Sandboxed API Team
dd2a84b980
Clarify behavior of Buffer::CreateFromFd
...
PiperOrigin-RevId: 250834142
Change-Id: I7aac739c9b590adc0599926e3246bc87e21d951a
2019-05-30 23:50:54 -07:00
Sandboxed API Team
6666f41ba2
Fix unnecessary unique_ptr in LogServer.
...
PiperOrigin-RevId: 250050562
Change-Id: I6840e68504c741de1e66489279237f4a4a6bc533
2019-05-26 08:47:38 -07:00
Wiktor Garbacz
08ff939ea7
Call DisableNamespaces where needed
...
PiperOrigin-RevId: 249637351
Change-Id: I5105d89ea0e8cfb2fca1e5ac342fa67e9caac930
2019-05-23 07:21:03 -07:00
Wiktor Garbacz
85059ef40d
Add DisableNamespaces to PolicyBuilder
...
Currently mostly no-op, but this is the first step to turn namespaces on
by default.
PiperOrigin-RevId: 249439158
Change-Id: I5eeb1216dc868c660f62ad50c34f626afbf7db61
2019-05-22 06:54:12 -07:00
Wiktor Garbacz
71a317e65f
Do not emit an error on ESRCH in PTRACE_CONT
...
Process might be killed between waitpid and PTRACE_CONT,
even though a PTRACE_EVENT_EXIT will be gererated, continuing
will fail with ESRCH in that case.
PiperOrigin-RevId: 249245726
Change-Id: Ib673529229a306d2266fa60caa3039b6bcd80a65
2019-05-21 07:30:56 -07:00
Wiktor Garbacz
15993a34e2
Log stack traces with INFO instead of ERROR
...
PiperOrigin-RevId: 249035379
Change-Id: Ie62366f45f29741ee0c8b25369d0bb169275ccfd
2019-05-20 06:16:50 -07:00
Wiktor Garbacz
207b2d9a95
Remove stale comment
...
PiperOrigin-RevId: 248715509
Change-Id: I7aa3f4388920e39a79ac349890de403ac3384504
2019-05-17 07:21:31 -07:00
Wiktor Garbacz
34d17b77ac
Remove dead code
...
IPC always creates comms object from a fd.
PiperOrigin-RevId: 248683525
Change-Id: Ib4285ec0494d551257237c12f92f983b943205cb
2019-05-17 02:02:03 -07:00
Wiktor Garbacz
8678af23d0
Extract GetRlimitName into util
...
PiperOrigin-RevId: 248682931
Change-Id: I702533a8d36465de956a1a90a40c634434b7a671
2019-05-17 01:55:35 -07:00
Wiktor Garbacz
6e1c3c3055
Fix prlimit error message
...
PiperOrigin-RevId: 248491089
Change-Id: Id4116939d02b6a592c74218955675acf2e3c70fe
2019-05-16 02:24:59 -07:00
Wiktor Garbacz
7294e9976e
Replace custom synchronization with absl::Notification
...
PiperOrigin-RevId: 248334969
Change-Id: I7614a3792babd399912c5d5a167ab5e0a0574d20
2019-05-15 08:09:56 -07:00
Wiktor Garbacz
42761c8b72
Add a resource starvation test
...
PiperOrigin-RevId: 248334209
Change-Id: Iff0f0b3024c67a767c429a547695cc48a2d02a30
2019-05-15 08:04:58 -07:00
Wiktor Garbacz
6588aa2a68
Reintroduce monitor changes.
...
Signal handling in Monitor::MainLoop was fixed.
PiperOrigin-RevId: 248331692
Change-Id: I0f85d319802258632d2074742c53597bb922555a
2019-05-15 07:46:49 -07:00
Sandboxed API Team
d8f7d861d2
Log the progress of dynamic libraries being resolved while creating a sandboxee's virtual FS chroot. This provides valuable insight while debugging problems with dynamically linked sandoxed binaries.
...
PiperOrigin-RevId: 247625021
Change-Id: I9bf77af7410deb8766fd49910c8564e148020601
2019-05-10 09:41:07 -07:00
Christian Blichmann
5f3c7171b7
Use Abseil's flag library released in aa468ad75539619b47979911297efbb629c52e44
...
