId: 331137472
Change-Id: Ic6d6be5cbe61d83dbe13d5a0be036871754b2eb8
2020-09-11 06:34:27 -07:00
Christian Blichmann
c19949eb7b Use inclusive language
PiperOrigin-RevId: 331116936
Change-Id: I7084b24440a1c78c0d70030da900330f0b8d954f
2020-09-11 03:14:12 -07:00
Christian Blichmann
6a1e4b881c Introduce config header to centralize CPU architecture checks
This allows us to remove some uses of macros.

Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
  processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics

PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
2020-09-10 05:48:00 -07:00
Kevin Hamacher
1f8e88586b Log details when executor fails to open the sandboxee binary
PiperOrigin-RevId: 330680717
Change-Id: I4ec855861196177321783dc94f2e05a28e84d512
2020-09-09 02:12:29 -07:00
Sandboxed API Team
776e34502a Internal cleanup migrating StatusOr.
PiperOrigin-RevId: 330561315
Change-Id: Ie8d8857e7fa5819be3358b26425790ede97c99f8
2020-09-08 12:24:35 -07:00
Christian Blichmann
fdf0483ca0 Migrate to open-source absl::StatusOr<>
This removes our own fork of `absl::StatusOr<>`. Sandboxed API still includes
a custom matcher for Googletest, as that is not open source yet. For
compatibility, the `statusor.h` header is still retained and now aliases
`sapi::StatusOr<>` to `absl::StatusOr<>`.

PiperOrigin-RevId: 329916309
Change-Id: I0544b73a9e312dce499bc4128c28457e04ab9929
2020-09-03 07:40:48 -07:00
Sandboxed API Team
23da55c19a Internal BUILD refactoring
PiperOrigin-RevId: 329720214
Change-Id: I25fbb94dea17db3bdca6438d17508fa304d9706f
2020-09-03 07:40:33 -07:00
Sandboxed API Team
1c833d6f25 Internal cleanup migrating StatusOr.
PiperOrigin-RevId: 329304527
Change-Id: Id6c141272df54c4e165829d690f9f5b2e9ee90cc
2020-08-31 08:13:29 -07:00
Sandboxed API Team
cfac8eb2d9 Internal cleanup migrating StatusOr.
PiperOrigin-RevId: 329250595
Change-Id: I0447d8154a57b1132981b116f02b4d5bceedfd4c
2020-08-31 00:13:54 -07:00
Wiktor Garbacz
c53f2a900f Automated rollback of commit e7a195ce42.
PiperOrigin-RevId: 328918626
Change-Id: Iabe93ec7062ea6e750e4185e2b0b672a37111ee7
2020-08-28 04:49:41 -07:00
Sandboxed API Team
e7a195ce42 Automated rollback of commit 82c56775ef.
PiperOrigin-RevId: 328340042
Change-Id: Ib225f8012fb373c74e3f1b3e6201b2daca7da40b
2020-08-25 09:01:22 -07:00
Wiktor Garbacz
82c56775ef StatusOr cleanups
PiperOrigin-RevId: 328318284
Change-Id: I207570c0fee6797dbc8995d36ef2130b0bff28fa
2020-08-25 06:22:05 -07:00
Christian Blichmann
b76cb15f26 Rename accessors, move away from time_t API
- `GetPid()` -> `pid()`
- `GetRpcChannel()` -> `rpc_channel()`
- `IsActive()` -> `is_active()`
- Suggest `SetWallTimeLimit(time_t)` -> `SetWallTimeLimit(absl::Duration)`

In addition, remove the protected zero-argument contructor.

