Commit Graph

726 Commits

Author SHA1 Message Date
Chris Kennelly
e61a84979a Internal change
PiperOrigin-RevId: 413954176
Change-Id: Ie07c1c8d96019e1605ea3b9ed58030754954ee97
2021-12-03 09:34:32 -08:00
Wiktor Garbacz
e4ef46631d Replace raw_logging with regular logging in Monitor
PiperOrigin-RevId: 413928700
Change-Id: I0bc4dd86b45c0ddd679a435003fbad2aea27fbf2
2021-12-03 07:17:36 -08:00
Wiktor Garbacz
2fa92bf47c Internal change
PiperOrigin-RevId: 413911008
Change-Id: I59cdac60c092f31fb487f032b3489341c0ba626a
2021-12-03 05:21:01 -08:00
Wiktor Garbacz
c3308b56fc Replace deprecated AddTmpfs call
PiperOrigin-RevId: 413907279
Change-Id: I3a32be4b19acab8b2b2092961df3dd9f3699261b
2021-12-03 04:56:40 -08:00
Christian Blichmann
4a6e005155 Make PtrXXX() family of functions public
PiperOrigin-RevId: 413616359
Change-Id: I553c17f0668708b00fdb12a21109ed45aeba6c66
2021-12-02 01:41:59 -08:00
Sandboxed API Team
a096056263 Automated rollback of commit b72078f692.
PiperOrigin-RevId: 413442229
Change-Id: I48d03ce200160da1c86faec29b2ca51fb1ead834
2021-12-01 09:54:44 -08:00
Sandboxed API Team
b72078f692 Automated rollback of commit 6a6c931317.
PiperOrigin-RevId: 413362657
Change-Id: Ie75672101b2aba4183f9aa3e39679a99f309e155
2021-12-01 02:56:59 -08:00
Wiktor Garbacz
f5fbe8cce5 Internal change
PiperOrigin-RevId: 413351344
Change-Id: I93962c43649fab1f73b3960044563e54449af271
2021-12-01 01:48:41 -08:00
Christian Blichmann
6a6c931317 Move away from multiple inheritance
This change is a first step to make the SAPI variable hierarchy more sensible.
It turns the `Reg<T>` class into a descendant of `Pointable`, but without
making its `PtrXXX()` methods public (hence the `using` statements). Further
changes are needed to restructure this.

There are no functional changes and the class sizes, including vtables, should
not change.

PiperOrigin-RevId: 413333120
Change-Id: I90ceeaeb7aea482016f8f4bee81489d5a9db9ade
2021-11-30 23:46:59 -08:00
Christian Blichmann
85a463372f Sandbox2: Mark tests that won't run under QEMU user emulation
PiperOrigin-RevId: 412861975
Change-Id: I0f168bc71b5738ed55b836f148ded94bf397d27d
2021-11-29 05:20:48 -08:00
Christian Blichmann
c2b7cffe78 Minielf: Use a template to load integers
Different versions of the `elf.h` header define their own integer types. For
example, even on LP64 systems, a 64-bit ELF integer types may decay into
`unsigned long long` instead of `unsigned long`.

This change replaces the various overloads with a single function template
that is well-defined for all integral types.

PiperOrigin-RevId: 410746713
Change-Id: I4b560f7541802372f01ae3d6f4a56554e51d70c8
2021-11-18 02:16:26 -08:00
Sandboxed API Team
dcfd85d74e Extend existing CPU architecture spellings in config header and define platform spellings.
PiperOrigin-RevId: 410474889
Change-Id: I41f870ad49e2203a6bdf833102c0d0a9cafa7af4
2021-11-17 02:41:07 -08:00
Wiktor Garbacz
e86322db84 Fix a race between NotifyMonitor/AwaitResult
PiperOrigin-RevId: 410463096
Change-Id: I370705131ac78f26736646596189d8cad2bb70c2
2021-11-17 01:40:42 -08:00
Sandboxed API Team
04503f9bbe Replace <bits/local_lim.h> with <climits>
PiperOrigin-RevId: 409932987
Change-Id: I388aca627d6d0f3c9d5721e66574fb8af85cc8f4
2021-11-15 03:16:28 -08:00
Sandboxed API Team
9541b657ad Use alias s6_addr instead of direct field access.
PiperOrigin-RevId: 409908616
Change-Id: I18f87b41eae3f96fd60b8cd14073bd8df66fae98
2021-11-15 01:01:20 -08:00
Sandboxed API Team
2727714012 Expose unwind symbol helpers.
PiperOrigin-RevId: 409391470
Change-Id: Iad14caabbada1278216e5e28ba55bae8dc8b9b2b
2021-11-12 05:59:51 -08:00
Wiktor Garbacz
26da6e6b0a Safer and more efficient custom syscall policies
Generate syscall jump table without using bpf_helper.
Check that any jump in the user provided policy is within the provided policy.

PiperOrigin-RevId: 409362089
Change-Id: I31493e52cf868e4b184ff79fcb26beeb75f49773
2021-11-12 02:44:41 -08:00
Wiktor Garbacz
c95837a6c1 Check and limit seccomp policy length.
PiperOrigin-RevId: 409129756
Change-Id: Ib9937495966f545fb980eba04393db640af2325f
2021-11-11 06:10:40 -08:00
Sandboxed API Team
00747d5241 Allow getpid call for log forwarding.
PiperOrigin-RevId: 407865992
Change-Id: Ia14dc5cc1628337292586955f1c17a8d8f2995de
2021-11-05 11:16:45 -07:00
Tony Li
cfb9e031dd
fix typo, master branch -> main 2021-10-17 22:52:57 -07:00
Christian Blichmann
d85f40b8b0 Modernize namespace_test a little
PiperOrigin-RevId: 402795383
Change-Id: Ia576259078f40a3ca6b96094bd15c3ea7b0b79d9
2021-10-13 04:17:46 -07:00
Christian Blichmann
1260b5f38b Move example sandboxes out of lib directories
This is mainly so that the structure of the examples follows what we do
internally (not having separate directories).

PiperOrigin-RevId: 402298115
Change-Id: I0f542607b88597572de39532364816f80a076697
2021-10-11 07:59:25 -07:00
Christian Blichmann
2c42654333 Improve examples
- CRC4: More readable policy, added explanatory comment
- Use `AllowLlvmSaniters()` in policies

PiperOrigin-RevId: 402296504
Change-Id: I6853199abedf2441eaffff9186d4d354c142e485
2021-10-11 07:50:27 -07:00
Christian Blichmann
d05dc7ba02 Reduce visibility of internal member function
This is the first change in a series that will eventually remove Sandboxed
API's use of multiple inheritance.

Drive-by:
- Rename short member names to full words
- Some reformatting
PiperOrigin-RevId: 402270954
Change-Id: I8af46b887921265a371b85603fd158ef3a8fab50
2021-10-11 05:38:01 -07:00
Christian Blichmann
df1c31188d Fix sums test under MSAN by allowing Scudo to add MAP_NORESERVE in mmap()
Note: This change allows `MAP_NORESERVE` generally, not just for MSAN. This follows
what we do for `AllowTcMalloc()/AllowSystemMalloc()`
PiperOrigin-RevId: 402231980
Change-Id: Ifa1c6b9f61f636dd6db231dde3765c3b4a40911b
2021-10-11 01:22:17 -07:00
Christian Blichmann
221e929018 Include shell-based tests in OSS builds
These were previously dependent on an internal-only testing target.

For now, this only works with Bazel, but should enable us to have better test coverage in GitHub actions.
Eventually, all of these shell-based tests should be converted to `cc_test`s.

PiperOrigin-RevId: 400713615
Change-Id: I1cabb5b72977987ef4a1803480f699b58c4d56e9
2021-10-04 07:18:36 -07:00
Christian Blichmann
98e590463b Internal change
PiperOrigin-RevId: 400144449
Change-Id: Ic0cbd6a3b27012cfb406694bdf2944a5b9905580
2021-10-04 07:18:06 -07:00
Sandboxed API Team
4050f34efc Internal Change
PiperOrigin-RevId: 399850339
Change-Id: I1cbb4d7510bff3ab4a4559cb3252dcf79d2a06b8
2021-09-29 22:12:26 -07:00
Christian Blichmann
90d1867026 Remove deprecated sapi::StatusOr<> forward declaration
PiperOrigin-RevId: 399663835
Change-Id: I92255a68e50a3b9130d3e222a2e353ee2e599c18
2021-09-29 05:39:10 -07:00
Christian Blichmann
f6d9e7fd7c Fix warning about multi-line comment
PiperOrigin-RevId: 399648071
Change-Id: I793a640310d772804726527761ad911772ff19c6
2021-09-29 03:44:32 -07:00
Wiktor Garbacz
d9d2f0e5de Use regular logging in fork client
PiperOrigin-RevId: 399623764
Change-Id: I5eaf0ff7f24e7b61c84ff9dacf8cd53889cc83d0
2021-09-29 00:46:12 -07:00
Sandboxed API Team
fb81c00fd1 Replace auto with explicit type declarations
PiperOrigin-RevId: 399419917
Change-Id: I4b7acd8ab6e2542e2971b29bed0745378b2b6743
2021-09-28 05:50:57 -07:00
Sandboxed API Team
448f393c29 Enable mmap for msan (it's already enabled for asan and tsan)
PiperOrigin-RevId: 399163710
Change-Id: I2cebb6136adb00a53e4baf18d343cf80191efcb0
2021-09-27 05:08:45 -07:00
Wiktor Garbacz
c29c510e30 Log when global forkserver is started and its exit status
PiperOrigin-RevId: 398232735
Change-Id: Ia0628cf2dee51a94938dae82bcb392384feeb74c
2021-09-22 07:16:43 -07:00
Wiktor Garbacz
b470a6ece5 Make the fd cleanup test less brittle
PiperOrigin-RevId: 398229418
Change-Id: If8af43f33b07839ea8d46b85ff77efa8557a31a8
2021-09-22 06:57:55 -07:00
Catalin Patulea
b5fb483b11 Fix formatting of pgoff.
PiperOrigin-RevId: 397763298
Change-Id: I027ef4cd381247521ee2bcce57a17c9d480efb22
2021-09-20 09:02:14 -07:00
Christian Blichmann
c400f92eaa (Mostly) internal change. Add pid() accessor.
PiperOrigin-RevId: 397070773
Change-Id: I9ebac9078f3866ef3e0061ec79da5c9f71e5f480
2021-09-16 06:57:44 -07:00
Kevin Hamacher
aea8bb2ed0 Automated rollback of commit 2036f5b2f0.
PiperOrigin-RevId: 395893427
Change-Id: Iabd32de9cd83de5cc8567834e1f91e48c521ac60
2021-09-10 03:34:44 -07:00
Sandboxed API Team
2036f5b2f0 Automated rollback of commit 4b018757c3.
PiperOrigin-RevId: 395067992
Change-Id: I5db335ed881aa81748a0fc8082091b160fe83e86
2021-09-06 04:07:11 -07:00
Kevin Hamacher
4b018757c3 Use absl::flat_hash_set + Status in favor of std::set in the sanitizer API
PiperOrigin-RevId: 395061068
Change-Id: I31548eb6fc9f27f55acf25bd6d3d0b941a529e63
2021-09-06 03:15:39 -07:00
Kevin Hamacher
eb2c5a66f4 Rework GetListOfFDs API
PiperOrigin-RevId: 395043959
Change-Id: I77ce13f0c786d3644971ed239f3106319667e979
2021-09-06 01:01:19 -07:00
Christian Blichmann
289adcff06 Internal change.
For OSS, this change should be mostly a no-op. Visible edits are due to
changed order of code and/or includes.

