Commit Graph

253 Commits

Author SHA1 Message Date
Sandboxed API Team
79049b09c0 Add helper function for MADV_WIPEONFORK.
BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning.

PiperOrigin-RevId: 309173849
Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
2020-04-30 00:08:55 -07:00
Christian Blichmann
fea5e8c485 CMake: Avoid Google Test error when re-configuring with latest Abseil
Abseil insists on having a Google Test directory, even if we're not going to
run (or even build) the tests.

This changes forces all test settings to `OFF` just for Abseil, allowing
SAPI builds to complete normally. Embedding projects should not be affected,
if they already included Abseil.

PiperOrigin-RevId: 309035680
Change-Id: Ie46297d8b502d92d0c10ef04360e992bcee4964b
2020-04-29 09:17:26 -07:00
Christian Blichmann
7ec20bd5d5 Update dependencies to latest versions
- Abseil (HEAD)
- Benchmark (HEAD)
- Google Flags (HEAD)
- Google Logging (HEAD)
- Google Test/Mock (HEAD)
- Protocol Buffers (3.11.4)

PiperOrigin-RevId: 309012925
Change-Id: I826846afb3f2c4e92180915796890fce6b5a1d6c
2020-04-29 06:45:44 -07:00
Christian Blichmann
8faccffbad Update StatusOr<> and tests
Fixes some template issues that could lead to code not compiling when it
otherwise should.

PiperOrigin-RevId: 308809964
Change-Id: I9f2f9d4aff5f1a9cb967fb705a86fd7f49114f7a
2020-04-28 06:12:58 -07:00
Christian Blichmann
a2e292792e Move .bazelrc to correct location next to WORKSPACE
PiperOrigin-RevId: 308792839
Change-Id: Id70f6bbd3ba2b8fe769eb1013a9310f00a300610
2020-04-28 03:17:28 -07:00
Christian Blichmann
dfc51704c0 Fix linker issue introduced in b2764c5
The underlying issue is with a Copybara transform and the internal Blaze BUILD file.

PiperOrigin-RevId: 308787839
Change-Id: I32af664b3eac4c925d39f50b967756198eff23f3
2020-04-28 02:30:47 -07:00
Sandboxed API Team
b2764c5937 Internal change.
PiperOrigin-RevId: 308273962
Change-Id: If41d229d37eda610eb4bf202e20dc4f5976f2333
2020-04-24 10:02:21 -07:00
Sandboxed API Team
f18f524100 Internal change.
PiperOrigin-RevId: 307871367
Change-Id: Iefae576ae58b88a72f0cd923b3e76ce560af6e58
2020-04-22 12:23:46 -07:00
Sandboxed API Team
9b85dc49c1 Split sanitizer.h into a separate library
PiperOrigin-RevId: 305327952
Change-Id: I6708729d379d019c3d299e9cb54b76338ced23bf
2020-04-07 13:26:51 -07:00
Christian Blichmann
bd4cb3ad10 Update .gitignore
PiperOrigin-RevId: 304574629
Change-Id: Ie8fd461eeb3329cb682cf18d3ec9e2df174e1b11
2020-04-03 02:30:57 -07:00
Christian Blichmann
496672c333 Cleanup calls to sapi::StatusOr<>::ValueOrDie()
PiperOrigin-RevId: 304398197
Change-Id: I85d09457a5e27f65c0792fe93aebbd8219801ef6
2020-04-02 07:42:45 -07:00
Christian Blichmann
2b2e7ac498 Bring sapi::StatusOr<> up to date with internal Abseil changes
Note: This intentionally omits perfect-forwarding value assignments. This
avoids overly complex template expressions. The regular assignments are still
efficient.
PiperOrigin-RevId: 304159053
Change-Id: I3460f46ca5779a0619cf90ae22625de8fad7669c
2020-04-01 04:40:38 -07:00
Sandboxed API Team
2fa0bf85f4 Fix an ODR violation
PiperOrigin-RevId: 303066199
Change-Id: I0cde5fce6f9538136b913edccc5a3195e0b4e503
2020-03-26 01:59:05 -07:00
Sandboxed API Team
22c6417307 Adding new build rule for sanitizer
PiperOrigin-RevId: 302687093
Change-Id: I090352c70df67e51eba79a618315b7ca9696bcfe
2020-03-24 09:54:49 -07:00
Kevin Hamacher
dadf55f647 Show a warning when tmpfs size is not specified
PiperOrigin-RevId: 302441519
Change-Id: Ia4130c9067f00ed48065ea3b4854c844e7b88f85
2020-03-23 08:44:28 -07:00
Copybara-Service
8e83506380 Merge pull request #37 from cblichmann:master
PiperOrigin-RevId: 302426325
Change-Id: I033c69ef18d8ccb5df5668c865846cb7df8fdf3a
2020-03-23 07:08:34 -07:00
Christian Blichmann
57d374e667 Fix libffi configure directory in Bazel/CMake builds 2020-03-23 13:52:02 +01:00
Copybara-Service
486d934bf4 Merge pull request #36 from cblichmann:master
PiperOrigin-RevId: 302410620
Change-Id: I11a7022d4f267e83478129948343d662873a02da
2020-03-23 05:08:09 -07:00
Christian Blichmann
45d825b3b7 Merge branch 'master' of https://github.com/google/sandboxed-api 2020-03-22 16:47:41 +01:00
Christian Blichmann
0772d71264 Download libffi at CMake config time (fixes #35)
Drive-by:
- Make Bazel config action more robust
- Disable dependency tracking in libunwind configure