PiperOrigin-RevId: 325390292
Change-Id: Iba044ad5ce44e78c4064c0a09faaa4227c4d19a5
2020-08-07 00:30:28 -07:00
Christian Blichmann
11fd8ba330 Collect Bazel files into bzl_library targets
PiperOrigin-RevId: 325221214
Change-Id: Iab03b900e143b9b95bed151097abb59ac1e0f996
2020-08-06 06:53:44 -07:00
Sandboxed API Team
8633f22185 Increase limit on symbol table size and section size.
PiperOrigin-RevId: 325215228
Change-Id: I2e6ca131d92d86e7aa0d5cc37a3507dce03db25f
2020-08-06 06:04:14 -07:00
Christian Blichmann
833c9740aa Use absl::StrFormat() in Reg<T>::ToString()
PiperOrigin-RevId: 322528126
Change-Id: Ia5344e53366a8b3c11ec0dbba7cff8e4192a7605
2020-07-22 01:21:02 -07:00
Christian Blichmann
aaa3eded8f Rename SYNC_* constants to conform to style guide
PiperOrigin-RevId: 322137271
Change-Id: I03d7f2e4841f42e439359727a686d55f1b4ab081
2020-07-20 07:05:44 -07:00
Christian Blichmann
c7a27dd4b1 Modernize a few files
- Use default initialization
- Rely on `static_assert()` and use `if constexpr` when checking SAPI
  variable type
- Small style fixes

PiperOrigin-RevId: 322107281
Change-Id: I48cf43f354b60e31e6207552dbbfa16e3acd5615
2020-07-20 03:07:54 -07:00
Christian Blichmann
eb62bae167 Refactor stack trace handling
- Drop `delim` argument from the `GetStackTrace()` family of functions.
  We only ever used plain spaces.
- Use an `std::vector<std::string>` for the symbolized stack frames and
  adjust the unwind proto accordingly.

This change now prints each stack frame on its own line while skipping
duplicate ones:

```
I20200717 11:47:16.811381 3636246 monitor.cc:326] Stack trace: [
I20200717 11:47:16.811415 3636246 monitor.cc:337]   map:/lib/x86_64-linux-gnu/libc-2.30.so+0xceee7(0x7fb871602ee7)
I20200717 11:47:16.811420 3636246 monitor.cc:337]   Rot13File+0x130(0x55ed24615995)
I20200717 11:47:16.811424 3636246 monitor.cc:337]   ffi_call_unix64+0x55(0x55ed2461f2dd)
I20200717 11:47:16.811429 3636246 monitor.cc:337]   map:[stack]+0x1ec80(0x7ffee4257c80)
I20200717 11:47:16.811455 3636246 monitor.cc:339]   (last frame repeated 196 times)
I20200717 11:47:16.811460 3636246 monitor.cc:347] ]
```

PiperOrigin-RevId: 322089140
Change-Id: I05b0de2f4118fed90fe920c06bbd70ea0d1119e2
2020-07-20 00:24:40 -07:00
Wiktor Garbacz
f7d3f442df Extract ForkClient to a separate target
PiperOrigin-RevId: 321757582
Change-Id: I48b89ab4e4b1d87dd9444874de5bf5bd2526531a
2020-07-17 04:54:54 -07:00
Wiktor Garbacz
e9f7293e21 Fix ptrace_hook dependency graph
PiperOrigin-RevId: 321748143
Change-Id: Idb453054b78e932ce13c5f44f7d408cc0f9c31f2
2020-07-17 03:20:43 -07:00
Wiktor Garbacz
405cc00683 Workaround for issue#32
PiperOrigin-RevId: 321154163
Change-Id: Ida6defa3d5586b39e69e958524cee7579085826f
2020-07-14 07:28:16 -07:00
Christian Blichmann
b7d137721a Do not keep a reference to a temporary
PiperOrigin-RevId: 321117444
Change-Id: If6951058fcd32fe638f9241bef79181d6785e9cf
2020-07-14 01:42:05 -07:00
Christian Blichmann
1f1de9e229 Fix logging/display of syscall tables
Initializing `absl::Span`s like by assigning them from a temporary
array leaves them pointing to invalid data. Due to the way the linker
initializes these constant tables, _most_ of them will still be valid
_most_ of the time, leading to crashes when running sandboxees with the
`--sandbox2_danger_danger_permit_all_and_log` option.

