Commit Graph

524 Commits

Author SHA1 Message Date
Wiktor Garbacz
2fa92bf47c Internal change
PiperOrigin-RevId: 413911008
Change-Id: I59cdac60c092f31fb487f032b3489341c0ba626a
2021-12-03 05:21:01 -08:00
Wiktor Garbacz
c3308b56fc Replace deprecated AddTmpfs call
PiperOrigin-RevId: 413907279
Change-Id: I3a32be4b19acab8b2b2092961df3dd9f3699261b
2021-12-03 04:56:40 -08:00
Christian Blichmann
4a6e005155 Make PtrXXX() family of functions public
PiperOrigin-RevId: 413616359
Change-Id: I553c17f0668708b00fdb12a21109ed45aeba6c66
2021-12-02 01:41:59 -08:00
Sandboxed API Team
a096056263 Automated rollback of commit b72078f692.
PiperOrigin-RevId: 413442229
Change-Id: I48d03ce200160da1c86faec29b2ca51fb1ead834
2021-12-01 09:54:44 -08:00
Sandboxed API Team
b72078f692 Automated rollback of commit 6a6c931317.
PiperOrigin-RevId: 413362657
Change-Id: Ie75672101b2aba4183f9aa3e39679a99f309e155
2021-12-01 02:56:59 -08:00
Wiktor Garbacz
f5fbe8cce5 Internal change
PiperOrigin-RevId: 413351344
Change-Id: I93962c43649fab1f73b3960044563e54449af271
2021-12-01 01:48:41 -08:00
Christian Blichmann
6a6c931317 Move away from multiple inheritance
This change is a first step to make the SAPI variable hierarchy more sensible.
It turns the `Reg<T>` class into a descendant of `Pointable`, but without
making its `PtrXXX()` methods public (hence the `using` statements). Further
changes are needed to restructure this.

There are no functional changes and the class sizes, including vtables, should
not change.

PiperOrigin-RevId: 413333120
Change-Id: I90ceeaeb7aea482016f8f4bee81489d5a9db9ade
2021-11-30 23:46:59 -08:00
Christian Blichmann
85a463372f Sandbox2: Mark tests that won't run under QEMU user emulation
PiperOrigin-RevId: 412861975
Change-Id: I0f168bc71b5738ed55b836f148ded94bf397d27d
2021-11-29 05:20:48 -08:00
Christian Blichmann
c2b7cffe78 Minielf: Use a template to load integers
Different versions of the `elf.h` header define their own integer types. For
example, even on LP64 systems, a 64-bit ELF integer types may decay into
`unsigned long long` instead of `unsigned long`.

This change replaces the various overloads with a single function template
that is well-defined for all integral types.

PiperOrigin-RevId: 410746713
Change-Id: I4b560f7541802372f01ae3d6f4a56554e51d70c8
2021-11-18 02:16:26 -08:00
Sandboxed API Team
dcfd85d74e Extend existing CPU architecture spellings in config header and define platform spellings.
PiperOrigin-RevId: 410474889
Change-Id: I41f870ad49e2203a6bdf833102c0d0a9cafa7af4
2021-11-17 02:41:07 -08:00
Wiktor Garbacz
e86322db84 Fix a race between NotifyMonitor/AwaitResult
PiperOrigin-RevId: 410463096
Change-Id: I370705131ac78f26736646596189d8cad2bb70c2
2021-11-17 01:40:42 -08:00
Sandboxed API Team
04503f9bbe Replace <bits/local_lim.h> with <climits>
PiperOrigin-RevId: 409932987
Change-Id: I388aca627d6d0f3c9d5721e66574fb8af85cc8f4
2021-11-15 03:16:28 -08:00
Sandboxed API Team
9541b657ad Use alias s6_addr instead of direct field access.
PiperOrigin-RevId: 409908616
Change-Id: I18f87b41eae3f96fd60b8cd14073bd8df66fae98
2021-11-15 01:01:20 -08:00
Sandboxed API Team
2727714012 Expose unwind symbol helpers.
PiperOrigin-RevId: 409391470
Change-Id: Iad14caabbada1278216e5e28ba55bae8dc8b9b2b
2021-11-12 05:59:51 -08:00
Wiktor Garbacz
26da6e6b0a Safer and more efficient custom syscall policies
Generate syscall jump table without using bpf_helper.
Check that any jump in the user provided policy is within the provided policy.