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-22 16:44:39 +01:00
Anna Sapek
4665335604 Use file::IsAbsolutePath consistently
PiperOrigin-RevId: 302073992
Change-Id: Ib3b9fbedc6e85a1abd87cbc683d8a8c3dc3daf87
2020-03-20 12:08:25 -07:00
Christian Blichmann
604b671d12 Internal change.
PiperOrigin-RevId: 301836978
Change-Id: Ic959f224701bf370294fdbbe3126edd01c615e2a
2020-03-19 09:58:28 -07:00
Christian Blichmann
69bdb54bf9 Update README, graphical assets
PiperOrigin-RevId: 301830652
Change-Id: I60a67c372869a30ff5ba575387d67700ffc20134
2020-03-19 09:27:42 -07:00
Copybara-Service
4bef25da67 Merge pull request #34 from cblichmann:master
PiperOrigin-RevId: 301772291
Change-Id: Ibc7b781e40d2264efb8757410bdc81feee88ba74
2020-03-19 02:46:04 -07:00
Christian Blichmann
f44cca6c98 Fix path to generated proto sources when embedding
When embedding SAPI in an external CMake project, the version of
`protobuf_generate_cpp` that we lifted from upstream protobuf produces
the wrong generated file paths.

For example, given this project structure:

```
/parent/
+-- myproject/
+-- myproject_build/  <- CMake build directory
+-- sandboxed-api/    <- Checkout from GitHub
```

And a CMake file in `myproject/CMakeLists.txt` that embeds SAPI like
this:

```
cmake_minimum_required(VERSION 3.12)
project(SandboxedTest LANGUAGES CXX)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

add_subdirectory(
  ${PROJECT_SOURCE_DIR}/../sandboxed-api
  ${PROJECT_BINARY_DIR}/sandboxed-api
)
```

Then `protobuf_generate_cpp` correctly invokes the protoc compiler to
generate
`/parent/myproject_build/sandboxed-api/sandboxed_api/proto_arg.proto.pb.cc'.
However, the path of the generated source file that is passed to the C++
compiler will be
`/parent/myproject_build/sandboxed-api/sandboxed_api/../../myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.
Note the duplicated project build directory component in the
canonicalized version:
`/parent/myproject_build/myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.

This change simple omits the computation of any relative file paths and
simply uses `_pb_PROTOC_OUT_DIR` which defauls to
`CMAKE_CURRENT_BINARY_DIR`, which should always contain the correct
path.

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-18 18:47:02 +01:00
Copybara-Service
d4faf10b4a Merge pull request #33 from cblichmann:master
PiperOrigin-RevId: 301562682
Change-Id: I9bc0700c295236523bbe1c13451b01fad12e4720
2020-03-18 04:19:34 -07:00
Christian Blichmann
509c7bca94 Cache the location of Python 3 interpreter
Add the location of the Python 3 interpreter to the CMake cache so
that its available in the `add_sapi_library()` macro in downstream
embedding projects.

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-17 21:26:14 +01:00
bielec
d17482e2eb Split network_proxy example to 2 examples: with automatic handler, and without.
Created documentation for network proxy. fixed 2 things in documentation (namespaces are enabled by default for a while).

PiperOrigin-RevId: 300321016
Change-Id: Id9c54b29551e8d3b70e814e2fdbfee594126aa90
2020-03-11 07:32:50 -07:00
Christian Blichmann
f6c3db4c6e Replace sapi::Status with absl::Status
PiperOrigin-RevId: 297614681
Change-Id: I89fe1357a172ed4d28df6dd84b80fee364ce1c14
2020-02-27 09:24:12 -08:00
Sandboxed API Team
a5d931ec5f Qualify uses of std::string
PiperOrigin-RevId: 297528932
Change-Id: I750c43e356be55a5bd37a8bb59d998238bd8f1bb
2020-02-27 00:03:55 -08:00
Maciej Szawłowski
edd6b437ae Filter functions based on files we scan.
Currently we extract all functions from the compilation unit - it doesn't really make sense as it will try to process functions in included files too.
As we require sapi_in flag, we have information which files are of interest.

This change stores the top path in _TranslationUnit and uses it when looking for function definitions to filter only functions from the path we provided.