PiperOrigin-RevId: 394177395
Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
2021-09-01 01:28:19 -07:00
Catalin Patulea
9ab330dc7a 'Map' symbols: add pgoff to disambiguate multiple mappings on same object.
PiperOrigin-RevId: 391520785
Change-Id: Icb05e60f778acfb9fe6f519911ce54bec65fc4ff
2021-08-18 07:14:31 -07:00
Wiktor Garbacz
59f5fa8042 Allow collecting stacktraces on normal process exit
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.

PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
2021-08-16 03:13:15 -07:00
Sandboxed API Team
7b31deaed8 Delete deprecated sapi::Sandbox::IsActive and its remaining call sites.
PiperOrigin-RevId: 390412024
Change-Id: Iab3853b3c40dd4e9b0ff31532e8c41c2583ebc4e
2021-08-12 11:00:51 -07:00
Sandboxed API Team
dae91ff082 Fix Symbolize* tests.
PiperOrigin-RevId: 390372065
Change-Id: I1ddc9dd9238795eb0674e04c20a5c91a68582027
2021-08-12 08:03:52 -07:00
Sandboxed API Team
d631154ce5 Delete deprecated sapi::Sandbox::GetRpcChannel and its remaining call sites.
PiperOrigin-RevId: 389968873
Change-Id: Ia72e0064fa57679180f9c406f96266473f8461c2
2021-08-10 13:50:15 -07:00
Wiktor Garbacz
773dc6b18b Do not fail-hard in global forkserver startup
PiperOrigin-RevId: 389816114
Change-Id: Icd672028ff224cf01095d6590fe1cc2adb312316
2021-08-10 00:33:29 -07:00
Sandboxed API Team
165c155a08 Delete deprecated sapi::Sandbox::GetComms and its remaining call sites.
PiperOrigin-RevId: 389716023
Change-Id: I092bc37f3f3bb40554b627f9dd528525b60d67a1
2021-08-09 13:49:45 -07:00
Sandboxed API Team
3f0875798d Delete deprecated sapi::Sandbox::GetPid and its remaining call sites.
PiperOrigin-RevId: 389713115
Change-Id: I1832e759016a581e10bf5bd8b5b70244b40ecd69
2021-08-09 13:36:15 -07:00
Wiktor Garbacz
0621e06a9c Allow recovering from global forkserver failure
PiperOrigin-RevId: 389164847
Change-Id: I40bc3b6d3bea28ee8954ea2a11a0427a6c05da35
2021-08-06 06:54:05 -07:00
Wiktor Garbacz
fe709502f4 Wait for global forkserver when shutting it down
Otherwise starting forkserver multiple times will result in zombie processes lingering around.

PiperOrigin-RevId: 388926497
Change-Id: Ia9947cce3d9e909edd709b0d3525e1ae8b8bbc51
2021-08-05 07:07:35 -07:00
Wiktor Garbacz
e88755256d Use FDCloser in Executor extensively
Also really own `exec_fd_` as previously if the executor is destructed without calling `StartSubProcess` the file descriptor would leak.

PiperOrigin-RevId: 388901766
Change-Id: I6bbb15ced37a0a832ec5a5228452a3d54ef46ee9
2021-08-05 04:16:11 -07:00
Wiktor Garbacz
80ad7bb2b0 Replace a CHECK with a warning
PiperOrigin-RevId: 388893117
Change-Id: I0b0ccf2045aea09d31ae1605b205aab456bd8550
2021-08-05 03:03:24 -07:00
Christian Blichmann
8b1dfd7343 Fix factory method sapi:✌️:Proto<>::FromMessage
This was missing a friend declaration in order to actually compile.
It's now being used in the "stringop" example, so we test it as well.

Drive-by:
- Do not copy the proto's bytes the constructor, but use `std::move`
PiperOrigin-RevId: 387774353
Change-Id: Ic8824af911ac744e2e68130e1f4673c4dddd4939
2021-07-30 03:55:17 -07:00
Christian Blichmann
fd20eb0b4d Reorder error logging before Terminate()
Calling `Terminate()` issues additional syscalls that may clobber the `errno`
value. Reordering the log statements ensures we actually log the initial error
in `read()`/`write()`.

PiperOrigin-RevId: 387576942
Change-Id: I0f9c8c6001e6dc4ca098abe02cd251029f92a737
2021-07-29 07:12:02 -07:00
Christian Blichmann
f14aeee0ad Internal change.
PiperOrigin-RevId: 387565158
Change-Id: I7b5293b614fae74abae1f9a347b0ef414028b8ea
2021-07-29 05:52:19 -07:00
Christian Blichmann
85c58dc2d7 Reduce logspam: Log Tomoyo LSM check only with VLOG
PiperOrigin-RevId: 387114844
Change-Id: Ib670799e3327fcc991ad012ccee20b96089c2f48
2021-07-27 08:32:10 -07:00
Christian Blichmann
ccd7b03026 Introduce sapi::OsErrorMessage() for error handling
This should make handling OS error less repetetive.

PiperOrigin-RevId: 387074642
Change-Id: I09b8c5e37e7f7b08341e22ba01ccda21a916a4bc
2021-07-27 04:10:04 -07:00
Paul Wankadia
bb6ae1d4ab Introduce AllowRestartableSequencesWithProcFiles() and tidy up.
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that
get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs
there are. Unfortunately, some of those sandboxes also disable namespaces. The
solution is to provide two functions: AllowRestartableSequencesWithProcFiles(),
which allows syscalls and files; and AllowRestartableSequences(), which allows
syscalls only. Sandboxes should usually call the former; sandboxes that disable
namespaces should instead call the latter and are responsible for allowing the
files via the deprecated Fs mechanism.

2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags.

3. Order the code and the comments identically for better readability.

PiperOrigin-RevId: 386414028
Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
2021-07-23 02:23:22 -07:00
Christian Blichmann
9c21744460 Revert memfd file sealing for embeded files
Ideally, we'd seal the embedded SAPI binary using fcntl(). However, in rare
cases, adding the file seals `F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW |
F_SEAL_WRITE` results in `EBUSY` errors.

This is likely because of an interaction of `SEAL_WRITE` with pending writes
to the mapped memory region (see `memfd_wait_for_pins()` in Linux'
`mm/memfd.c`). Since `fsync()` is a no-op on memfds, it doesn't help to
ameliorate the problem.

On systems where it is enabled, ksmd might also be a source of pending writes.

PiperOrigin-RevId: 385741435
Change-Id: I21bd6a9039be4b6298774e837ce3628180ed91a8
2021-07-20 02:29:21 -07:00
Christian Blichmann
7b711b85e8 Rename static singleton accessor
PiperOrigin-RevId: 384699374
Change-Id: I674baffc77bc6b3815f94512058a14d37d164c6f
2021-07-14 08:00:59 -07:00
Wiktor Garbacz
34c7be759a Another round of file descriptor handling fixes
PiperOrigin-RevId: 384646707
Change-Id: Ia1b51a348bcb2a1426ba26a4ed045b0522168745
2021-07-14 01:33:34 -07:00
Christian Blichmann
5267d14248 Take a vector in Policy::AllowUnsafeKeepCapabilities()
The existing function signature took a `unique_ptr<>` owning a vector, and
took `nullptr` to mean an empty set of capabilities. This is more naturally
modeled by taking the vector directly and `std::move`-ing it.

PiperOrigin-RevId: 384214849
Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
2021-07-12 05:43:21 -07:00
Christian Blichmann
002cb9ae01 More efficient fork request handling and #Cleanup
- Assign to `*mutable_XXX()` instead of looping
- Use a const ref for capabilities

PiperOrigin-RevId: 384192675
Change-Id: I4db3d0c8ce0d7f6acc9fd486a2409962516b5fe7
2021-07-12 02:37:42 -07:00
Paul Wankadia
372b8e2696 Fix constant name in log message
PiperOrigin-RevId: 384187707
Change-Id: I3d322f6d00fa63fc7a2b33f8c7844c4291e4fef1
2021-07-12 01:56:42 -07:00
Christian Blichmann
a290ffc8bc Seal memfd in embed_file.cc
PiperOrigin-RevId: 383358851
Change-Id: I839a9b816f9c7f486908fbccdc3ecd621bd1c402
2021-07-07 00:58:57 -07:00
Wiktor Garbacz
424c543eb7 Automated rollback of commit 4a38f59728.
PiperOrigin-RevId: 381815277
Change-Id: I344c9bb1a505cc0a0dcf7e9ff979c172c484d963
2021-06-28 02:03:06 -07:00
Wiktor Garbacz
fe2ee5dfac Do not expose stack_trace.h in public API
PiperOrigin-RevId: 381412175
Change-Id: I30729c5af378c358e6400e4b7366d435518ae7d7
2021-06-25 00:03:54 -07:00
Wiktor Garbacz
fe08d724e4 Simplify the dup fix and add better error handling
Original fix might fail if RLIMIT_NOFILE is set to 1024.

PiperOrigin-RevId: 381034115
Change-Id: I39e33a90083533cf85eb04072604665c299b861f
2021-06-23 08:14:01 -07:00
Sandboxed API Team
4a38f59728 Automated rollback of commit a850aa44d2.
PiperOrigin-RevId: 380897565
Change-Id: Iacc50697a5ff25b79272a1549291bbf32152d3f6
2021-06-22 14:50:33 -07:00
Wiktor Garbacz
0ec4f07f96 Fix rare failure while starting the global forkserver
This bug only manifests if a lot of fds are open when global forkserver is started.
If the allocated exec_fd number was equal Comms::kSandbox2ClientCommsFD then it would be replaced by the comms fd and result in EACCESS at execveat.