PiperOrigin-RevId: 409362089
Change-Id: I31493e52cf868e4b184ff79fcb26beeb75f49773
2021-11-12 02:44:41 -08:00
Wiktor Garbacz
c95837a6c1 Check and limit seccomp policy length.
PiperOrigin-RevId: 409129756
Change-Id: Ib9937495966f545fb980eba04393db640af2325f
2021-11-11 06:10:40 -08:00
Sandboxed API Team
00747d5241 Allow getpid call for log forwarding.
PiperOrigin-RevId: 407865992
Change-Id: Ia14dc5cc1628337292586955f1c17a8d8f2995de
2021-11-05 11:16:45 -07:00
Tony Li
cfb9e031dd
fix typo, master branch -> main 2021-10-17 22:52:57 -07:00
Christian Blichmann
d85f40b8b0 Modernize namespace_test a little
PiperOrigin-RevId: 402795383
Change-Id: Ia576259078f40a3ca6b96094bd15c3ea7b0b79d9
2021-10-13 04:17:46 -07:00
Christian Blichmann
1260b5f38b Move example sandboxes out of lib directories
This is mainly so that the structure of the examples follows what we do
internally (not having separate directories).

PiperOrigin-RevId: 402298115
Change-Id: I0f542607b88597572de39532364816f80a076697
2021-10-11 07:59:25 -07:00
Christian Blichmann
2c42654333 Improve examples
- CRC4: More readable policy, added explanatory comment
- Use `AllowLlvmSaniters()` in policies

PiperOrigin-RevId: 402296504
Change-Id: I6853199abedf2441eaffff9186d4d354c142e485
2021-10-11 07:50:27 -07:00
Christian Blichmann
d05dc7ba02 Reduce visibility of internal member function
This is the first change in a series that will eventually remove Sandboxed
API's use of multiple inheritance.

Drive-by:
- Rename short member names to full words
- Some reformatting
PiperOrigin-RevId: 402270954
Change-Id: I8af46b887921265a371b85603fd158ef3a8fab50
2021-10-11 05:38:01 -07:00
Christian Blichmann
df1c31188d Fix sums test under MSAN by allowing Scudo to add MAP_NORESERVE in mmap()
Note: This change allows `MAP_NORESERVE` generally, not just for MSAN. This follows
what we do for `AllowTcMalloc()/AllowSystemMalloc()`
PiperOrigin-RevId: 402231980
Change-Id: Ifa1c6b9f61f636dd6db231dde3765c3b4a40911b
2021-10-11 01:22:17 -07:00
Christian Blichmann
221e929018 Include shell-based tests in OSS builds
These were previously dependent on an internal-only testing target.

For now, this only works with Bazel, but should enable us to have better test coverage in GitHub actions.
Eventually, all of these shell-based tests should be converted to `cc_test`s.