PiperOrigin-RevId: 247424939
Change-Id: I22a4696f705f9dcfa7394b329c78bd126f42bd16
2019-05-09 07:57:55 -07:00
Christian Blichmann
7800fd7402
Disable compiler warnings for consistency with internal settings.
...
PiperOrigin-RevId: 247405215
Change-Id: I236170f7b47d9ecd32324db907ef7afc2e797d9a
2019-05-09 05:21:34 -07:00
Sandboxed API Team
63f0adbfbb
Revert of monitor code update.
...
PiperOrigin-RevId: 247255592
Change-Id: I3656ea1628418321b1b8b02660b6a51a58c2c61f
2019-05-08 11:34:26 -07:00
Wiktor Garbacz
3f5360a7bc
Simplify monitor code.
...
Make setting result code the condition for main loop exit.
PiperOrigin-RevId: 247218505
Change-Id: I8699012683bc301e8a9f4f41cd5ab018e3cd514c
2019-05-08 08:34:56 -07:00
Sandboxed API Team
f29a5a81ed
Print final FS mounts in sandboxee's chroot
...
After all requested filesystem mounts are fully mounted under a sandboxee's virtual chroot, print a list of the outside paths and a list of the inside chroot paths that the outside paths are mapped to. This provides a valuable insight while debugging sandboxed binaries.
PiperOrigin-RevId: 247130923
Change-Id: I42b4b3db68d826587c0fe8127aabbead38bc6f20
2019-05-07 18:30:13 -07:00
Christian Blichmann
6bfa83befe
CMake support for Sandbox2
...
- Add a superbuild in cmake/SuperBuild.cmake that downloads and builds
dependencies
- Builds for sandbox2/ and a its tests
- Helper CMake function to strip proto paths
- Module to find libcap
- Custom build for libunwind that wraps its symbols
- Fix environment so that CTest executes tests similar to Bazel
- Filewrapper functionality, like Bazel's cc_embed_data()
- Build forkserver with embedded binary
- Enable ASM language so that libunwind builds correctly
- Allow glog target to propagate transitively (to propagate its include dirs)
Signed-off-by: Christian Blichmann <cblichmann@google.com>
2019-05-06 14:03:29 +02:00
Wiktor Garbacz
523620f8ab
Internal change
...
PiperOrigin-RevId: 245409785
Change-Id: I37b1611bed459522803fa1e49c4252d2cad80076
2019-04-26 06:18:59 -07:00
Wiktor Garbacz
5e645a9190
Fix build
...
PiperOrigin-RevId: 245400890
Change-Id: I899ef49edd8e371b8714478fa3c911cfb771419b
2019-04-26 04:42:52 -07:00
Sandboxed API Team
f3c9c6e388
Internal change
...
PiperOrigin-RevId: 245377524
Change-Id: If41601b2d68c6ff0f7d3f37811aac62c32441d1f
2019-04-26 00:46:11 -07:00
Sandboxed API Team
afec50fdb5
automated internal change
...
PiperOrigin-RevId: 245070237
Change-Id: Ib6b0d9201f8b603e185eb91c1bc9f500f1af1ed6
2019-04-24 10:31:13 -07:00
Christian Blichmann
feba2c35d7
Apply special whole-archive linker options only where necessary
...
PiperOrigin-RevId: 245038294
Change-Id: I99367e7c982a340a88acf730619a467d34d53203
2019-04-24 07:07:14 -07:00
Wiktor Garbacz
c6d16a58eb
Internal change
...
PiperOrigin-RevId: 244882748
Change-Id: I0342f445df8f60f864d3e7f56145051b821a86e0
2019-04-23 10:47:34 -07:00
Wiktor Garbacz
53d85ab4f2
Internal change
...
PiperOrigin-RevId: 244882228
Change-Id: I506b92326fa83f214b1e7fab6c5b2e0889f8b197
2019-04-23 10:46:58 -07:00
Wiktor Garbacz
63006c1476
Internal change
...