PiperOrigin-RevId: 380805414
Change-Id: I31427fa929abfc60890477b55790cc14c749f7f5
2021-06-22 07:48:58 -07:00
Wiktor Garbacz
a850aa44d2 Better error handling in stacktraces
PiperOrigin-RevId: 380789060
Change-Id: I655428fd45bf305f787b75cc925d31c6ab60c074
2021-06-22 05:52:15 -07:00
Wiktor Garbacz
e5cfce71a3 Add new x86-64 syscalls
PiperOrigin-RevId: 377460610
Change-Id: I06833ca7fcc88447ed482e9e6914b9113781a114
2021-06-04 01:01:34 -07:00
Wiktor Garbacz
e87a052e61 Fix restarting global forkserver
PiperOrigin-RevId: 376643949
Change-Id: I5811e8b8a9f5e74cab21d021c8e83b2a4b91818a
2021-05-31 02:19:28 -07:00
Sandboxed API Team
aa568597b0 Add rt_sigprocmask to AllowLogForwarding
PiperOrigin-RevId: 376142747
Change-Id: I6470a6eea8a4e85b0921de6dc332097a6c9440a4
2021-05-27 04:40:28 -07:00
Christian Blichmann
d73f80cfa5 Enable AArch64 syscalls in examples
PiperOrigin-RevId: 375923215
Change-Id: I9523a074579975379b1a9d4644497268781499e1
2021-05-26 05:47:37 -07:00
Sandboxed API Team
f159359f65 Automated rollback of commit 5bb161b0db.
PiperOrigin-RevId: 375047066
Change-Id: I09ce8aafa92337c79a61f0f757ec66be2b2cefdc
2021-05-21 02:59:34 -07:00
Sandboxed API Team
5bb161b0db Automated rollback of commit e97ecfb955.
PiperOrigin-RevId: 375044368
Change-Id: Ib8bcf5d67e70fb37ef330c1433056343674a9f14
2021-05-21 02:38:05 -07:00
Christian Blichmann
e97ecfb955 Internal change
PiperOrigin-RevId: 375038366
Change-Id: I9180c2dc544d5ba12a73a67f5613e0c44e962505
2021-05-21 01:44:47 -07:00
Christian Blichmann
ab469deac3 Internal change
PiperOrigin-RevId: 374874118
Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63
2021-05-20 08:17:10 -07:00
Wiktor Garbacz
78d749380b Fix a data race in Comms
PiperOrigin-RevId: 374397564
Change-Id: I630a7587242b7b25364aa66158d86d53aff5c343
2021-05-18 05:48:54 -07:00
Wiktor Garbacz
a986278550 Raw logging should not allocate memory
PiperOrigin-RevId: 374396461
Change-Id: I709103c7834d4803a26a0b292f342a3d629d332c
2021-05-18 05:37:38 -07:00
Christian Blichmann
2d3a040f64 Minor cleanup/formatting changes
PiperOrigin-RevId: 374164136
Change-Id: I505cbc3ac9f899ed965cde66aaae1aba55a90c64
2021-05-17 04:07:08 -07:00
Christian Blichmann
ca6ec4337d Add workaround for active Tomoyo LSM
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
Christian Blichmann
5c7903ecd9 Check for either violate() or ViolateIndirect() in stack trace
Depending on architecture and optimization level, the compiler may choose to
not generate full stack frames, even with no-inline and no tail-call
attributes.

PiperOrigin-RevId: 372339987
Change-Id: I42043131bbb6092ff234e80ae9047f7a2bf31161
2021-05-06 07:36:13 -07:00
Christian Blichmann
0750216bc1 Make stack trace test more resilient against optimizer
This fixes tests for PPC, where the tail-call optimization would consistently
remove 'violate()' from the stack trace.

PiperOrigin-RevId: 371103794
Change-Id: Ifb1a7d588a455041a6b0f3c763276ed44de47e60
2021-04-29 06:01:24 -07:00
Christian Blichmann
00a7cc5a33 Use sapi::file::GetContents() and light Mini-ELF refactoring
Plus some style fixes.

PiperOrigin-RevId: 370901533
Change-Id: If4f9d7c3157fdfc2ca4302b06cd95e96e7a8ebdd
2021-04-28 07:49:17 -07:00
Christian Blichmann
08e1e733a0 Update third-party dependencies
Also include-what-you-use the `signal.h` header.

PiperOrigin-RevId: 370433834
Change-Id: I934fe6fbf65091e365127db0fc4544499720841c
2021-04-26 05:00:30 -07:00
Christian Blichmann
ab7943abdc Simplify ptrace emulation and code style fixes
PiperOrigin-RevId: 369862187
Change-Id: Ia0759c320cde1c9e3798f0df5c2a0d50ca20fd71
2021-04-22 06:56:45 -07:00
Wiktor Garbacz
d9824dff16 Use absl::Span in BPF disassembler
PiperOrigin-RevId: 369636095
Change-Id: I13a8ae08ba354e54c502e0f6cdd35287fdfbb723
2021-04-21 05:33:12 -07:00
Catalin Patulea
4344bbceba Add optional VLOG(1) for additional process info on Syscall Violation.
PiperOrigin-RevId: 368900451
Change-Id: I331d0e239e2f3176c435bd42012d155d60d0b1ac
2021-04-16 12:43:08 -07:00
Christian Blichmann
be6c878b01 Internal change touching the generator rules
PiperOrigin-RevId: 368802693
Change-Id: Ia0102d1a92a49b807d4432ee3d0a6a02f528ef00
2021-04-16 01:38:08 -07:00
Catalin Patulea
d5bd1cb38f Pretty-print ptrace event name on WIFSTOPPED.
PiperOrigin-RevId: 368688417
Change-Id: I4368268f1b05148213010768a6d4eaa87211ea45
2021-04-15 12:02:11 -07:00
Wiktor Garbacz
c15b5cb123 Log more info for seccomp setup failure
PiperOrigin-RevId: 368618345
Change-Id: Ia1559ece8f83cf27623adab4baa141cd8cfdf143
2021-04-15 05:09:38 -07:00
Wiktor Garbacz
6a679a407d Automated rollback of commit 54ac8f86fc.
PiperOrigin-RevId: 368616441
Change-Id: I6ff53b730b44b5f08986be62b32fda13932ec19a
2021-04-15 04:54:14 -07:00
Wiktor Garbacz
54ac8f86fc Automated rollback of commit 2ff96ba0e7.
PiperOrigin-RevId: 368597960
Change-Id: Ifa6c8a57fbd7761fb5e121b589a49ad67333e7cd
2021-04-15 02:17:50 -07:00
Wiktor Garbacz
2ff96ba0e7 Add missing TSAN syscalls
PiperOrigin-RevId: 368427218
Change-Id: I73cd330028b805d8a86712936fb0c5103ce9914a
2021-04-14 07:39:13 -07:00
Wiktor Garbacz
bc6bb0c7e5 Fix Mounts::ResolvePath for dir nodes.
PiperOrigin-RevId: 368390904
Change-Id: I4f59e8d74b0d81497255cb0838d6d3132cae160b
2021-04-14 02:45:41 -07:00
Martijn Vels
2efaa463c9 Implement enabling RSEQ inside AllowTcMalloc in terms of AllowRestartableSequences()
PiperOrigin-RevId: 368208391
Change-Id: Ie1204cb3a0824ebe54b770e2669ae31f7932ed51
2021-04-13 07:14:55 -07:00
Christian Blichmann
5eb412ac32 Internal change
PiperOrigin-RevId: 368172152
Change-Id: Ie1479862473bfef7f08d555109a577d47bfbabc7
2021-04-13 01:58:11 -07:00
Wiktor Garbacz
00649577d9 Fix Reg<long double> for MSAN
On x86 `long double` has 10 bytes of meaningful data, but `sizeof(long double)` is 16 - the remaining bytes are random garbage.

Roll forward after fixing a bug in the original commit.

PiperOrigin-RevId: 368170639
Change-Id: I4a1d2d95b92eed6b71c37145726f7320cfc00ba0
2021-04-13 01:44:01 -07:00
Sandboxed API Team
141fe911f5 Automated rollback of commit 16880d4e3c.
PiperOrigin-RevId: 367459654
Change-Id: I93e13da18cb322c13f7c3e3a3ca4e301ccc49fdd
2021-04-08 10:38:01 -07:00
Wiktor Garbacz
16880d4e3c Fix Reg<long double> for MSAN
On x86 `long double` has 10 bytes of meaningful data, but `sizeof(long double)` is 16 - the remaining bytes are random garbage.

PiperOrigin-RevId: 367423349
Change-Id: I769b3444ce4fa60f941ccd2115b0b09ccc809f13
2021-04-08 07:10:37 -07:00
Christian Blichmann
17f561f221 Use explicit conversion to std::string for look up in Protobuf maps
This is needed for some compiler versions where `absl::string_view` == `std::string_view`.

PiperOrigin-RevId: 367392064
Change-Id: Id91d23510501df4745f386475ef9049d94062e1b
2021-04-08 02:51:29 -07:00
Christian Blichmann
55049983c4
Add more compiler variants to GitHub Actions
This changes the workflow definition so that we always try to install
compiler toolchains that we need.

See https://github.com/actions/virtual-environments/issues/2950 for more
context.

Drive-by:
- Mini fix to enable compilation under Clang 6.0

Signed-off-by: Christian Blichmann <cblichmann@google.com>
2021-04-07 15:23:23 +02:00
Wiktor Garbacz
bc9d7a8db6 Properly handle unsigned-by-default char types
PiperOrigin-RevId: 364774936
Change-Id: I2e411555d98cad128945949ea3eedb045af0421d
2021-03-24 04:48:16 -07:00
Wiktor Garbacz
1be4d04f4e Avoid tail-call optimization in "violate" testcase
PiperOrigin-RevId: 364523883
Change-Id: I5e43534d7db37b4c16f18fc3326714664ab0ae00
2021-03-23 03:51:09 -07:00
Vincenzo Petrolo
34dcd72d7d
fix typo
Signed-off-by: Vincenzo Petrolo <vincenzo@kernel-space.org>
2021-03-22 13:08:58 +01:00
Wiktor Garbacz
df840ae38f Fix order-dependent test.
PiperOrigin-RevId: 363639702
Change-Id: I39f7ca1b4a2c65fe027bcc6ed71b10c2dcf46ca0
2021-03-18 05:56:40 -07:00
Christian Blichmann
03bf9f72c0 Replace usage of deprecated functions within Sandboxed API
PiperOrigin-RevId: 363637782
Change-Id: I804d60fb3990f891416f06d36cb71b094daf3e37
2021-03-18 05:39:50 -07:00
Martijn Vels
753eacd314 Reduce requirements for restartable sequences
PiperOrigin-RevId: 361780465
Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
2021-03-09 04:33:29 -08:00
Martijn Vels
b30d56e871 Add policy helper to allow restartable sequences
PiperOrigin-RevId: 360266444
Change-Id: I0a3d2d071972bf7d6e7114a428c6954ed4bcef5c
2021-03-01 13:39:42 -08:00
Wiktor Garbacz
9979faf752 Internal change
PiperOrigin-RevId: 359245243
Change-Id: I1acea38c070e4533a0860152c66f8dbcf8c6fb7a
2021-02-24 03:06:55 -08:00
Sandboxed API Team
508c7066a6 asan uses mmap() internally, so allow mmap() calls in asan builds
PiperOrigin-RevId: 358802336
Change-Id: I26fa891cc9fffcfd32f6b18a63b39d6f2282ff7d
2021-02-22 06:02:35 -08:00
Wiktor Garbacz
298271f0a7 Deprecate IPC::comms()
PiperOrigin-RevId: 358380648
Change-Id: Iaf8f7dc0890be0e7e910649c6f519504f6b0a1a5
2021-02-19 04:43:14 -08:00
Wiktor Garbacz
3d0fa1f891 Replace GetNode with ResolvePath in Mounts
Now unwinding will properly handle binaries inside bind-mounted directories.

Drive-by:
 - Get rid of n^2 path handling
 - Get rid of namespace alias
PiperOrigin-RevId: 358353666
Change-Id: Ieec7690ec6a1ae6d358de375220566b69e8cb094
2021-02-19 00:43:34 -08:00
Sandboxed API Team
ec64f47bba Adds IsRetryable() method to Result class, currently just returns false.
Also fixes signature of `stack_trace()` method.

PiperOrigin-RevId: 356992845
Change-Id: I627caa9861cf7c0eb3496154504f0d948c789fb9
2021-02-11 09:34:23 -08:00
Christian Blichmann
42f540bc7e Be more strict about target_link_libraries()
Bazel readily enforces header visiblity for each target, CMake is more lenient.