PiperOrigin-RevId: 400713615
Change-Id: I1cabb5b72977987ef4a1803480f699b58c4d56e9
2021-10-04 07:18:36 -07:00
Christian Blichmann
98e590463b Internal change
PiperOrigin-RevId: 400144449
Change-Id: Ic0cbd6a3b27012cfb406694bdf2944a5b9905580
2021-10-04 07:18:06 -07:00
Sandboxed API Team
4050f34efc Internal Change
PiperOrigin-RevId: 399850339
Change-Id: I1cbb4d7510bff3ab4a4559cb3252dcf79d2a06b8
2021-09-29 22:12:26 -07:00
Christian Blichmann
90d1867026 Remove deprecated sapi::StatusOr<> forward declaration
PiperOrigin-RevId: 399663835
Change-Id: I92255a68e50a3b9130d3e222a2e353ee2e599c18
2021-09-29 05:39:10 -07:00
Christian Blichmann
f6d9e7fd7c Fix warning about multi-line comment
PiperOrigin-RevId: 399648071
Change-Id: I793a640310d772804726527761ad911772ff19c6
2021-09-29 03:44:32 -07:00
Wiktor Garbacz
d9d2f0e5de Use regular logging in fork client
PiperOrigin-RevId: 399623764
Change-Id: I5eaf0ff7f24e7b61c84ff9dacf8cd53889cc83d0
2021-09-29 00:46:12 -07:00
Sandboxed API Team
fb81c00fd1 Replace auto with explicit type declarations
PiperOrigin-RevId: 399419917
Change-Id: I4b7acd8ab6e2542e2971b29bed0745378b2b6743
2021-09-28 05:50:57 -07:00
Sandboxed API Team
448f393c29 Enable mmap for msan (it's already enabled for asan and tsan)
PiperOrigin-RevId: 399163710
Change-Id: I2cebb6136adb00a53e4baf18d343cf80191efcb0
2021-09-27 05:08:45 -07:00
Wiktor Garbacz
c29c510e30 Log when global forkserver is started and its exit status
PiperOrigin-RevId: 398232735
Change-Id: Ia0628cf2dee51a94938dae82bcb392384feeb74c
2021-09-22 07:16:43 -07:00
Wiktor Garbacz
b470a6ece5 Make the fd cleanup test less brittle
PiperOrigin-RevId: 398229418
Change-Id: If8af43f33b07839ea8d46b85ff77efa8557a31a8
2021-09-22 06:57:55 -07:00
Catalin Patulea
b5fb483b11 Fix formatting of pgoff.
PiperOrigin-RevId: 397763298
Change-Id: I027ef4cd381247521ee2bcce57a17c9d480efb22
2021-09-20 09:02:14 -07:00
Christian Blichmann
c400f92eaa (Mostly) internal change. Add pid() accessor.
PiperOrigin-RevId: 397070773
Change-Id: I9ebac9078f3866ef3e0061ec79da5c9f71e5f480
2021-09-16 06:57:44 -07:00
Kevin Hamacher
aea8bb2ed0 Automated rollback of commit 2036f5b2f0.
PiperOrigin-RevId: 395893427
Change-Id: Iabd32de9cd83de5cc8567834e1f91e48c521ac60
2021-09-10 03:34:44 -07:00
Sandboxed API Team
2036f5b2f0 Automated rollback of commit 4b018757c3.
PiperOrigin-RevId: 395067992
Change-Id: I5db335ed881aa81748a0fc8082091b160fe83e86
2021-09-06 04:07:11 -07:00
Kevin Hamacher
4b018757c3 Use absl::flat_hash_set + Status in favor of std::set in the sanitizer API
PiperOrigin-RevId: 395061068
Change-Id: I31548eb6fc9f27f55acf25bd6d3d0b941a529e63
2021-09-06 03:15:39 -07:00
Kevin Hamacher
eb2c5a66f4 Rework GetListOfFDs API
PiperOrigin-RevId: 395043959
Change-Id: I77ce13f0c786d3644971ed239f3106319667e979
2021-09-06 01:01:19 -07:00
Christian Blichmann
289adcff06 Internal change.
For OSS, this change should be mostly a no-op. Visible edits are due to
changed order of code and/or includes.

PiperOrigin-RevId: 394177395
Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
2021-09-01 01:28:19 -07:00
Catalin Patulea
9ab330dc7a 'Map' symbols: add pgoff to disambiguate multiple mappings on same object.
PiperOrigin-RevId: 391520785
Change-Id: Icb05e60f778acfb9fe6f519911ce54bec65fc4ff
2021-08-18 07:14:31 -07:00
Wiktor Garbacz
59f5fa8042 Allow collecting stacktraces on normal process exit
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.

PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
2021-08-16 03:13:15 -07:00
Sandboxed API Team
7b31deaed8 Delete deprecated sapi::Sandbox::IsActive and its remaining call sites.
PiperOrigin-RevId: 390412024
Change-Id: Iab3853b3c40dd4e9b0ff31532e8c41c2583ebc4e
2021-08-12 11:00:51 -07:00
Sandboxed API Team
dae91ff082 Fix Symbolize* tests.
PiperOrigin-RevId: 390372065
Change-Id: I1ddc9dd9238795eb0674e04c20a5c91a68582027
2021-08-12 08:03:52 -07:00
Sandboxed API Team
d631154ce5 Delete deprecated sapi::Sandbox::GetRpcChannel and its remaining call sites.
PiperOrigin-RevId: 389968873
Change-Id: Ia72e0064fa57679180f9c406f96266473f8461c2
2021-08-10 13:50:15 -07:00
Wiktor Garbacz
773dc6b18b Do not fail-hard in global forkserver startup
PiperOrigin-RevId: 389816114
Change-Id: Icd672028ff224cf01095d6590fe1cc2adb312316
2021-08-10 00:33:29 -07:00
Sandboxed API Team
165c155a08 Delete deprecated sapi::Sandbox::GetComms and its remaining call sites.
PiperOrigin-RevId: 389716023
Change-Id: I092bc37f3f3bb40554b627f9dd528525b60d67a1
2021-08-09 13:49:45 -07:00
Sandboxed API Team
3f0875798d Delete deprecated sapi::Sandbox::GetPid and its remaining call sites.
PiperOrigin-RevId: 389713115
Change-Id: I1832e759016a581e10bf5bd8b5b70244b40ecd69
2021-08-09 13:36:15 -07:00
Wiktor Garbacz
0621e06a9c Allow recovering from global forkserver failure
PiperOrigin-RevId: 389164847
Change-Id: I40bc3b6d3bea28ee8954ea2a11a0427a6c05da35
2021-08-06 06:54:05 -07:00
Wiktor Garbacz
fe709502f4 Wait for global forkserver when shutting it down
Otherwise starting forkserver multiple times will result in zombie processes lingering around.

PiperOrigin-RevId: 388926497
Change-Id: Ia9947cce3d9e909edd709b0d3525e1ae8b8bbc51
2021-08-05 07:07:35 -07:00
Wiktor Garbacz
e88755256d Use FDCloser in Executor extensively
Also really own `exec_fd_` as previously if the executor is destructed without calling `StartSubProcess` the file descriptor would leak.

PiperOrigin-RevId: 388901766
Change-Id: I6bbb15ced37a0a832ec5a5228452a3d54ef46ee9
2021-08-05 04:16:11 -07:00
Wiktor Garbacz
80ad7bb2b0 Replace a CHECK with a warning
PiperOrigin-RevId: 388893117
Change-Id: I0b0ccf2045aea09d31ae1605b205aab456bd8550
2021-08-05 03:03:24 -07:00
Christian Blichmann
8b1dfd7343 Fix factory method sapi:✌️:Proto<>::FromMessage
This was missing a friend declaration in order to actually compile.
It's now being used in the "stringop" example, so we test it as well.

Drive-by:
- Do not copy the proto's bytes the constructor, but use `std::move`
PiperOrigin-RevId: 387774353
Change-Id: Ic8824af911ac744e2e68130e1f4673c4dddd4939
2021-07-30 03:55:17 -07:00
Christian Blichmann
fd20eb0b4d Reorder error logging before Terminate()
Calling `Terminate()` issues additional syscalls that may clobber the `errno`
value. Reordering the log statements ensures we actually log the initial error
in `read()`/`write()`.

PiperOrigin-RevId: 387576942
Change-Id: I0f9c8c6001e6dc4ca098abe02cd251029f92a737
2021-07-29 07:12:02 -07:00
Christian Blichmann
f14aeee0ad Internal change.
PiperOrigin-RevId: 387565158
Change-Id: I7b5293b614fae74abae1f9a347b0ef414028b8ea
2021-07-29 05:52:19 -07:00
Christian Blichmann
85c58dc2d7 Reduce logspam: Log Tomoyo LSM check only with VLOG
PiperOrigin-RevId: 387114844
Change-Id: Ib670799e3327fcc991ad012ccee20b96089c2f48
2021-07-27 08:32:10 -07:00
Christian Blichmann
ccd7b03026 Introduce sapi::OsErrorMessage() for error handling
This should make handling OS error less repetetive.

PiperOrigin-RevId: 387074642
Change-Id: I09b8c5e37e7f7b08341e22ba01ccda21a916a4bc
2021-07-27 04:10:04 -07:00
Paul Wankadia
bb6ae1d4ab Introduce AllowRestartableSequencesWithProcFiles() and tidy up.
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that
get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs
there are. Unfortunately, some of those sandboxes also disable namespaces. The
solution is to provide two functions: AllowRestartableSequencesWithProcFiles(),
which allows syscalls and files; and AllowRestartableSequences(), which allows
syscalls only. Sandboxes should usually call the former; sandboxes that disable
namespaces should instead call the latter and are responsible for allowing the
files via the deprecated Fs mechanism.