PiperOrigin-RevId: 321112099
Change-Id: I891118da08cbb6000b3e2e275618bc4edaa1d020
2020-07-14 00:47:54 -07:00
Christian Blichmann
5f35b4fc8c Fix mix-up in main_zlib.cc
The example compresses from stdin to stdout, not vice versa.

PiperOrigin-RevId: 320941406
Change-Id: I41c7fed1b7f6306541567c0df46a8590844db69b
2020-07-13 06:12:35 -07:00
Chris Kennelly
63a8b3ff15 Refactoring for internal change
PiperOrigin-RevId: 320612442
Change-Id: I65729ac5d83c76dac047a47f866b7ad4af3c56c1
2020-07-10 09:01:49 -07:00
Christian Blichmann
c3861819bc Update Hello SAPI's WORKSPACE for newer Bazel versions
Bazel 3.x now requires specifying `commit`, `tag` or `branch` in its
`git_repository` rule.

PiperOrigin-RevId: 320572176
Change-Id: I81048d997f595202f4dfbd3c1e9c8321240a28a3
2020-07-10 02:50:00 -07:00
Sandboxed API Team
a602177943 Fix AllowLlvmSanitizers for Msan.
PiperOrigin-RevId: 319947612
Change-Id: I6485d8282381c4cb2be05e138e007ccbb3e5d956
2020-07-07 02:40:24 -07:00
Sandboxed API Team
228f3e7ed1 Migrate usage of StatusOr::operator bool to StautsOr::ok.
PiperOrigin-RevId: 319931897
Change-Id: I31b4bb71c7eeaf6687a499248bbfbb26c78b94ff
2020-07-07 00:14:07 -07:00
Sandboxed API Team
88e9dbf8d4 Allow Asan to get sigaltstack
Include sigaltstack into AllowHandleSignals

PiperOrigin-RevId: 319293484
Change-Id: I4d60715893bd07eff047d2bced1450a3cd29bcec
2020-07-01 14:09:03 -07:00
Wiktor Garbacz
6008dc6db4 Reduce dependencies on libcap
PiperOrigin-RevId: 319228803
Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
2020-07-01 08:23:46 -07:00
Wiktor Garbacz
0d375e69e1 Remove abort from ExecuteProcess
Otherwise ExecuteProcess is implicitly `[[noreturn]]` and this
might cause policy violations in `__asan_handle_no_return`
for ASAN builds.

PiperOrigin-RevId: 319203128
Change-Id: I5c8ba71ce88261f803aa3f16730eccea0d803dd1
2020-07-01 04:54:29 -07:00
Christian Blichmann
2ffea13759 Mark zlib as found when using SAPI CMake build
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-06-30 08:59:50 +02:00
Sandboxed API Team
5de6b84111 Internal change
PiperOrigin-RevId: 317068509
Change-Id: I268381ca50eabed88b189bf79ccc9313e5b7d9ae
2020-06-18 03:19:01 -07:00
Christian Blichmann
89e80d4c80 Internal change.
PiperOrigin-RevId: 316414698
Change-Id: Ib0d43bfc7c95a3029618b4ed758990f78cb25529
2020-06-15 00:59:33 -07:00
Copybara-Service
fdf5fd5854 Merge pull request #45 from cblichmann:20200609-include-guard-test
PiperOrigin-RevId: 315673526
Change-Id: If6efb2deb8dc0da8a10db26aec683c730ae2d97a
2020-06-10 05:34:35 -07:00
Christian Blichmann
c0c9d1dbf9 Copybara import of the project:
--
fd2e99fa87c34f2fb1a20052c030ad7a4139b4e1 by Christian Blichmann <mail@blichmann.eu>:

Support LLVM >= 7.0.1 in Clang based header generator

This change glosses over small API changes introduced since LLVM/Clang
7.0.1, which ships with Debian Stable "Buster". Ubuntu 18.04 LTS "Bionic"
also shipped this (and subsequently updated to version 9).

Hence, compiling the generator should now work on all reasonable Debian
based distributions.