PiperOrigin-RevId: 244881751
Change-Id: I3f3200c4d85906058ac17ed941e69ea22d9a4090
2019-04-23 10:42:14 -07:00
Wiktor Garbacz
0fd468be7c
Internal change
...
PiperOrigin-RevId: 244879634
Change-Id: Ifa63ef7b0cc10e87d18f17b85cce55af03cd37cf
2019-04-23 10:31:51 -07:00
Wiktor Garbacz
6cbaaead8b
Make StatusMatcher more flexible
...
PiperOrigin-RevId: 244879203
Change-Id: I5f7994130a898e84f041b18c0b5313d7e8b32780
2019-04-23 10:30:45 -07:00
Sandboxed API Team
726b1fb451
n/a
...
PiperOrigin-RevId: 244836017
Change-Id: I034cfb1af4835256aa9b8b7ac3e80a341e9a9271
2019-04-23 05:14:22 -07:00
Kevin Hamacher
8ad4fcd0a8
minielf: Increase maximum amount of symbols loaded
...
PiperOrigin-RevId: 243775723
Change-Id: I5398ec23bd76be01c48c69bd4decb015a48386fc
2019-04-16 03:00:28 -07:00
Kevin Hamacher
af44845246
Try to demangle c++ symbols when logging the stacktrace
...
PiperOrigin-RevId: 243612828
Change-Id: I09c748da0c119ba2024b2906802858b5b9bcfeb0
2019-04-15 07:37:23 -07:00
Chris Kennelly
d90b2c6328
Allow TCMalloc to access the rseq syscall.
...
PiperOrigin-RevId: 243441655
Change-Id: I82918459c20f164b56cc0c5b621b004315a011ec
2019-04-13 13:45:35 -07:00
Chris Kennelly
e2eb0597cb
Internal change
...
PiperOrigin-RevId: 243440925
Change-Id: I085535962e1d754f7bc32e08b1785a574062edaa
2019-04-13 13:45:25 -07:00
Kevin Hamacher
ac6a5dfc85
Delete copy constructor of FDCloser
...
PiperOrigin-RevId: 243263443
Change-Id: If22d287ce1872ad070454824e8daa36585ab0258
2019-04-12 07:54:31 -07:00
Wiktor Garbacz
79525950fe
Add support for new SECCOMP_RET_* in disassembler
...
PiperOrigin-RevId: 242642525
Change-Id: Iea9a54f01d56cadf19a020340d07c1790c858a0f
2019-04-09 14:38:05 +02:00
Kevin Hamacher
1b50485be6
Move forkserver into a dedicated binary
...
PiperOrigin-RevId: 242637894
Change-Id: I16f19d077e2b5b9d0d4ef58344d5caaef95af7c6
2019-04-09 14:37:41 +02:00
Kevin Hamacher
e44231e28a
Wrap waitpid with TEMP_FAILURE_RETRY and use __WALL to make sure we reap all children
...
PiperOrigin-RevId: 242111281
Change-Id: I322623303487b0292c2aea53d6eae5d9f53d79b6
2019-04-05 05:50:12 -07:00
Kevin Hamacher
77ad64ac30
Use high FD numbers in the forkserver to avoid collision with FDs mapped by the user
...
PiperOrigin-RevId: 242106285
Change-Id: I0f4bd130f8e66e6b47ad1d7311e0fff519aa9e90
2019-04-05 04:51:41 -07:00
Wiktor Garbacz
29fac2d393
mounts: Validate interpreter as early as possible
...
PiperOrigin-RevId: 240972700
Change-Id: I9049af7d053152cebd264fbfc352d2971a06d363
2019-03-29 07:07:55 -07:00
Sandboxed API Team
137f772f2b
Allow TCMalloc to call madvise with MADV_NOHUGEPAGE
...
PiperOrigin-RevId: 240555428
Change-Id: I05fd61ecd09fc0a3f76dade0341d35b04a590b90
2019-03-27 07:40:57 -07:00
Christian Blichmann
f04be9276f
Formatting fixes and include file hygiene.
...