2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags.

3. Order the code and the comments identically for better readability.

PiperOrigin-RevId: 386414028
Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
2021-07-23 02:23:22 -07:00
Christian Blichmann
9c21744460 Revert memfd file sealing for embeded files
Ideally, we'd seal the embedded SAPI binary using fcntl(). However, in rare
cases, adding the file seals `F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW |
F_SEAL_WRITE` results in `EBUSY` errors.

This is likely because of an interaction of `SEAL_WRITE` with pending writes
to the mapped memory region (see `memfd_wait_for_pins()` in Linux'
`mm/memfd.c`). Since `fsync()` is a no-op on memfds, it doesn't help to
ameliorate the problem.

On systems where it is enabled, ksmd might also be a source of pending writes.

PiperOrigin-RevId: 385741435
Change-Id: I21bd6a9039be4b6298774e837ce3628180ed91a8
2021-07-20 02:29:21 -07:00
Christian Blichmann
7b711b85e8 Rename static singleton accessor
PiperOrigin-RevId: 384699374
Change-Id: I674baffc77bc6b3815f94512058a14d37d164c6f
2021-07-14 08:00:59 -07:00
Wiktor Garbacz
34c7be759a Another round of file descriptor handling fixes
PiperOrigin-RevId: 384646707
Change-Id: Ia1b51a348bcb2a1426ba26a4ed045b0522168745
2021-07-14 01:33:34 -07:00
Christian Blichmann
5267d14248 Take a vector in Policy::AllowUnsafeKeepCapabilities()
The existing function signature took a `unique_ptr<>` owning a vector, and
took `nullptr` to mean an empty set of capabilities. This is more naturally
modeled by taking the vector directly and `std::move`-ing it.

PiperOrigin-RevId: 384214849
Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
2021-07-12 05:43:21 -07:00
Christian Blichmann
002cb9ae01 More efficient fork request handling and #Cleanup
- Assign to `*mutable_XXX()` instead of looping
- Use a const ref for capabilities

PiperOrigin-RevId: 384192675
Change-Id: I4db3d0c8ce0d7f6acc9fd486a2409962516b5fe7
2021-07-12 02:37:42 -07:00
Paul Wankadia
372b8e2696 Fix constant name in log message
PiperOrigin-RevId: 384187707
Change-Id: I3d322f6d00fa63fc7a2b33f8c7844c4291e4fef1
2021-07-12 01:56:42 -07:00
Christian Blichmann
a290ffc8bc Seal memfd in embed_file.cc
PiperOrigin-RevId: 383358851
Change-Id: I839a9b816f9c7f486908fbccdc3ecd621bd1c402
2021-07-07 00:58:57 -07:00
Wiktor Garbacz
424c543eb7 Automated rollback of commit 4a38f59728.
PiperOrigin-RevId: 381815277
Change-Id: I344c9bb1a505cc0a0dcf7e9ff979c172c484d963
2021-06-28 02:03:06 -07:00
Wiktor Garbacz
fe2ee5dfac Do not expose stack_trace.h in public API
PiperOrigin-RevId: 381412175
Change-Id: I30729c5af378c358e6400e4b7366d435518ae7d7
2021-06-25 00:03:54 -07:00
Wiktor Garbacz
fe08d724e4 Simplify the dup fix and add better error handling
Original fix might fail if RLIMIT_NOFILE is set to 1024.

PiperOrigin-RevId: 381034115
Change-Id: I39e33a90083533cf85eb04072604665c299b861f
2021-06-23 08:14:01 -07:00
Sandboxed API Team
4a38f59728 Automated rollback of commit a850aa44d2.
PiperOrigin-RevId: 380897565
Change-Id: Iacc50697a5ff25b79272a1549291bbf32152d3f6
2021-06-22 14:50:33 -07:00
Wiktor Garbacz
0ec4f07f96 Fix rare failure while starting the global forkserver
This bug only manifests if a lot of fds are open when global forkserver is started.
If the allocated exec_fd number was equal Comms::kSandbox2ClientCommsFD then it would be replaced by the comms fd and result in EACCESS at execveat.