PiperOrigin-RevId: 355407845
Change-Id: Ic59fa2162db8456d4c5cf4205c0fe42cc79874a9
2021-02-03 09:01:31 -08:00
Sandboxed API Team
637dc471ac Avoid buffer overflows when the sandboxee shrinks a shared buffer.
PiperOrigin-RevId: 355336078
Change-Id: I36aa106b3044cbc20b30718a12bd35d147c339c6
2021-02-02 23:59:12 -08:00
Wiktor Garbacz
0bbcb495ee Remove unneeded Executor ctors
absl::Span<const T> has an implicit ctor from container types.
PiperOrigin-RevId: 355155858
Change-Id: I70aea6b276b5e51f7682cba45bb2d4514cb1bc90
2021-02-02 06:55:30 -08:00
Wiktor Garbacz
8cc018a242 Internal change
PiperOrigin-RevId: 355126142
Change-Id: Iba8e54095e94f55811a92243d8af85d893418909
2021-02-02 02:41:13 -08:00
Christian Blichmann
1840083919 Avoid complex designated initializer, initialize internal struct padding
The former is to fix compilation on GCC 7, the latter to satisfy MSAN.

PiperOrigin-RevId: 355114355
Change-Id: I5c89a65df16fe9338bcfa24b2e48c246d240ce62
2021-02-02 00:56:58 -08:00
Christian Blichmann
55a8373ec3 Avoid sanitizer macros use Abseil's where necessary
Using C++17 means we can get rid of many `#ifdef`s by using `if constexpr`.
This way, we ensure that both branches compile and still retain zero runtime
overhead.

Note that open source builds of Sandboxed API do not ship with sanitizer
configurations yet. This will be added in follow-up changes.

PiperOrigin-RevId: 354932160
Change-Id: I3678dffc47ea873919f0a8c01f3a7d999fc29a5b
2021-02-01 07:11:15 -08:00
Sandboxed API Team
6dcef3d5c9 Integrate LLVM at llvm/llvm-project@1c762a81d2
Updates LLVM usage to match
[1c762a81d20f](https://github.com/llvm/llvm-project/commit/1c762a81d20f)

PiperOrigin-RevId: 354567452
Change-Id: I29758805e7e2030d014bbc0007f5c548f119246f
2021-01-29 11:02:56 -08:00
Wiktor Garbacz
552a510777 Fix overload for Executor ctor calls with brace-initializers
PiperOrigin-RevId: 354319778
Change-Id: I7b47ef2de734683f9168ef80f8b29357532d51ff
2021-01-28 08:43:22 -08:00
Wiktor Garbacz
ec870c3d15 Simplify Executor ctor hierarchy
Also accept `absl::string_view` and `absl::Span<const std::string>` arguments.

Drive-by:
 - Move using declaration into namespace
PiperOrigin-RevId: 354271016
Change-Id: Iadd873377e51cac7fa3800aab1f9e85ff94bd4e9
2021-01-28 02:20:37 -08:00
Christian Blichmann
a617f4e8f0 Improvements to limits.h header
- Directly initialize member fields
- Reword comments

PiperOrigin-RevId: 354093192
Change-Id: I19852c3f2bd1b05ed280102b0bed1ea62d8c4adc
2021-01-27 08:05:25 -08:00
Christian Blichmann
6f33cef716 Allow FUTEX_WAKE for recent libc allocators
PiperOrigin-RevId: 353827808
Change-Id: I6d1509016297fd16bec0ae6ea263896a1af9dc37
2021-01-26 02:32:26 -08:00
Christian Blichmann
1459cc612e Cleanup, fix OSS Bazel build
Bazel 4.0.0 is less lenient in handling escape sequences.

PiperOrigin-RevId: 353827443
Change-Id: I972841464449ed2262a0ef486343ae1ed444ad3c
2021-01-26 02:29:08 -08:00
Wiktor Garbacz
b98bed9860 Internal change
PiperOrigin-RevId: 353233756
Change-Id: Ib658a3602097dc0288af592e21db373eb12e2077
2021-01-22 07:00:05 -08:00
Christian Blichmann
75bbd0e1c1 Internal change
Only externally visible changes should be a few changed includes as well as
some formatting changes.

PiperOrigin-RevId: 353226662
Change-Id: Iebf5be13774efcbd94c5d5a17b9b27e47275b229
2021-01-22 06:01:34 -08:00
Christian Blichmann
19fd11b91e Move GetInternalDataDependencyFilePath() into internal namespace
Implements #79

PiperOrigin-RevId: 351778836
Change-Id: I726837d8e75880bf5ddfb1a327249dd666adec53
2021-01-14 05:11:22 -08:00
Christian Blichmann
dbaf95c724 Move utility code into sandboxed_api/util
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.

Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.

PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
2021-01-13 09:25:52 -08:00
Sandboxed API Team
b61b2a37b7 Add IsStarted() method to GlobalForkClient.
PiperOrigin-RevId: 351170872
Change-Id: I5544eb27962606a562ce79b97d508f841ec0dc56
2021-01-11 09:34:13 -08:00
Sandboxed API Team
3d737e3830 Automated rollback of commit 7440916b80.
PiperOrigin-RevId: 351144593
Change-Id: Ic1401e16dcf2b6b009a9f53395929e31a68cfa77
2021-01-11 06:58:30 -08:00
Maciej Szawłowski
7440916b80 Internal tests tweak.
PiperOrigin-RevId: 351138044
Change-Id: I98e27ca5f0ea456a906c5382aa22135f21c8a1d9
2021-01-11 06:07:45 -08:00
Wiktor Garbacz
451c24c1c4 Fix fd leak
Support swapping and move assignment in FDCloser

PiperOrigin-RevId: 351119550
Change-Id: I9865d2fcad029a440cab60328b8731f8e1dc340f
2021-01-11 03:33:27 -08:00
Wiktor Garbacz
6dd0a52561 Use unique var name in SAPI_RETURN_IF_ERROR to avoid name clashes
PiperOrigin-RevId: 350724380
Change-Id: I07c11b1897043df188bbef7934b5a41185a82a79
2021-01-08 02:09:40 -08:00
Copybara-Service
918a409126 Merge pull request #78 from cblichmann:gen2-clang-path
PiperOrigin-RevId: 350524271
Change-Id: I46080c86c8e03f13a7468a73d752e968d5e9b56d
2021-01-07 03:19:55 -08:00
Christian Blichmann
f9b4083dee
Header generator: Enable to find latest Clang
This also allows to install `libclang1` instead of `libclang1-dev` as
one of the build dependencies on Ubuntu/Debian.

Signed-off-by: Christian Blichmann <cblichmann@google.com>
2021-01-07 11:15:13 +01:00
Wiktor Garbacz
195ac67c9d Fix dependencies in CMake build
PiperOrigin-RevId: 350313683
Change-Id: I133594e930cd3a710b6053de64bc94894d872241
2021-01-06 02:34:53 -08:00
Wiktor Garbacz
3e8a60c5b1 Fix raw_logging includes
PiperOrigin-RevId: 350142444
Change-Id: I15184e6e46594f7eecf75ff0a6f0961caa015f2d
2021-01-05 08:10:05 -08:00
Wiktor Garbacz
fe79c95a50 IWYU in sapi code generator
PiperOrigin-RevId: 350134692
Change-Id: I5389df8a02f6679a3881b20b599ff5d9fc81650e
2021-01-05 07:18:41 -08:00
Sandboxed API Team
142c35898c Allow TcMalloc to use membarrier syscall.
PiperOrigin-RevId: 348604579
Change-Id: Ibe54acc51597f36d1682368eb6baf1f8d45cf3dd
2020-12-22 02:50:16 -08:00
Anton D. Kachalov
d0c8224e61 Add support for ARM32 (hard float target)
This change enables support for 32-bit ARM, as used by embedded controllers and older phones.
Note: This does not support 32-bit sandboxees on AArch64. Both sandboxee and host code must have the same bitness.
PiperOrigin-RevId: 347835193
Change-Id: I6395882677530f9862f118d2dc10230a61049836
2020-12-16 09:18:25 -08:00
Chris Kennelly
324ab5974c Optimize calls to std::string::find() and friends for a single char.
The character literal overload is more efficient.

PiperOrigin-RevId: 347827459
Change-Id: I91ab1c5ea699886b6c15ad5016338063e0c98f40
2020-12-16 08:30:45 -08:00
Anton D. Kachalov
4763959227 Add pkg-config files generation.
PiperOrigin-RevId: 347812826
Change-Id: I1722d39759628ad976b99887c8406cff08195009
2020-12-16 06:46:03 -08:00
Christian Blichmann
507010781a Follow-up with more build fixes
Because any change that touches continuous integration needs a companion o.O

PiperOrigin-RevId: 347769780
Change-Id: I20525aaac2ce41c48f619b641baa31e880432e50
2020-12-16 00:09:28 -08:00
Christian Blichmann
07d4d02628 Build fixes for older GCC and Ubuntu
- Ubuntu 18.04 ships with GCC 7, which needs `std::move()` when returning an `absl::StatusOr<>`
- Ignore C++ AST nodes of type `cindex.TypeKind.UNEXPOSED` in Python generator
- Remove default values in `ubuntu-cmake.yml`

PiperOrigin-RevId: 347605109
Change-Id: Ibe167249ecf4ef1af1654d63c2e067fc02e5782d
2020-12-15 07:09:22 -08:00
Anton D. Kachalov
0e8d16e011 Enable shared libraries build and cross-compilation
This allows resource-constrained environments to benefit from the
space savings of dynamic linking. This is not meant to be used in
the general case.

PiperOrigin-RevId: 347398828
Change-Id: Ia634959148a31159878f48c44255dd733424a2b8
2020-12-14 09:16:14 -08:00
Christian Blichmann
319493f5f0 Remove FsDescription proto
FS checks are an internal feature that has been deprecated for a while in
favor of user namespaces.

PiperOrigin-RevId: 347378761
Change-Id: I1d7956cecd6db47b2b96fdedaada0b2a36f9b112
2020-12-14 07:12:59 -08:00
Christian Blichmann
c3ac45be3e Reimplement raw logging to avoid Abseil internals
The defined raw logging macros should be compatible with Abseil and
we can remove our version once Abseil releases theirs.

PiperOrigin-RevId: 347354273
Change-Id: I178a89cfd2e19bcd707a06fa9dfd7b767e2b654b
2020-12-14 03:34:02 -08:00
Anton D. Kachalov
8bf410f0bb Add gmouse@ to authors.
PiperOrigin-RevId: 347336942
Change-Id: Iaa8aef0084882ced82fb1331841bb2aa21753004
2020-12-14 03:33:52 -08:00
Wiktor Garbacz
742fafa433 Prefixed (unique) names for executables in cmake
PiperOrigin-RevId: 347335966
Change-Id: Ic8cc22b882fa489d37b636406a1a5fe51745d808
2020-12-14 01:13:31 -08:00
Sandboxed API Team
13ff7a42da Avoid double insertion of interpreter value.
PiperOrigin-RevId: 346985006
Change-Id: Id18346702cee973e487cc608ccf2bd08f40a0da6
2020-12-11 06:11:43 -08:00
Christian Blichmann
2a9320dbac Update/simplify linker flags for testcases
- Bazel: Use "incompatible" flag to fix fully static linking. The flag will
  become the default in Bazel 4.0.
- Bazel: Deduplicate features into `FULLY_STATIC_FEATURES` variable
- CMake: Remove the testcase properties. `sapi::base` already sets
  `POSITION_INDEPENDENT_CODE`. Note that `-pie` is incompatible with `-static`
  and `-static-pie` requires GCC 8 and GLIBC 2.27.