PiperOrigin-RevId: 297342507
Change-Id: Ie411321d375168f413f9f153a606c1113f55e79a
2020-02-26 06:02:15 -08:00
Sandboxed API Team
6332df5ef6 Fix or ignore type errors generated by the next release of pytype.
The next release contains one major change: for function parameter annotations,
pytype will no longer treat (x: X = None) as equivalent to
(x: Optional[X] = None). This pytype behavior was based on an outdated version
of the type-checking spec. Annotations that were relying on the behavior now
need to explicitly declare themselves as Optional.

PiperOrigin-RevId: 297065077
Change-Id: Iade679e5928bb3839485e8b8571945456ba6e982
2020-02-25 01:15:54 -08:00
bielec
5a4e3f3d29 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 296206385
Change-Id: I53b23122abece1fe318ed4c6a7e37bf3228c8f5f
2020-02-20 07:45:44 -08:00
Christian Blichmann
5d81c822d8 Automated rollback of commit e56f562fe2.
PiperOrigin-RevId: 296178631
Change-Id: I0f871aeecd70e9d2f99c7d52d94c6043a1668325
2020-02-20 04:26:37 -08:00
Maciej Szawłowski
fc514451e0 Internal BUILD changes
PiperOrigin-RevId: 296174640
Change-Id: I94c8e36d76d6cbb2b9d65f35d8700018b62d3db1
2020-02-20 04:26:23 -08:00
Sandboxed API Team
e56f562fe2 Automated rollback of commit 4eede550e7.
PiperOrigin-RevId: 295946052
Change-Id: Ie8c23fe8eec99ab52245ae7f482f1e6b99ec010e
2020-02-19 05:19:15 -08:00
Christian Blichmann
4eede550e7 Prepare for upcoming changes in Abseil
- Move canonical errors into status.

PiperOrigin-RevId: 295941935
Change-Id: I9408d21b6d34239b0ef3f3cd24975f39f1405505
2020-02-19 04:43:29 -08:00
Christian Blichmann
d578b18c22 Modernize the transaction API
PiperOrigin-RevId: 295712938
Change-Id: Iaf4c9668bb0b48555679fef822fe424277540d1f
2020-02-18 05:27:38 -08:00
Wiktor Garbacz
5b1119aa6d Internal change
PiperOrigin-RevId: 295579669
Change-Id: I2488a87a78cf76f0d4ddf73d115e443bd801e420
2020-02-17 06:54:52 -08:00
Sandboxed API Team
05280287e0 Automated rollback of commit 800339d672.
PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
2020-02-17 10:39:08 +01:00
bielec
800339d672 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 294640297
Change-Id: I4c6520685a658f8b7762af238588830f71b3f54a
2020-02-17 10:38:44 +01:00
Wiktor Garbacz
f1ce6fcb87 Internal change
PiperOrigin-RevId: 292529030
Change-Id: Ie6b315d9edd5f253386474be4afff1a59e24a91e
2020-01-31 05:39:25 -08:00
Sandboxed API Team
daa1c7a64e Allow sandboxee to read from /proc when sanitizers are allowed.
Sanitizers read from /proc. For example:
69445f095c/lib/sanitizer_common/sanitizer_linux.cpp (L1101)

PiperOrigin-RevId: 292363903
Change-Id: Icc383ededcad363b4e96f5551f140f012b07b495
2020-01-30 09:30:42 -08:00
Sandboxed API Team
b9c866410d Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326427
Change-Id: Iebd745bf0c6b0b14e090462a9df44ebd7d374c7d
2020-01-30 05:07:40 -08:00
Sandboxed API Team
54cd192442 Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326369
Change-Id: I47cb8416b198872c96921207e257745451285680
2020-01-30 05:06:55 -08:00
Wiktor Garbacz
539d1cac34 Replace if (!cond) { LOG(FATAL, msg) } with CHECK(cond, msg)
PiperOrigin-RevId: 291916344
Change-Id: Ib522a3f202b20bf8f1ab4ca5774952d4b8f43e91
2020-01-28 05:59:33 -08:00
Wiktor Garbacz
d88c9f7598 Log mount flags in human readable format
PiperOrigin-RevId: 291690800
Change-Id: I6c4acdad93aeed29616d1ea44f797dad6fc7f277
2020-01-27 03:19:56 -08:00
Wiktor Garbacz
d74215d30d Properly test read-only mounts
PiperOrigin-RevId: 291337704
Change-Id: I806d0d09051ab205813d6626ea70e9e57a28a7a5
2020-01-24 02:38:11 -08:00
Wiktor Garbacz
e3d638466d Internal change
PiperOrigin-RevId: 290621061
Change-Id: I4b575ac65a9c225453552db74416eed45f1f4ebd
2020-01-20 08:35:24 -08:00
Wiktor Garbacz
bd22a18f87 Internal change
PiperOrigin-RevId: 290586117
Change-Id: I637ca27121ef541d48a717903496cab256214a0a
2020-01-20 02:55:04 -08:00