PiperOrigin-RevId: 380805414
Change-Id: I31427fa929abfc60890477b55790cc14c749f7f5
2021-06-22 07:48:58 -07:00
Wiktor Garbacz
a850aa44d2 Better error handling in stacktraces
PiperOrigin-RevId: 380789060
Change-Id: I655428fd45bf305f787b75cc925d31c6ab60c074
2021-06-22 05:52:15 -07:00
Wiktor Garbacz
e5cfce71a3 Add new x86-64 syscalls
PiperOrigin-RevId: 377460610
Change-Id: I06833ca7fcc88447ed482e9e6914b9113781a114
2021-06-04 01:01:34 -07:00
Wiktor Garbacz
e87a052e61 Fix restarting global forkserver
PiperOrigin-RevId: 376643949
Change-Id: I5811e8b8a9f5e74cab21d021c8e83b2a4b91818a
2021-05-31 02:19:28 -07:00
Sandboxed API Team
aa568597b0 Add rt_sigprocmask to AllowLogForwarding
PiperOrigin-RevId: 376142747
Change-Id: I6470a6eea8a4e85b0921de6dc332097a6c9440a4
2021-05-27 04:40:28 -07:00
Christian Blichmann
d73f80cfa5 Enable AArch64 syscalls in examples
PiperOrigin-RevId: 375923215
Change-Id: I9523a074579975379b1a9d4644497268781499e1
2021-05-26 05:47:37 -07:00
Sandboxed API Team
f159359f65 Automated rollback of commit 5bb161b0db.
PiperOrigin-RevId: 375047066
Change-Id: I09ce8aafa92337c79a61f0f757ec66be2b2cefdc
2021-05-21 02:59:34 -07:00
Sandboxed API Team
5bb161b0db Automated rollback of commit e97ecfb955.
PiperOrigin-RevId: 375044368
Change-Id: Ib8bcf5d67e70fb37ef330c1433056343674a9f14
2021-05-21 02:38:05 -07:00
Christian Blichmann
e97ecfb955 Internal change
PiperOrigin-RevId: 375038366
Change-Id: I9180c2dc544d5ba12a73a67f5613e0c44e962505
2021-05-21 01:44:47 -07:00
Christian Blichmann
ab469deac3 Internal change
PiperOrigin-RevId: 374874118
Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63
2021-05-20 08:17:10 -07:00
Wiktor Garbacz
78d749380b Fix a data race in Comms
PiperOrigin-RevId: 374397564
Change-Id: I630a7587242b7b25364aa66158d86d53aff5c343
2021-05-18 05:48:54 -07:00
Wiktor Garbacz
a986278550 Raw logging should not allocate memory
PiperOrigin-RevId: 374396461
Change-Id: I709103c7834d4803a26a0b292f342a3d629d332c
2021-05-18 05:37:38 -07:00
Christian Blichmann
2d3a040f64 Minor cleanup/formatting changes
PiperOrigin-RevId: 374164136
Change-Id: I505cbc3ac9f899ed965cde66aaae1aba55a90c64
2021-05-17 04:07:08 -07:00
Christian Blichmann
ca6ec4337d Add workaround for active Tomoyo LSM
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
Christian Blichmann
5c7903ecd9 Check for either violate() or ViolateIndirect() in stack trace
Depending on architecture and optimization level, the compiler may choose to
not generate full stack frames, even with no-inline and no tail-call
attributes.

PiperOrigin-RevId: 372339987
Change-Id: I42043131bbb6092ff234e80ae9047f7a2bf31161
2021-05-06 07:36:13 -07:00
Christian Blichmann
0750216bc1 Make stack trace test more resilient against optimizer
This fixes tests for PPC, where the tail-call optimization would consistently
remove 'violate()' from the stack trace.

PiperOrigin-RevId: 371103794
Change-Id: Ifb1a7d588a455041a6b0f3c763276ed44de47e60
2021-04-29 06:01:24 -07:00
Christian Blichmann
00a7cc5a33 Use sapi::file::GetContents() and light Mini-ELF refactoring
Plus some style fixes.