PiperOrigin-RevId: 240346890
Change-Id: I1a9617f10a62a848b6314a6196512e016ae02643
2019-03-26 07:54:21 -07:00
Christian Blichmann
33206c5d3f
Use a longer string in the CRC4 buffer overflow example.
...
On some newer compiler versions, compiler optimizations and loop unrolling
change the memory layout so that 64 bytes are not enough to overwrite the
return address reliably.
PiperOrigin-RevId: 240343358
Change-Id: Ifb1a1dc1cb482793b7387887f0fd68a237879227
2019-03-26 07:28:15 -07:00
Kevin Hamacher
1dd0428713
Add missing chdir() in the init process
...
PiperOrigin-RevId: 239425921
Change-Id: Ia1b02ae0a2f319faa601d6098a9f94a3043656a8
2019-03-20 10:36:11 -07:00
Christian Blichmann
52f4c1f927
Disable "mini" debug format support in libunwind to avoid additional library dependency
...
PiperOrigin-RevId: 239397518
Change-Id: Icd8c641f9d5aac721a2cf1e4e0d3347743f49d58
2019-03-20 08:03:08 -07:00
Christian Blichmann
30c25286f3
Merge pull request #8 from shaan1337:patch-1
...
PiperOrigin-RevId: 239384106
Change-Id: Ibeb4b6a76226a1384fc21df33378101a31764012
2019-03-20 14:33:36 +01:00
Wiktor Garbacz
2e9f50a68f
Rename deathrattle_fatalmsg proto
...
PiperOrigin-RevId: 239377742
Change-Id: I169407087f5e6f3275e282a51232bb6eea330e49
2019-03-20 05:19:55 -07:00
Sandboxed API Team
c8a4131e74
Test that isatty is being allowed by AllowTCGETS.
...
PiperOrigin-RevId: 239370864
Change-Id: Id98f3e5d8dceedb3cfbcd23b980e828f576d3e8d
2019-03-20 04:11:21 -07:00
Christian Blichmann
3600a8a090
Merge pull request #2 from disconnect3d:patch-3
...
PiperOrigin-RevId: 239354706
Change-Id: Ib9b5eca822bcf114a90c7dc96a9a2dacd318d016
2019-03-20 09:42:47 +01:00
Christian Blichmann
0babaf094d
Improve internal<->external code transforms #3
...
Note: These commits only change very minor formatting issues in
the GitHub version. There is more than meets the eye, though. These
changes help to be able to accept pull requests.
PiperOrigin-RevId: 239225828
Change-Id: Ib31bf114e7cc4ccda49f7dcc4e9e24eebc735065
2019-03-19 10:58:21 -07:00
Christian Blichmann
cb36b974eb
Improve internal<->external code transforms #2
...
PiperOrigin-RevId: 239221234
Change-Id: I5b50ed6472df894c43310addb9d8e8ca35b2c822
2019-03-19 10:38:52 -07:00
Christian Blichmann
90d276f913
Improve internal<->external code transforms
...
This includes changing the way libcap headers are included.
PiperOrigin-RevId: 239173120
Change-Id: I5562d924b96bab26a29342903895324bfe385e5a
2019-03-19 05:51:53 -07:00
Kevin Hamacher
5d216fb191
Only spawn init processes when using PID NS
...
PiperOrigin-RevId: 239169620
Change-Id: I9f26cfab90189a1baa5b87a700ce892cf0c95a89
2019-03-19 05:14:29 -07:00
Sandboxed API Team
5aa13876a4
Formatting fixes.
...
PiperOrigin-RevId: 239159980
Change-Id: Ic6185368392622bf3f4c661e37f6b9fcca0d60a6
2019-03-19 03:41:32 -07:00
Disconnect3d
95d35615b8
Fix user namespaces link in howitoworks.md
2019-03-18 21:22:53 +01:00
Christian Blichmann
177b969e8c
Sandboxed API OSS release.
...
PiperOrigin-RevId: 238996664
Change-Id: I9646527e2be68ee0b6b371572b7aafe967102e57
Signed-off-by: Christian Blichmann <cblichmann@google.com>
2019-03-18 19:00:48 +01:00