PiperOrigin-RevId: 346952478
Change-Id: I7a317c90a3bec9691b13df1a00e3fddf4481df4d
2020-12-11 01:12:05 -08:00
Wiktor Garbacz
81a68382d8 Use file helpers in minielf_test
PiperOrigin-RevId: 346949861
Change-Id: Ib323a9ecd8fd8f268f09b028d13b220d3d8b60d1
2020-12-11 00:48:23 -08:00
Sandboxed API Team
d4d58361e9 Bump Abseil-cpp version to 2020-11-19.
PiperOrigin-RevId: 346793646
Change-Id: I5dc41ed78439d117f46b08f609459e761392e802
2020-12-10 08:52:22 -08:00
Wiktor Garbacz
6d98090962 Do not fail if forkserver is disabled by env when lib_ctor is used
PiperOrigin-RevId: 346743575
Change-Id: I948aad88120746e15535e3c5270581a31a0b3d29
2020-12-10 02:49:54 -08:00
Christian Blichmann
2869e3f598 Fix missing argument in call to open() in namespace test
Calling `open()` with `O_CREAT` requires 3 arguments.

PiperOrigin-RevId: 346739861
Change-Id: I38167e9184f4755e48307eaa674277069bd4ccf8
2020-12-10 02:19:21 -08:00
Sandboxed API Team
c7d8e83d60 Declare global forkserver start mode flag in header file so it can be overridden in code more easily.
PiperOrigin-RevId: 346588150
Change-Id: I1013b928a45bab164e7db28d49be8504353dc064
2020-12-09 10:53:41 -08:00
Christian Blichmann
7ce4b24cb5 Update OSS build transform to move .github to the right place
PiperOrigin-RevId: 346538768
Change-Id: I3b25d67d1646a9bbbe4a7feefbb124f0f0679d70
2020-12-09 06:37:13 -08:00
Christian Blichmann
a2fa269080 Add GitHub workflow for CMake build
PiperOrigin-RevId: 346521211
Change-Id: Idf60be85aa3983ad625bcef53b48e8d0b797ed4a
2020-12-09 04:14:37 -08:00
Sandboxed API Team
3323ddc129 Permit sandboxee's bpf() to fail
The default policy causes immediate termination of a sandboxee that
calls `bpf`(2).

This does not allow for try-call use of `bpf()` to test for optional
features.

To support such try-call use cases, sandboxes would like to say:

```
  sandbox2::PolicyBuilder builder;
  builder.BlockSyscallWithErrno(__NR_bpf, EPERM);
```

but this doesn't work because the default policy unconditionally treats
`bpf()` as a sandbox violation.

Remove the bpf violation check from the policy if `bpf()` is explicitly
blocked with an errno.

PiperOrigin-RevId: 345239389
Change-Id: I7fcfd3a938c610c8679edf8e1fa0238b32cc9db4
2020-12-02 08:38:32 -08:00
Wiktor Garbacz
da64459e3f Allow shutting down the global forkserver
PiperOrigin-RevId: 345198374
Change-Id: I3b5c49f6e5abb76d2b0a57078ffeb0609e0be008
2020-12-02 03:05:37 -08:00
Christian Blichmann
6587e571f1 Skip entries with zero inode when parsing /proc/PID/maps
This also skips all entries that point to deleted files.

PiperOrigin-RevId: 344244273
Change-Id: Ic47c6ab0dff4eaf4b4dea2779c45685922adc608
2020-11-25 06:46:39 -08:00
Wiktor Garbacz
5001778443 Use binary search in syscall defs
The lookup is not on the hot path and this removes the SYSCALLS_UNUSED macros.

PiperOrigin-RevId: 344240762
Change-Id: I324bd798945851ac0b92e257206525eab4ec36e5
2020-11-25 06:15:29 -08:00
Wiktor Garbacz
f6247aad9d Fix SyscallTable::get to return proper table
PiperOrigin-RevId: 344236195
Change-Id: Ie370c1a771f1896c98ea387c0a84231a433c9d8c
2020-11-25 05:37:18 -08:00
Kevin Hamacher
510b5079ed Internal Change
PiperOrigin-RevId: 343296855
Change-Id: I995fa76f306fca8524a187f7fd1cbc498a92a885
2020-11-19 08:37:41 -08:00
Christian Blichmann
eaff70b558 Use actual ptrace() arguments in example
The semantics of the example remain unchanged. This change is in preparation
for the new Clang based header generator, which will parse most files in C++
mode. `ptrace`'s first argument cannot me implicitly converted from `int` in
C++.

PiperOrigin-RevId: 343280691
Change-Id: Ibc5318b19a48f1dad441e7dcdc318dc5ea6837f6
2020-11-19 06:47:31 -08:00
Christian Blichmann
c2631d88ae Improve syscall argument printing for x86-64
Updates syscall arguments mostly according to this list and more recent kernel sources:
https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#x86_64-64_bit

The list includes some more syscalls that were recently added.

Follow-up changes will do the same for x86-32, POWER and AArch64.

PiperOrigin-RevId: 341016698
Change-Id: If1771fd37a47b227ca8f572704a64190e4621a38
2020-11-06 02:55:13 -08:00
Wiktor Garbacz
5fb18d3c9d Add policy on both mmap & mmap2
PiperOrigin-RevId: 341007959
Change-Id: I3c2e74cc973d2603cf7b3a858fa8aabd05c41137
2020-11-06 01:30:18 -08:00
Wiktor Garbacz
f8a2729c32 Start global fork-server on demand
Allow disabling global fork-server with a flag.

PiperOrigin-RevId: 340860588
Change-Id: I184603dc3a81eb90f715053e14fb3b8d66a6f104
2020-11-05 08:48:03 -08:00
Christian Blichmann
c99076bf94 Replace std::unique_ptr<uint8_t[]> with vector
No need for the smart pointer indirection when an `std::vector` can also hold
the BPF policy.

PiperOrigin-RevId: 340809220
Change-Id: I8a63567e8042d9ff875cba739e8552db87b6901a
2020-11-05 02:03:46 -08:00
Christian Blichmann
7c30aebe2d Use Abseil hash maps instead of std::map<T>
PiperOrigin-RevId: 340807499
Change-Id: I2689bd1d32be45e3085dcc7a0ba4b8fedd7d53b0
2020-11-05 01:49:14 -08:00
Peter Lundblad
2955d20c9f Enable log forwarding from sandboxee if enabled by the supervisor.
If the sandboxer calls `IPC::EnableLogServer()` (and modifies the sandbox policy
accordingly), sandbox logs will be sent back to the sandboxer.

PiperOrigin-RevId: 340663308
Change-Id: I5e8d89314178dfd1b49fc25b8cd2dd02642be43a
2020-11-04 09:24:50 -08:00
Christian Blichmann
2acec65a58 Add an AllowAccess() convenience function to PolicyBuilder
Drive-by: Apply convenience functions in policies.
PiperOrigin-RevId: 340404977
Change-Id: I906106b61c1837d23ddaff15d8792ec79d3d3189
2020-11-03 02:21:21 -08:00
Christian Blichmann
728355da87 Emit non-type template args as part of forward decls
This change allows us to emit forward declarations to classes that are
templated. For headers generated by the proto compiler this is sometimes
necessary.

Note:
- This will only emit types for a single level of template instantiations.
  That is, template template arguments are not supported.
- Typedefs only occurring in template arguments will be fully desugared
  and thus will not be available under their aliased name in the generated
  API code. This is consistent with the Python based generator (which
  does not emit these at all and relies on text extraction).

Signed-off-by: Christian Blichmann <cblichmann@google.com>
2020-10-28 16:48:04 +01:00
Sandboxed API Team
ea379ef4d6 Cleans up statusor.h includes.
PiperOrigin-RevId: 339050213
Change-Id: Iea5747f907b294503cdb37e1c25cf787c7e83dcf
2020-10-26 09:08:41 -07:00
Christian Blichmann
609a370634 Build fixes and parameter passing for the Clang header generator
PiperOrigin-RevId: 338994867
Change-Id: I40f03738ae38bac4bf217c24bd935d5d3572c1f2
2020-10-26 01:42:47 -07:00
Christian Blichmann
19a8e38a51 Support AArch64 and PPC64 in third party dependencies
PiperOrigin-RevId: 338992825
Change-Id: I2f77ea8379e55007a22ad0461efc98f41a01ad44
2020-10-26 01:22:23 -07:00
Maciej Szawłowski
28bb32add6 Allow empty sapi_embedded_dir flag in the header generator - empty sapi_embedded_name still disallowed
PiperOrigin-RevId: 338656398
Change-Id: Ib2ca3d63ff9bed654669d948286f73d430753a20
2020-10-23 05:36:01 -07:00
Christian Blichmann
040d76be28 Simplify libunwind build files
Sandbox2 and SAPI only use the `unwind-ptrace-wrapped` target.

PiperOrigin-RevId: 338450188
Change-Id: Iee7d7aeda244cad90dae8b5228316f506efc3deb
2020-10-22 05:03:15 -07:00
Sandboxed API Team
834d356bce Cleans up statusor.h includes.
PiperOrigin-RevId: 337370254
Change-Id: Ibcbc2921f96d32675720ddc7adb621dd53894dfa
2020-10-15 13:25:30 -07:00
Wiktor Garbacz
29e5d03201 Use string_view instead of char* in CStr ctor
PiperOrigin-RevId: 337045297
Change-Id: If97b405cc2bf1904456bf502fc7d027c7df2ac7a
2020-10-14 02:04:05 -07:00
Christian Blichmann
afa232cc17 Clang generator: Remember "seen" types when collecting related types
This change includes a small refactoring to remember which types the generator
has already seen during header generations. Otherwise we may loop indefinitely
on certain complex types. One such type is `std::FILE` in Clang's libc++.

PiperOrigin-RevId: 335589238
Change-Id: I5bbe03b6c7fc89c743163f5534075d7912ed4e58
2020-10-06 01:04:49 -07:00
Christian Blichmann
b74cf8839b Minor ForkClient improvements
- Use a `constexpr inline` string constant for the forkserver env var
- Add annotation for the comms channel mutex

PiperOrigin-RevId: 335395005
Change-Id: Ic058c19c3704f182aa7ed7b8e8964b2fc5082800
2020-10-05 05:10:16 -07:00
Wiktor Garbacz
83a08daff7 Change int64 to size_t in Buffer
PiperOrigin-RevId: 334802978
Change-Id: I7e421b1a6a98138139003cc4dc2a548ebe366e3e
2020-10-01 06:45:38 -07:00
Christian Blichmann
575f24f5df Internal change
PiperOrigin-RevId: 334569306
Change-Id: Ibf1b3a24b57b02ce1c5e6106e5331520dfdf7112
2020-10-01 06:45:25 -07:00
Maciej Szawłowski
d806e0df3b Deferred cursor.mangled_name access - on some versions of libclang this causes sigsegv when accessing certain cursor's mangled_name
PiperOrigin-RevId: 334360148
Change-Id: I27ef72b1938052d68b65f99d05d34dcb9f7433f8
2020-09-29 05:48:27 -07:00
Sandboxed API Team
376ca05c56 Allow sandboxes to specify custom notifiers.
PiperOrigin-RevId: 334154462
Change-Id: Ia62242913731ab017a9bf8733a77a647582af243
2020-09-28 07:38:30 -07:00
Christian Blichmann
88c980218f Build fixes for recent Bazel versions
We need to add the `oss-internship-2020` and `examples/hello_sapi`
directories to `.bazelignore`, so that `bazel build ...` works on a clean
working copy. This is because the Bazel builds in these directories use their
own `WORKSPACE.bazel` and this does not nest well, leading to all kinds of
hard to debug errors.