COPYBARA_INTEGRATE_REVIEW=https://github.com/google/sandboxed-api/pull/44 from cblichmann:20200609-llvm-version-compat fd2e99fa87c34f2fb1a20052c030ad7a4139b4e1
PiperOrigin-RevId: 315637014
Change-Id: I6585041d8bebade15e44c057b1a69287bbc0e733
2020-06-09 23:32:03 -07:00
Christian Blichmann
b02061a3d2
Add scaffolding and first test for Clang-based generator
- Fix `GetIncludeGuard()` to always uppercase
2020-06-09 13:37:52 +02:00
Christian Blichmann
726cabe2f7 Fix up generated header include paths
The "hello_sapi" example lives in a different WORKSPACE as it is intended to
show how to embed SAPI in your own projects. However, this is not compatible
with simply running `bazel build //sandboxed_api/...` after checkout.

This change simply replace `copts = ["-I."]` with `includes = ["."]`, so that
generated headers can be found reliably, regardless of how the example is
compiled.

PiperOrigin-RevId: 313782756
Change-Id: Iac26e828146b01545c81d9500f5f68fa0f2d4ddf
2020-05-29 08:13:58 -07:00
Christian Blichmann
5aff251a92 Move filewrapper to tools directory
This decouples it from the underlying build system

PiperOrigin-RevId: 313764652
Change-Id: I64de2f8533d307567de297942a3d02d26b0839f4
2020-05-29 05:40:52 -07:00
Christian Blichmann
e76e73dfe8 Merge pull request #40 from cblichmann:clang-tool
PiperOrigin-RevId: 313577454
Change-Id: I4de93e1ffca003899ae3c7110ab3fd10f700907c
2020-05-28 16:01:09 +02:00
Christian Blichmann
507eb00a90
Add sandboxee embedding
- Implement `--sapi_embed_name` and `--sapi_embed_dir` flags
- Do not emit full AST-serialization for C++ classes
2020-05-15 17:03:25 +02:00
Christian Blichmann
143e539d79 First MVP of a LibTooling based SAPI header generator
- Extract dependent types directly from the Clang AST and re-serialize
  back into compilable code
- Collect types and emit diagnostics
- Format generated code

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-05-15 15:35:42 +02:00
Copybara-Service
dd4e81bccb Merge pull request #39 from cblichmann:master
PiperOrigin-RevId: 311518877
Change-Id: Ib29354cb55ed6289d0aa303189c12222b9f92ea8
2020-05-14 06:17:42 -07:00
Christian Blichmann
2c8c9a489a
Add external embedding example
This change contains a "hello world"-style example library to be
sandboxed. It consists of a stand-alone CMake and Bazel project that
uses Sandboxed API as its dependency.

To use Sandboxed API in an external project, it should be enough to
copy the files in the `sandboxed_api/examples/hello_sapi` directory
as a starting point.
2020-05-14 11:40:02 +02:00
Christian Blichmann
ba47adc21d Allow empty sapi_embedded_dir flag in the header generator
PiperOrigin-RevId: 311478848
Change-Id: If94d2279989b3cfc76304bb0bb8624e0f0532ba6
2020-05-13 23:49:25 -07:00
Christian Blichmann
d6b8e0b3e3 CMake: Fix inclusion and paths for external embedding
When using SAPI from an external project via CMake, the small zlib patch
cannot be found during the config phase.

This change also fixes an oversight in that the tests depend on some of
the example code.

Regardless embedding code should set `SAPI_ENABLE_EXAMPLES` to `OFF`.
Disabling tests by setting `SAPI_ENABLE_TESTS` to `OFF` stays optional.

PiperOrigin-RevId: 311290454
Change-Id: Ibe105895859b793b20f47c89b1a9e11cbfef2e2f
2020-05-13 02:09:33 -07:00
Christian Blichmann
6d97220e5c
Use common repository prefix everywhere
Build macros in earlier versions of Bazel (pre-1.0) needed to specify
targets in a different format, depending from where they were
included/expanded at build time.