PiperOrigin-RevId: 370901533
Change-Id: If4f9d7c3157fdfc2ca4302b06cd95e96e7a8ebdd
2021-04-28 07:49:17 -07:00
Christian Blichmann
08e1e733a0 Update third-party dependencies
Also include-what-you-use the `signal.h` header.

PiperOrigin-RevId: 370433834
Change-Id: I934fe6fbf65091e365127db0fc4544499720841c
2021-04-26 05:00:30 -07:00
Christian Blichmann
ab7943abdc Simplify ptrace emulation and code style fixes
PiperOrigin-RevId: 369862187
Change-Id: Ia0759c320cde1c9e3798f0df5c2a0d50ca20fd71
2021-04-22 06:56:45 -07:00
Wiktor Garbacz
d9824dff16 Use absl::Span in BPF disassembler
PiperOrigin-RevId: 369636095
Change-Id: I13a8ae08ba354e54c502e0f6cdd35287fdfbb723
2021-04-21 05:33:12 -07:00
Catalin Patulea
4344bbceba Add optional VLOG(1) for additional process info on Syscall Violation.
PiperOrigin-RevId: 368900451
Change-Id: I331d0e239e2f3176c435bd42012d155d60d0b1ac
2021-04-16 12:43:08 -07:00
Christian Blichmann
be6c878b01 Internal change touching the generator rules
PiperOrigin-RevId: 368802693
Change-Id: Ia0102d1a92a49b807d4432ee3d0a6a02f528ef00
2021-04-16 01:38:08 -07:00
Catalin Patulea
d5bd1cb38f Pretty-print ptrace event name on WIFSTOPPED.
PiperOrigin-RevId: 368688417
Change-Id: I4368268f1b05148213010768a6d4eaa87211ea45
2021-04-15 12:02:11 -07:00
Wiktor Garbacz
c15b5cb123 Log more info for seccomp setup failure
PiperOrigin-RevId: 368618345
Change-Id: Ia1559ece8f83cf27623adab4baa141cd8cfdf143
2021-04-15 05:09:38 -07:00
Wiktor Garbacz
6a679a407d Automated rollback of commit 54ac8f86fc.
PiperOrigin-RevId: 368616441
Change-Id: I6ff53b730b44b5f08986be62b32fda13932ec19a
2021-04-15 04:54:14 -07:00
Wiktor Garbacz
54ac8f86fc Automated rollback of commit 2ff96ba0e7.
PiperOrigin-RevId: 368597960
Change-Id: Ifa6c8a57fbd7761fb5e121b589a49ad67333e7cd
2021-04-15 02:17:50 -07:00
Wiktor Garbacz
2ff96ba0e7 Add missing TSAN syscalls
PiperOrigin-RevId: 368427218
Change-Id: I73cd330028b805d8a86712936fb0c5103ce9914a
2021-04-14 07:39:13 -07:00
Wiktor Garbacz
bc6bb0c7e5 Fix Mounts::ResolvePath for dir nodes.
PiperOrigin-RevId: 368390904
Change-Id: I4f59e8d74b0d81497255cb0838d6d3132cae160b
2021-04-14 02:45:41 -07:00
Martijn Vels
2efaa463c9 Implement enabling RSEQ inside AllowTcMalloc in terms of AllowRestartableSequences()
PiperOrigin-RevId: 368208391
Change-Id: Ie1204cb3a0824ebe54b770e2669ae31f7932ed51
2021-04-13 07:14:55 -07:00
Christian Blichmann
5eb412ac32 Internal change
PiperOrigin-RevId: 368172152
Change-Id: Ie1479862473bfef7f08d555109a577d47bfbabc7
2021-04-13 01:58:11 -07:00
Wiktor Garbacz
00649577d9 Fix Reg<long double> for MSAN
On x86 `long double` has 10 bytes of meaningful data, but `sizeof(long double)` is 16 - the remaining bytes are random garbage.

Roll forward after fixing a bug in the original commit.

PiperOrigin-RevId: 368170639
Change-Id: I4a1d2d95b92eed6b71c37145726f7320cfc00ba0
2021-04-13 01:44:01 -07:00