PiperOrigin-RevId: 333728800
Change-Id: Ie2e68dd39bf6f8eb21af29d8ae3ae12971b408db
2020-09-25 07:25:31 -07:00
Maciej Szawłowski
1b8e8aa757 Disallow empty sapi_embedded_dir flag in the header generator
Ignore cursors with types that are not implemented in python bindings

PiperOrigin-RevId: 333708345
Change-Id: I618a61c960247a9bdf89bc56dcac92e2d37b3220
2020-09-25 04:30:55 -07:00
Christian Blichmann
35f9268e23 Restructure the Clang based header generator
- Support multiple input files
- Better testability
- Support for the `--sapi_isystem` argument, same as the Python generator

PiperOrigin-RevId: 333686891
Change-Id: I3e618165c1bd58bb755e1193617fb0737c29ee77
2020-09-25 01:14:18 -07:00
Wiktor Garbacz
f91f843f50 Use size_t/uintptr_t instead of uintptr_t or uint64_t where appropriate
PiperOrigin-RevId: 332449107
Change-Id: I623c320c7f31bb73b92799dfbeb9a1e8ce0cdb3b
2020-09-18 07:45:03 -07:00
Wiktor Garbacz
c33f1fb03e Simplify casts
Drive-by: check for malloc failure in sapi:✌️:Array
PiperOrigin-RevId: 332446225
Change-Id: I375ea94845e04dffc3353d70737402daa66ae50a
2020-09-18 07:23:19 -07:00
Wiktor Garbacz
08a956a415 Use opaque void* instead of uint8_t* in Comms
PiperOrigin-RevId: 332441641
Change-Id: I09902e98726a0bd57b47d3454ddcb6ef05021d56
2020-09-18 06:48:57 -07:00
Wiktor Garbacz
9ffa5afba6 Remove unnecessary TLV struct
Drive-by: Zero-copy RecvString
PiperOrigin-RevId: 332412385
Change-Id: I169ffa78f016ec2d55c1a3677ea97beed095123c
2020-09-18 02:23:22 -07:00
Christian Blichmann
13c28403a6 Implement system include detection for CMake build
The Bazel build already queries the current toolchain for its system include
directories. This change brings feature parity and is necessary for systems
with unusual include locations.

PiperOrigin-RevId: 332195812
Change-Id: Ie81d614d21e90b4bd9edf2084ef80bf0d85dd750
2020-09-17 03:08:11 -07:00
Maciej Szawłowski
a68b851c2c Added TypeKind.CHAR_U handling in the generator.
PiperOrigin-RevId: 331988119
Change-Id: I8301c5041c32da185202ed34292e6a2988ecff46
2020-09-16 06:00:55 -07:00
Christian Blichmann
ed0086eb66 Fix dynamic binary startup on PPC and newer glibc (> 2.19)
This allows the `_llseek` syscall when it is defined.

PiperOrigin-RevId: 331498182
Change-Id: I2760b264e3a82000b38d278a9c280501a3dbc724
2020-09-14 01:18:33 -07:00
Christian Blichmann
21f7373e76 Initial changes to support AArch64
This is a work in progress:
- Syscall tables need work
- Only tested on real hardware using one of our test hosts

As a drive-by, this change also enables the open source version to function on
POWER.

Another side-effect of this change is that the default policies no longer
check for different host architectures at runtime. On x86_64, we do not need
to check for PPC or AArch64 specifice and vice versa.

PiperOrigin-RevId: 331137472
Change-Id: Ic6d6be5cbe61d83dbe13d5a0be036871754b2eb8
2020-09-11 06:34:27 -07:00
Christian Blichmann
c19949eb7b Use inclusive language
PiperOrigin-RevId: 331116936
Change-Id: I7084b24440a1c78c0d70030da900330f0b8d954f
2020-09-11 03:14:12 -07:00
Christian Blichmann
6a1e4b881c Introduce config header to centralize CPU architecture checks
This allows us to remove some uses of macros.

Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
  processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics

PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
2020-09-10 05:48:00 -07:00
Kevin Hamacher
1f8e88586b Log details when executor fails to open the sandboxee binary
PiperOrigin-RevId: 330680717
Change-Id: I4ec855861196177321783dc94f2e05a28e84d512
2020-09-09 02:12:29 -07:00
Sandboxed API Team
776e34502a Internal cleanup migrating StatusOr.
PiperOrigin-RevId: 330561315
Change-Id: Ie8d8857e7fa5819be3358b26425790ede97c99f8
2020-09-08 12:24:35 -07:00
Christian Blichmann
fdf0483ca0 Migrate to open-source absl::StatusOr<>
This removes our own fork of `absl::StatusOr<>`. Sandboxed API still includes
a custom matcher for Googletest, as that is not open source yet. For
compatibility, the `statusor.h` header is still retained and now aliases
`sapi::StatusOr<>` to `absl::StatusOr<>`.

PiperOrigin-RevId: 329916309
Change-Id: I0544b73a9e312dce499bc4128c28457e04ab9929
2020-09-03 07:40:48 -07:00
Sandboxed API Team
23da55c19a Internal BUILD refactoring
PiperOrigin-RevId: 329720214
Change-Id: I25fbb94dea17db3bdca6438d17508fa304d9706f
2020-09-03 07:40:33 -07:00
Sandboxed API Team
1c833d6f25 Internal cleanup migrating StatusOr.
PiperOrigin-RevId: 329304527
Change-Id: Id6c141272df54c4e165829d690f9f5b2e9ee90cc
2020-08-31 08:13:29 -07:00
Sandboxed API Team
cfac8eb2d9 Internal cleanup migrating StatusOr.
PiperOrigin-RevId: 329250595
Change-Id: I0447d8154a57b1132981b116f02b4d5bceedfd4c
2020-08-31 00:13:54 -07:00
Wiktor Garbacz
c53f2a900f Automated rollback of commit e7a195ce42.
PiperOrigin-RevId: 328918626
Change-Id: Iabe93ec7062ea6e750e4185e2b0b672a37111ee7
2020-08-28 04:49:41 -07:00
Sandboxed API Team
e7a195ce42 Automated rollback of commit 82c56775ef.
PiperOrigin-RevId: 328340042
Change-Id: Ib225f8012fb373c74e3f1b3e6201b2daca7da40b
2020-08-25 09:01:22 -07:00
Wiktor Garbacz
82c56775ef StatusOr cleanups
PiperOrigin-RevId: 328318284
Change-Id: I207570c0fee6797dbc8995d36ef2130b0bff28fa
2020-08-25 06:22:05 -07:00
Christian Blichmann
b76cb15f26 Rename accessors, move away from time_t API
- `GetPid()` -> `pid()`
- `GetRpcChannel()` -> `rpc_channel()`
- `IsActive()` -> `is_active()`
- Suggest `SetWallTimeLimit(time_t)` -> `SetWallTimeLimit(absl::Duration)`

In addition, remove the protected zero-argument contructor.

PiperOrigin-RevId: 325390292
Change-Id: Iba044ad5ce44e78c4064c0a09faaa4227c4d19a5
2020-08-07 00:30:28 -07:00
Christian Blichmann
11fd8ba330 Collect Bazel files into bzl_library targets
PiperOrigin-RevId: 325221214
Change-Id: Iab03b900e143b9b95bed151097abb59ac1e0f996
2020-08-06 06:53:44 -07:00
Sandboxed API Team
8633f22185 Increase limit on symbol table size and section size.
PiperOrigin-RevId: 325215228
Change-Id: I2e6ca131d92d86e7aa0d5cc37a3507dce03db25f
2020-08-06 06:04:14 -07:00
Christian Blichmann
833c9740aa Use absl::StrFormat() in Reg<T>::ToString()
PiperOrigin-RevId: 322528126
Change-Id: Ia5344e53366a8b3c11ec0dbba7cff8e4192a7605
2020-07-22 01:21:02 -07:00
Christian Blichmann
aaa3eded8f Rename SYNC_* constants to conform to style guide
PiperOrigin-RevId: 322137271
Change-Id: I03d7f2e4841f42e439359727a686d55f1b4ab081
2020-07-20 07:05:44 -07:00
Christian Blichmann
c7a27dd4b1 Modernize a few files
- Use default initialization
- Rely on `static_assert()` and use `if constexpr` when checking SAPI
  variable type
- Small style fixes

PiperOrigin-RevId: 322107281
Change-Id: I48cf43f354b60e31e6207552dbbfa16e3acd5615
2020-07-20 03:07:54 -07:00
Christian Blichmann
eb62bae167 Refactor stack trace handling
- Drop `delim` argument from the `GetStackTrace()` family of functions.
  We only ever used plain spaces.
- Use an `std::vector<std::string>` for the symbolized stack frames and
  adjust the unwind proto accordingly.

This change now prints each stack frame on its own line while skipping
duplicate ones:

```
I20200717 11:47:16.811381 3636246 monitor.cc:326] Stack trace: [
I20200717 11:47:16.811415 3636246 monitor.cc:337]   map:/lib/x86_64-linux-gnu/libc-2.30.so+0xceee7(0x7fb871602ee7)
I20200717 11:47:16.811420 3636246 monitor.cc:337]   Rot13File+0x130(0x55ed24615995)
I20200717 11:47:16.811424 3636246 monitor.cc:337]   ffi_call_unix64+0x55(0x55ed2461f2dd)
I20200717 11:47:16.811429 3636246 monitor.cc:337]   map:[stack]+0x1ec80(0x7ffee4257c80)
I20200717 11:47:16.811455 3636246 monitor.cc:339]   (last frame repeated 196 times)
I20200717 11:47:16.811460 3636246 monitor.cc:347] ]
```

PiperOrigin-RevId: 322089140
Change-Id: I05b0de2f4118fed90fe920c06bbd70ea0d1119e2
2020-07-20 00:24:40 -07:00
Wiktor Garbacz
f7d3f442df Extract ForkClient to a separate target
PiperOrigin-RevId: 321757582
Change-Id: I48b89ab4e4b1d87dd9444874de5bf5bd2526531a
2020-07-17 04:54:54 -07:00
Wiktor Garbacz
e9f7293e21 Fix ptrace_hook dependency graph
PiperOrigin-RevId: 321748143
Change-Id: Idb453054b78e932ce13c5f44f7d408cc0f9c31f2
2020-07-17 03:20:43 -07:00
Wiktor Garbacz
405cc00683 Workaround for issue#32
PiperOrigin-RevId: 321154163
Change-Id: Ida6defa3d5586b39e69e958524cee7579085826f
2020-07-14 07:28:16 -07:00
Christian Blichmann
b7d137721a Do not keep a reference to a temporary
PiperOrigin-RevId: 321117444
Change-Id: If6951058fcd32fe638f9241bef79181d6785e9cf
2020-07-14 01:42:05 -07:00
Christian Blichmann
1f1de9e229 Fix logging/display of syscall tables
Initializing `absl::Span`s like by assigning them from a temporary
array leaves them pointing to invalid data. Due to the way the linker
initializes these constant tables, _most_ of them will still be valid
_most_ of the time, leading to crashes when running sandboxees with the
`--sandbox2_danger_danger_permit_all_and_log` option.