For example, a `sapi_library()` macro invocation in one of the directories
under `examples`, always needed to depend on the SAPI main library as
`//sandboxed_api:sapi`. When using SAPI from another Bazel project, the
same macro would have needed to depend on
`@com_google_sandboxed_api//sandboxed_api:sapi`. The `sapi_library()`
macro was thus checking the repository name and conditionally changed
the dependencies. This approach is brittle and as of Bazel 3.1.0 no
longer works.

This CL simple removes the conditional prefix and unconditionally uses
`@com_google_sandboxed_api`.

Tested on Bazel 1.2.1, 2.2.0 and 3.1.0
2020-05-11 16:51:53 +02:00
Christian Blichmann
aafc597630 Add zlib as dependency for examples
Similar to what the Bazel build does, this change adds zlib as an additional
dependency when `SAPI_ENABLE_EXAMPLES` is set to `ON`.

PiperOrigin-RevId: 309203959
Change-Id: I201a9e6415789afb1e058bc48cebbc0fc0004fe9
2020-04-30 04:57:33 -07:00
Sandboxed API Team
79049b09c0 Add helper function for MADV_WIPEONFORK.
BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning.

PiperOrigin-RevId: 309173849
Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
2020-04-30 00:08:55 -07:00
Christian Blichmann
7ec20bd5d5 Update dependencies to latest versions
- Abseil (HEAD)
- Benchmark (HEAD)
- Google Flags (HEAD)
- Google Logging (HEAD)
- Google Test/Mock (HEAD)
- Protocol Buffers (3.11.4)

PiperOrigin-RevId: 309012925
Change-Id: I826846afb3f2c4e92180915796890fce6b5a1d6c
2020-04-29 06:45:44 -07:00
Christian Blichmann
8faccffbad Update StatusOr<> and tests
Fixes some template issues that could lead to code not compiling when it
otherwise should.

PiperOrigin-RevId: 308809964
Change-Id: I9f2f9d4aff5f1a9cb967fb705a86fd7f49114f7a
2020-04-28 06:12:58 -07:00
Christian Blichmann
a2e292792e Move .bazelrc to correct location next to WORKSPACE
PiperOrigin-RevId: 308792839
Change-Id: Id70f6bbd3ba2b8fe769eb1013a9310f00a300610
2020-04-28 03:17:28 -07:00
Christian Blichmann
dfc51704c0 Fix linker issue introduced in b2764c5
The underlying issue is with a Copybara transform and the internal Blaze BUILD file.

PiperOrigin-RevId: 308787839
Change-Id: I32af664b3eac4c925d39f50b967756198eff23f3
2020-04-28 02:30:47 -07:00
Sandboxed API Team
b2764c5937 Internal change.
PiperOrigin-RevId: 308273962
Change-Id: If41d229d37eda610eb4bf202e20dc4f5976f2333
2020-04-24 10:02:21 -07:00
Sandboxed API Team
f18f524100 Internal change.
PiperOrigin-RevId: 307871367
Change-Id: Iefae576ae58b88a72f0cd923b3e76ce560af6e58
2020-04-22 12:23:46 -07:00
Sandboxed API Team
9b85dc49c1 Split sanitizer.h into a separate library
PiperOrigin-RevId: 305327952
Change-Id: I6708729d379d019c3d299e9cb54b76338ced23bf
2020-04-07 13:26:51 -07:00
Christian Blichmann
496672c333 Cleanup calls to sapi::StatusOr<>::ValueOrDie()
PiperOrigin-RevId: 304398197
Change-Id: I85d09457a5e27f65c0792fe93aebbd8219801ef6
2020-04-02 07:42:45 -07:00
Christian Blichmann
2b2e7ac498 Bring sapi::StatusOr<> up to date with internal Abseil changes
Note: This intentionally omits perfect-forwarding value assignments. This
avoids overly complex template expressions. The regular assignments are still
efficient.
PiperOrigin-RevId: 304159053
Change-Id: I3460f46ca5779a0619cf90ae22625de8fad7669c
2020-04-01 04:40:38 -07:00
Sandboxed API Team
2fa0bf85f4 Fix an ODR violation
PiperOrigin-RevId: 303066199
Change-Id: I0cde5fce6f9538136b913edccc5a3195e0b4e503
2020-03-26 01:59:05 -07:00
Sandboxed API Team
22c6417307 Adding new build rule for sanitizer
PiperOrigin-RevId: 302687093
Change-Id: I090352c70df67e51eba79a618315b7ca9696bcfe
2020-03-24 09:54:49 -07:00
Kevin Hamacher
dadf55f647 Show a warning when tmpfs size is not specified
PiperOrigin-RevId: 302441519
Change-Id: Ia4130c9067f00ed48065ea3b4854c844e7b88f85
2020-03-23 08:44:28 -07:00
Christian Blichmann
57d374e667 Fix libffi configure directory in Bazel/CMake builds 2020-03-23 13:52:02 +01:00
Christian Blichmann
45d825b3b7 Merge branch 'master' of https://github.com/google/sandboxed-api 2020-03-22 16:47:41 +01:00
Christian Blichmann
0772d71264 Download libffi at CMake config time (fixes #35)
Drive-by:
- Make Bazel config action more robust
- Disable dependency tracking in libunwind configure

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-22 16:44:39 +01:00
Anna Sapek
4665335604 Use file::IsAbsolutePath consistently
PiperOrigin-RevId: 302073992
Change-Id: Ib3b9fbedc6e85a1abd87cbc683d8a8c3dc3daf87
2020-03-20 12:08:25 -07:00
Christian Blichmann
604b671d12 Internal change.
PiperOrigin-RevId: 301836978
Change-Id: Ic959f224701bf370294fdbbe3126edd01c615e2a
2020-03-19 09:58:28 -07:00
Christian Blichmann
69bdb54bf9 Update README, graphical assets
PiperOrigin-RevId: 301830652
Change-Id: I60a67c372869a30ff5ba575387d67700ffc20134
2020-03-19 09:27:42 -07:00
Christian Blichmann
f44cca6c98 Fix path to generated proto sources when embedding
When embedding SAPI in an external CMake project, the version of
`protobuf_generate_cpp` that we lifted from upstream protobuf produces
the wrong generated file paths.

For example, given this project structure:

```
/parent/
+-- myproject/
+-- myproject_build/  <- CMake build directory
+-- sandboxed-api/    <- Checkout from GitHub
```

And a CMake file in `myproject/CMakeLists.txt` that embeds SAPI like
this:

```
cmake_minimum_required(VERSION 3.12)
project(SandboxedTest LANGUAGES CXX)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

add_subdirectory(
  ${PROJECT_SOURCE_DIR}/../sandboxed-api
  ${PROJECT_BINARY_DIR}/sandboxed-api
)
```

Then `protobuf_generate_cpp` correctly invokes the protoc compiler to
generate
`/parent/myproject_build/sandboxed-api/sandboxed_api/proto_arg.proto.pb.cc'.
However, the path of the generated source file that is passed to the C++
compiler will be
`/parent/myproject_build/sandboxed-api/sandboxed_api/../../myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.
Note the duplicated project build directory component in the
canonicalized version:
`/parent/myproject_build/myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.

This change simple omits the computation of any relative file paths and
simply uses `_pb_PROTOC_OUT_DIR` which defauls to
`CMAKE_CURRENT_BINARY_DIR`, which should always contain the correct
path.

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-18 18:47:02 +01:00
bielec
d17482e2eb Split network_proxy example to 2 examples: with automatic handler, and without.
Created documentation for network proxy. fixed 2 things in documentation (namespaces are enabled by default for a while).

PiperOrigin-RevId: 300321016
Change-Id: Id9c54b29551e8d3b70e814e2fdbfee594126aa90
2020-03-11 07:32:50 -07:00
Christian Blichmann
f6c3db4c6e Replace sapi::Status with absl::Status
PiperOrigin-RevId: 297614681
Change-Id: I89fe1357a172ed4d28df6dd84b80fee364ce1c14
2020-02-27 09:24:12 -08:00
Sandboxed API Team
a5d931ec5f Qualify uses of std::string
PiperOrigin-RevId: 297528932
Change-Id: I750c43e356be55a5bd37a8bb59d998238bd8f1bb
2020-02-27 00:03:55 -08:00
Maciej Szawłowski
edd6b437ae Filter functions based on files we scan.
Currently we extract all functions from the compilation unit - it doesn't really make sense as it will try to process functions in included files too.
As we require sapi_in flag, we have information which files are of interest.