PiperOrigin-RevId: 321112099
Change-Id: I891118da08cbb6000b3e2e275618bc4edaa1d020
2020-07-14 00:47:54 -07:00
Christian Blichmann
5f35b4fc8c Fix mix-up in main_zlib.cc
The example compresses from stdin to stdout, not vice versa.

PiperOrigin-RevId: 320941406
Change-Id: I41c7fed1b7f6306541567c0df46a8590844db69b
2020-07-13 06:12:35 -07:00
Chris Kennelly
63a8b3ff15 Refactoring for internal change
PiperOrigin-RevId: 320612442
Change-Id: I65729ac5d83c76dac047a47f866b7ad4af3c56c1
2020-07-10 09:01:49 -07:00
Christian Blichmann
c3861819bc Update Hello SAPI's WORKSPACE for newer Bazel versions
Bazel 3.x now requires specifying `commit`, `tag` or `branch` in its
`git_repository` rule.

PiperOrigin-RevId: 320572176
Change-Id: I81048d997f595202f4dfbd3c1e9c8321240a28a3
2020-07-10 02:50:00 -07:00
Sandboxed API Team
a602177943 Fix AllowLlvmSanitizers for Msan.
PiperOrigin-RevId: 319947612
Change-Id: I6485d8282381c4cb2be05e138e007ccbb3e5d956
2020-07-07 02:40:24 -07:00
Sandboxed API Team
228f3e7ed1 Migrate usage of StatusOr::operator bool to StautsOr::ok.
PiperOrigin-RevId: 319931897
Change-Id: I31b4bb71c7eeaf6687a499248bbfbb26c78b94ff
2020-07-07 00:14:07 -07:00
Sandboxed API Team
88e9dbf8d4 Allow Asan to get sigaltstack
Include sigaltstack into AllowHandleSignals

PiperOrigin-RevId: 319293484
Change-Id: I4d60715893bd07eff047d2bced1450a3cd29bcec
2020-07-01 14:09:03 -07:00
Wiktor Garbacz
6008dc6db4 Reduce dependencies on libcap
PiperOrigin-RevId: 319228803
Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
2020-07-01 08:23:46 -07:00
Wiktor Garbacz
0d375e69e1 Remove abort from ExecuteProcess
Otherwise ExecuteProcess is implicitly `[[noreturn]]` and this
might cause policy violations in `__asan_handle_no_return`
for ASAN builds.

PiperOrigin-RevId: 319203128
Change-Id: I5c8ba71ce88261f803aa3f16730eccea0d803dd1
2020-07-01 04:54:29 -07:00
Christian Blichmann
2ffea13759 Mark zlib as found when using SAPI CMake build
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-06-30 08:59:50 +02:00
Sandboxed API Team
5de6b84111 Internal change
PiperOrigin-RevId: 317068509
Change-Id: I268381ca50eabed88b189bf79ccc9313e5b7d9ae
2020-06-18 03:19:01 -07:00
Christian Blichmann
89e80d4c80 Internal change.
PiperOrigin-RevId: 316414698
Change-Id: Ib0d43bfc7c95a3029618b4ed758990f78cb25529
2020-06-15 00:59:33 -07:00
Copybara-Service
fdf5fd5854 Merge pull request #45 from cblichmann:20200609-include-guard-test
PiperOrigin-RevId: 315673526
Change-Id: If6efb2deb8dc0da8a10db26aec683c730ae2d97a
2020-06-10 05:34:35 -07:00
Christian Blichmann
c0c9d1dbf9 Copybara import of the project:
--
fd2e99fa87c34f2fb1a20052c030ad7a4139b4e1 by Christian Blichmann <mail@blichmann.eu>:

Support LLVM >= 7.0.1 in Clang based header generator

This change glosses over small API changes introduced since LLVM/Clang
7.0.1, which ships with Debian Stable "Buster". Ubuntu 18.04 LTS "Bionic"
also shipped this (and subsequently updated to version 9).

Hence, compiling the generator should now work on all reasonable Debian
based distributions.

COPYBARA_INTEGRATE_REVIEW=https://github.com/google/sandboxed-api/pull/44 from cblichmann:20200609-llvm-version-compat fd2e99fa87c34f2fb1a20052c030ad7a4139b4e1
PiperOrigin-RevId: 315637014
Change-Id: I6585041d8bebade15e44c057b1a69287bbc0e733
2020-06-09 23:32:03 -07:00
Christian Blichmann
b02061a3d2
Add scaffolding and first test for Clang-based generator
- Fix `GetIncludeGuard()` to always uppercase
2020-06-09 13:37:52 +02:00
Christian Blichmann
726cabe2f7 Fix up generated header include paths
The "hello_sapi" example lives in a different WORKSPACE as it is intended to
show how to embed SAPI in your own projects. However, this is not compatible
with simply running `bazel build //sandboxed_api/...` after checkout.

This change simply replace `copts = ["-I."]` with `includes = ["."]`, so that
generated headers can be found reliably, regardless of how the example is
compiled.

PiperOrigin-RevId: 313782756
Change-Id: Iac26e828146b01545c81d9500f5f68fa0f2d4ddf
2020-05-29 08:13:58 -07:00
Christian Blichmann
5aff251a92 Move filewrapper to tools directory
This decouples it from the underlying build system

PiperOrigin-RevId: 313764652
Change-Id: I64de2f8533d307567de297942a3d02d26b0839f4
2020-05-29 05:40:52 -07:00
Christian Blichmann
e76e73dfe8 Merge pull request #40 from cblichmann:clang-tool
PiperOrigin-RevId: 313577454
Change-Id: I4de93e1ffca003899ae3c7110ab3fd10f700907c
2020-05-28 16:01:09 +02:00
Christian Blichmann
507eb00a90
Add sandboxee embedding
- Implement `--sapi_embed_name` and `--sapi_embed_dir` flags
- Do not emit full AST-serialization for C++ classes
2020-05-15 17:03:25 +02:00
Christian Blichmann
143e539d79 First MVP of a LibTooling based SAPI header generator
- Extract dependent types directly from the Clang AST and re-serialize
  back into compilable code
- Collect types and emit diagnostics
- Format generated code

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-05-15 15:35:42 +02:00
Copybara-Service
dd4e81bccb Merge pull request #39 from cblichmann:master
PiperOrigin-RevId: 311518877
Change-Id: Ib29354cb55ed6289d0aa303189c12222b9f92ea8
2020-05-14 06:17:42 -07:00
Christian Blichmann
2c8c9a489a
Add external embedding example
This change contains a "hello world"-style example library to be
sandboxed. It consists of a stand-alone CMake and Bazel project that
uses Sandboxed API as its dependency.

To use Sandboxed API in an external project, it should be enough to
copy the files in the `sandboxed_api/examples/hello_sapi` directory
as a starting point.
2020-05-14 11:40:02 +02:00
Christian Blichmann
ba47adc21d Allow empty sapi_embedded_dir flag in the header generator
PiperOrigin-RevId: 311478848
Change-Id: If94d2279989b3cfc76304bb0bb8624e0f0532ba6
2020-05-13 23:49:25 -07:00
Christian Blichmann
d6b8e0b3e3 CMake: Fix inclusion and paths for external embedding
When using SAPI from an external project via CMake, the small zlib patch
cannot be found during the config phase.

This change also fixes an oversight in that the tests depend on some of
the example code.

Regardless embedding code should set `SAPI_ENABLE_EXAMPLES` to `OFF`.
Disabling tests by setting `SAPI_ENABLE_TESTS` to `OFF` stays optional.

PiperOrigin-RevId: 311290454
Change-Id: Ibe105895859b793b20f47c89b1a9e11cbfef2e2f
2020-05-13 02:09:33 -07:00
Christian Blichmann
6d97220e5c
Use common repository prefix everywhere
Build macros in earlier versions of Bazel (pre-1.0) needed to specify
targets in a different format, depending from where they were
included/expanded at build time.

For example, a `sapi_library()` macro invocation in one of the directories
under `examples`, always needed to depend on the SAPI main library as
`//sandboxed_api:sapi`. When using SAPI from another Bazel project, the
same macro would have needed to depend on
`@com_google_sandboxed_api//sandboxed_api:sapi`. The `sapi_library()`
macro was thus checking the repository name and conditionally changed
the dependencies. This approach is brittle and as of Bazel 3.1.0 no
longer works.

This CL simple removes the conditional prefix and unconditionally uses
`@com_google_sandboxed_api`.

Tested on Bazel 1.2.1, 2.2.0 and 3.1.0
2020-05-11 16:51:53 +02:00
Christian Blichmann
aafc597630 Add zlib as dependency for examples
Similar to what the Bazel build does, this change adds zlib as an additional
dependency when `SAPI_ENABLE_EXAMPLES` is set to `ON`.

PiperOrigin-RevId: 309203959
Change-Id: I201a9e6415789afb1e058bc48cebbc0fc0004fe9
2020-04-30 04:57:33 -07:00
Sandboxed API Team
79049b09c0 Add helper function for MADV_WIPEONFORK.
BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning.

PiperOrigin-RevId: 309173849
Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
2020-04-30 00:08:55 -07:00
Christian Blichmann
7ec20bd5d5 Update dependencies to latest versions
- Abseil (HEAD)
- Benchmark (HEAD)
- Google Flags (HEAD)
- Google Logging (HEAD)
- Google Test/Mock (HEAD)
- Protocol Buffers (3.11.4)

PiperOrigin-RevId: 309012925
Change-Id: I826846afb3f2c4e92180915796890fce6b5a1d6c
2020-04-29 06:45:44 -07:00
Christian Blichmann
8faccffbad Update StatusOr<> and tests
Fixes some template issues that could lead to code not compiling when it
otherwise should.

PiperOrigin-RevId: 308809964
Change-Id: I9f2f9d4aff5f1a9cb967fb705a86fd7f49114f7a
2020-04-28 06:12:58 -07:00
Christian Blichmann
a2e292792e Move .bazelrc to correct location next to WORKSPACE
PiperOrigin-RevId: 308792839
Change-Id: Id70f6bbd3ba2b8fe769eb1013a9310f00a300610
2020-04-28 03:17:28 -07:00
Christian Blichmann
dfc51704c0 Fix linker issue introduced in b2764c5
The underlying issue is with a Copybara transform and the internal Blaze BUILD file.