This change stores the top path in _TranslationUnit and uses it when looking for function definitions to filter only functions from the path we provided.

PiperOrigin-RevId: 297342507
Change-Id: Ie411321d375168f413f9f153a606c1113f55e79a
2020-02-26 06:02:15 -08:00
Sandboxed API Team
6332df5ef6 Fix or ignore type errors generated by the next release of pytype.
The next release contains one major change: for function parameter annotations,
pytype will no longer treat (x: X = None) as equivalent to
(x: Optional[X] = None). This pytype behavior was based on an outdated version
of the type-checking spec. Annotations that were relying on the behavior now
need to explicitly declare themselves as Optional.

PiperOrigin-RevId: 297065077
Change-Id: Iade679e5928bb3839485e8b8571945456ba6e982
2020-02-25 01:15:54 -08:00
bielec
5a4e3f3d29 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 296206385
Change-Id: I53b23122abece1fe318ed4c6a7e37bf3228c8f5f
2020-02-20 07:45:44 -08:00
Christian Blichmann
5d81c822d8 Automated rollback of commit e56f562fe2.
PiperOrigin-RevId: 296178631
Change-Id: I0f871aeecd70e9d2f99c7d52d94c6043a1668325
2020-02-20 04:26:37 -08:00
Maciej Szawłowski
fc514451e0 Internal BUILD changes
PiperOrigin-RevId: 296174640
Change-Id: I94c8e36d76d6cbb2b9d65f35d8700018b62d3db1
2020-02-20 04:26:23 -08:00
Sandboxed API Team
e56f562fe2 Automated rollback of commit 4eede550e7.
PiperOrigin-RevId: 295946052
Change-Id: Ie8c23fe8eec99ab52245ae7f482f1e6b99ec010e
2020-02-19 05:19:15 -08:00
Christian Blichmann
4eede550e7 Prepare for upcoming changes in Abseil
- Move canonical errors into status.

PiperOrigin-RevId: 295941935
Change-Id: I9408d21b6d34239b0ef3f3cd24975f39f1405505
2020-02-19 04:43:29 -08:00
Christian Blichmann
d578b18c22 Modernize the transaction API
PiperOrigin-RevId: 295712938
Change-Id: Iaf4c9668bb0b48555679fef822fe424277540d1f
2020-02-18 05:27:38 -08:00
Wiktor Garbacz
5b1119aa6d Internal change
PiperOrigin-RevId: 295579669
Change-Id: I2488a87a78cf76f0d4ddf73d115e443bd801e420
2020-02-17 06:54:52 -08:00
Sandboxed API Team
05280287e0 Automated rollback of commit 800339d672.
PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
2020-02-17 10:39:08 +01:00
bielec
800339d672 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 294640297
Change-Id: I4c6520685a658f8b7762af238588830f71b3f54a
2020-02-17 10:38:44 +01:00
Wiktor Garbacz
f1ce6fcb87 Internal change
PiperOrigin-RevId: 292529030
Change-Id: Ie6b315d9edd5f253386474be4afff1a59e24a91e
2020-01-31 05:39:25 -08:00
Sandboxed API Team
daa1c7a64e Allow sandboxee to read from /proc when sanitizers are allowed.
Sanitizers read from /proc. For example:
69445f095c/lib/sanitizer_common/sanitizer_linux.cpp (L1101)

PiperOrigin-RevId: 292363903
Change-Id: Icc383ededcad363b4e96f5551f140f012b07b495
2020-01-30 09:30:42 -08:00
Sandboxed API Team
b9c866410d Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326427
Change-Id: Iebd745bf0c6b0b14e090462a9df44ebd7d374c7d
2020-01-30 05:07:40 -08:00