PiperOrigin-RevId: 308787839
Change-Id: I32af664b3eac4c925d39f50b967756198eff23f3
2020-04-28 02:30:47 -07:00
Sandboxed API Team
b2764c5937 Internal change.
PiperOrigin-RevId: 308273962
Change-Id: If41d229d37eda610eb4bf202e20dc4f5976f2333
2020-04-24 10:02:21 -07:00
Sandboxed API Team
f18f524100 Internal change.
PiperOrigin-RevId: 307871367
Change-Id: Iefae576ae58b88a72f0cd923b3e76ce560af6e58
2020-04-22 12:23:46 -07:00
Sandboxed API Team
9b85dc49c1 Split sanitizer.h into a separate library
PiperOrigin-RevId: 305327952
Change-Id: I6708729d379d019c3d299e9cb54b76338ced23bf
2020-04-07 13:26:51 -07:00
Christian Blichmann
496672c333 Cleanup calls to sapi::StatusOr<>::ValueOrDie()
PiperOrigin-RevId: 304398197
Change-Id: I85d09457a5e27f65c0792fe93aebbd8219801ef6
2020-04-02 07:42:45 -07:00
Christian Blichmann
2b2e7ac498 Bring sapi::StatusOr<> up to date with internal Abseil changes
Note: This intentionally omits perfect-forwarding value assignments. This
avoids overly complex template expressions. The regular assignments are still
efficient.
PiperOrigin-RevId: 304159053
Change-Id: I3460f46ca5779a0619cf90ae22625de8fad7669c
2020-04-01 04:40:38 -07:00
Sandboxed API Team
2fa0bf85f4 Fix an ODR violation
PiperOrigin-RevId: 303066199
Change-Id: I0cde5fce6f9538136b913edccc5a3195e0b4e503
2020-03-26 01:59:05 -07:00
Sandboxed API Team
22c6417307 Adding new build rule for sanitizer
PiperOrigin-RevId: 302687093
Change-Id: I090352c70df67e51eba79a618315b7ca9696bcfe
2020-03-24 09:54:49 -07:00
Kevin Hamacher
dadf55f647 Show a warning when tmpfs size is not specified
PiperOrigin-RevId: 302441519
Change-Id: Ia4130c9067f00ed48065ea3b4854c844e7b88f85
2020-03-23 08:44:28 -07:00
Christian Blichmann
57d374e667 Fix libffi configure directory in Bazel/CMake builds 2020-03-23 13:52:02 +01:00
Christian Blichmann
45d825b3b7 Merge branch 'master' of https://github.com/google/sandboxed-api 2020-03-22 16:47:41 +01:00
Christian Blichmann
0772d71264 Download libffi at CMake config time (fixes #35)
Drive-by:
- Make Bazel config action more robust
- Disable dependency tracking in libunwind configure

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-22 16:44:39 +01:00
Anna Sapek
4665335604 Use file::IsAbsolutePath consistently
PiperOrigin-RevId: 302073992
Change-Id: Ib3b9fbedc6e85a1abd87cbc683d8a8c3dc3daf87
2020-03-20 12:08:25 -07:00
Christian Blichmann
604b671d12 Internal change.
PiperOrigin-RevId: 301836978
Change-Id: Ic959f224701bf370294fdbbe3126edd01c615e2a
2020-03-19 09:58:28 -07:00
Christian Blichmann
69bdb54bf9 Update README, graphical assets
PiperOrigin-RevId: 301830652
Change-Id: I60a67c372869a30ff5ba575387d67700ffc20134
2020-03-19 09:27:42 -07:00
Christian Blichmann
f44cca6c98 Fix path to generated proto sources when embedding
When embedding SAPI in an external CMake project, the version of
`protobuf_generate_cpp` that we lifted from upstream protobuf produces
the wrong generated file paths.

For example, given this project structure:

```
/parent/
+-- myproject/
+-- myproject_build/  <- CMake build directory
+-- sandboxed-api/    <- Checkout from GitHub
```

And a CMake file in `myproject/CMakeLists.txt` that embeds SAPI like
this:

```
cmake_minimum_required(VERSION 3.12)
project(SandboxedTest LANGUAGES CXX)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

add_subdirectory(
  ${PROJECT_SOURCE_DIR}/../sandboxed-api
  ${PROJECT_BINARY_DIR}/sandboxed-api
)
```

Then `protobuf_generate_cpp` correctly invokes the protoc compiler to
generate
`/parent/myproject_build/sandboxed-api/sandboxed_api/proto_arg.proto.pb.cc'.
However, the path of the generated source file that is passed to the C++
compiler will be
`/parent/myproject_build/sandboxed-api/sandboxed_api/../../myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.
Note the duplicated project build directory component in the
canonicalized version:
`/parent/myproject_build/myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.

This change simple omits the computation of any relative file paths and
simply uses `_pb_PROTOC_OUT_DIR` which defauls to
`CMAKE_CURRENT_BINARY_DIR`, which should always contain the correct
path.

Signed-off-by: Christian Blichmann <mail@blichmann.eu>
2020-03-18 18:47:02 +01:00
bielec
d17482e2eb Split network_proxy example to 2 examples: with automatic handler, and without.
Created documentation for network proxy. fixed 2 things in documentation (namespaces are enabled by default for a while).

PiperOrigin-RevId: 300321016
Change-Id: Id9c54b29551e8d3b70e814e2fdbfee594126aa90
2020-03-11 07:32:50 -07:00
Christian Blichmann
f6c3db4c6e Replace sapi::Status with absl::Status
PiperOrigin-RevId: 297614681
Change-Id: I89fe1357a172ed4d28df6dd84b80fee364ce1c14
2020-02-27 09:24:12 -08:00
Sandboxed API Team
a5d931ec5f Qualify uses of std::string
PiperOrigin-RevId: 297528932
Change-Id: I750c43e356be55a5bd37a8bb59d998238bd8f1bb
2020-02-27 00:03:55 -08:00
Maciej Szawłowski
edd6b437ae Filter functions based on files we scan.
Currently we extract all functions from the compilation unit - it doesn't really make sense as it will try to process functions in included files too.
As we require sapi_in flag, we have information which files are of interest.

This change stores the top path in _TranslationUnit and uses it when looking for function definitions to filter only functions from the path we provided.

PiperOrigin-RevId: 297342507
Change-Id: Ie411321d375168f413f9f153a606c1113f55e79a
2020-02-26 06:02:15 -08:00
Sandboxed API Team
6332df5ef6 Fix or ignore type errors generated by the next release of pytype.
The next release contains one major change: for function parameter annotations,
pytype will no longer treat (x: X = None) as equivalent to
(x: Optional[X] = None). This pytype behavior was based on an outdated version
of the type-checking spec. Annotations that were relying on the behavior now
need to explicitly declare themselves as Optional.

PiperOrigin-RevId: 297065077
Change-Id: Iade679e5928bb3839485e8b8571945456ba6e982
2020-02-25 01:15:54 -08:00
bielec
5a4e3f3d29 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 296206385
Change-Id: I53b23122abece1fe318ed4c6a7e37bf3228c8f5f
2020-02-20 07:45:44 -08:00
Christian Blichmann
5d81c822d8 Automated rollback of commit e56f562fe2.
PiperOrigin-RevId: 296178631
Change-Id: I0f871aeecd70e9d2f99c7d52d94c6043a1668325
2020-02-20 04:26:37 -08:00
Maciej Szawłowski
fc514451e0 Internal BUILD changes
PiperOrigin-RevId: 296174640
Change-Id: I94c8e36d76d6cbb2b9d65f35d8700018b62d3db1
2020-02-20 04:26:23 -08:00
Sandboxed API Team
e56f562fe2 Automated rollback of commit 4eede550e7.
PiperOrigin-RevId: 295946052
Change-Id: Ie8c23fe8eec99ab52245ae7f482f1e6b99ec010e
2020-02-19 05:19:15 -08:00
Christian Blichmann
4eede550e7 Prepare for upcoming changes in Abseil
- Move canonical errors into status.

PiperOrigin-RevId: 295941935
Change-Id: I9408d21b6d34239b0ef3f3cd24975f39f1405505
2020-02-19 04:43:29 -08:00
Christian Blichmann
d578b18c22 Modernize the transaction API
PiperOrigin-RevId: 295712938
Change-Id: Iaf4c9668bb0b48555679fef822fe424277540d1f
2020-02-18 05:27:38 -08:00
Wiktor Garbacz
5b1119aa6d Internal change
PiperOrigin-RevId: 295579669
Change-Id: I2488a87a78cf76f0d4ddf73d115e443bd801e420
2020-02-17 06:54:52 -08:00
Sandboxed API Team
05280287e0 Automated rollback of commit 800339d672.
PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
2020-02-17 10:39:08 +01:00
bielec
800339d672 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 294640297
Change-Id: I4c6520685a658f8b7762af238588830f71b3f54a
2020-02-17 10:38:44 +01:00
Wiktor Garbacz
f1ce6fcb87 Internal change
PiperOrigin-RevId: 292529030
Change-Id: Ie6b315d9edd5f253386474be4afff1a59e24a91e
2020-01-31 05:39:25 -08:00
Sandboxed API Team
daa1c7a64e Allow sandboxee to read from /proc when sanitizers are allowed.
Sanitizers read from /proc. For example:
69445f095c/lib/sanitizer_common/sanitizer_linux.cpp (L1101)

PiperOrigin-RevId: 292363903
Change-Id: Icc383ededcad363b4e96f5551f140f012b07b495
2020-01-30 09:30:42 -08:00
Sandboxed API Team
b9c866410d Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326427
Change-Id: Iebd745bf0c6b0b14e090462a9df44ebd7d374c7d
2020-01-30 05:07:40 -08:00
Sandboxed API Team
54cd192442 Replace deprecated thread annotations macros.
PiperOrigin-RevId: 292326369
Change-Id: I47cb8416b198872c96921207e257745451285680
2020-01-30 05:06:55 -08:00
Wiktor Garbacz
539d1cac34 Replace if (!cond) { LOG(FATAL, msg) } with CHECK(cond, msg)
PiperOrigin-RevId: 291916344
Change-Id: Ib522a3f202b20bf8f1ab4ca5774952d4b8f43e91
2020-01-28 05:59:33 -08:00
Wiktor Garbacz
d88c9f7598 Log mount flags in human readable format
PiperOrigin-RevId: 291690800
Change-Id: I6c4acdad93aeed29616d1ea44f797dad6fc7f277
2020-01-27 03:19:56 -08:00
Wiktor Garbacz
d74215d30d Properly test read-only mounts
PiperOrigin-RevId: 291337704
Change-Id: I806d0d09051ab205813d6626ea70e9e57a28a7a5
2020-01-24 02:38:11 -08:00
Wiktor Garbacz
e3d638466d Internal change
PiperOrigin-RevId: 290621061
Change-Id: I4b575ac65a9c225453552db74416eed45f1f4ebd
2020-01-20 08:35:24 -08:00
Wiktor Garbacz
bd22a18f87 Internal change
PiperOrigin-RevId: 290586117
Change-Id: I637ca27121ef541d48a717903496cab256214a0a
2020-01-20 02:55:04 -08:00
Christian Blichmann
441201884a Update license header with recommended best practices
PiperOrigin-RevId: 290250533
Change-Id: Ic34b253446463cf971a055b70a242df93a598ee3
2020-01-17 05:05:29 -08:00
Wiktor Garbacz
96d9ce90e5 Properly set mount flags
PiperOrigin-RevId: 290052082
Change-Id: I35222d25a24c3d641a998b2734b90bd178759df6
2020-01-16 06:05:11 -08:00
Wiktor Garbacz
c2bd47e978 Change mount propagation to private
PiperOrigin-RevId: 289639932
Change-Id: Iac976134d5f43dcdfe895446d7caab463cc70d1a
2020-01-14 06:32:23 -08:00
Christian Blichmann
18776b6f16 Refactor syscall definitions to rely less on macros
PiperOrigin-RevId: 288478535
Change-Id: I56bf8b8817f31d60db4726b2847f8400215b7b8c
2020-01-07 05:27:21 -08:00
Sandboxed API Team
3e442b252c Allow stack trace collection when namespaces are disabled, if sandbox_libunwind_crash_handler==false.
PiperOrigin-RevId: 288267119
Change-Id: I5fce1b28521d3d685186717f153f20fb498c94e2
2020-01-06 02:34:03 -08:00
Sandboxed API Team
aea1ecd58d Improve diagnostics when dynamically linked binary is sandboxed, but can't be exec'd.
PiperOrigin-RevId: 286391400
Change-Id: I016deb34eb895480131da24bc95a6244d92f3710
2019-12-19 07:48:32 -08:00