I believe it's possible for the `main_pid` to disappear between `kill` and `sigtimedwait` by means of an `exec` from a multithreaded process (`PTRACE_EVENT_EXIT` happens after the `exec`ing thread changes its tid to main_pid)
PiperOrigin-RevId: 555137959
Change-Id: Id22908fb31497c0906e4f4fda66400fbf9ac9efb
There is no strong reason why this shouln't be the case.
Some future refactorings will depend on this.
PiperOrigin-RevId: 553456024
Change-Id: I452a2804c59ed006326ab37cbe0dec80f53cd714
CRIU while restoring memfd sometimes reopens them, which might result in ETXTBUSY on execveat.
PiperOrigin-RevId: 553114741
Change-Id: I11ee7aabe48a2853a8921a270c6cdcc70b50a518
The `CreateMemFd` function sets the `MFD_ALLOW_SEALING` flag which enables seals to be set and creating an empty file seal.
PiperOrigin-RevId: 550850108
Change-Id: I1a84b7b14cc9396144048bbeb8995f2f7eca9fb7
In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy.
The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers.
PiperOrigin-RevId: 550845188
Change-Id: I151d467848983b00b71ec8447d662394fa7176db
This causes whole repo (with history) to be fetched.
Protobuf repo is especially big (>200MiB).
PiperOrigin-RevId: 549285765
Change-Id: Ifb5e3a549a014adb51e6e5eef41e72abf0149558
This is to facilitate online/offline core counting for an accurate count of the
maximum CPU ID that may be seen.
PiperOrigin-RevId: 548715133
Change-Id: I159c0d51b9800fa633172986ba4f8eca352ae336
If a sandboxing target sets a `compatible_with` constraint, the current sapi.bzl doesn't propagate this to the subsequent target generations.
We implement the forwarding similarly to the `visibility` attribute.
PiperOrigin-RevId: 546838438
Change-Id: I8a0b2623ee3aa91ffe7e6f4b001177c03806f532
- If --sandbox2_danger_danger_permit_all_and_log is set, we write to a logfile (passed via the flag).
- If --sandbox2_danger_danger_permit_all is set, we do not write any log information.
This change introduces a means to also see the syscall information on stderr by passing --v=1 and --alsologtostderr.
PiperOrigin-RevId: 542232271
Change-Id: Ie4d30f0d8e25bb1de7c60bb37736b27b89406336
To avoid code that is being parsed to include the intrinsics headers, undefine
a few key preprocessor defines.
PiperOrigin-RevId: 539878995
Change-Id: I8afb7cbdadcab3214c943c0acb9006e8bcc30611
- Abseil
- Protobuf
- Benchmark
- Googletest
In turn, some code changes were necessary:
- Use absolute imports in `sapi_generator.py` when invoked by Bazel
- Add Abseil's source dir as include dir in generated proto `.cc` files
- Bazel: Use `@rules_proto` for `proto_library` and use native `cc_proto_library`
Drive-by:
- Update year in `README.md`
- Look for clang versions 16, 15, 14, and 13 as well in `code.py`
PiperOrigin-RevId: 539032012
Change-Id: Ib9cd1d7fb38409d884eb45e1fa08927f6af83a21
This should only affect the Bazel `BUILD.bazel` files and their formatting.
PiperOrigin-RevId: 538426054
Change-Id: I0162726d3fb4bcb4d7938cddc6f39e0d9f2b4a3d
Also make sure we don't kill everything (with a `kill(-1, SIGKILL)`) if reading the pid fails.
PiperOrigin-RevId: 536371566
Change-Id: I17f6ae36b73ec43735709ff16d276abaebb00d44
Drive-by:
- Add flags to link libgcc and libstdc++ statically into the binary, making it
"mostly static"
PiperOrigin-RevId: 532349354
Change-Id: I0a86eb29b6a40aec4cec3cffeaf9511726ee4dc8
Set `SAPI_CLANG_TOOL_EXECUTABLE` to specify the location of a pre-built Clang
tool based header generator.
PiperOrigin-RevId: 531425738
Change-Id: I723d19122cc738d9906c8c568d156d44c58d9746
Tested on Debian 10.13 with `LLVM-{11,12,13,14,15,16,17}` packages from https://apt.llvm.org/.
PiperOrigin-RevId: 531211601
Change-Id: I91babb5d85be2a22a4b17d757a5f626de6c03881
`SAPI_ENABLE_GENERATOR` => `SAPI_ENABLE_CLANG_TOOL`
This prepares further changes in this area.
PiperOrigin-RevId: 531201213
Change-Id: I56bd450e6ed2dd1dbbf45db2825a75c56d277037
This makes should ensure global forkserver will be single threaded before forking the sandboxees as it does not go through WaitAndFork.
Waiting for sanitizers is not needed in the monitor and should reduce latency
by 1 second for all sanitizer builds. Currently it'll always wait up to 1 seconds for the process to become single-threaded, which will never happen as monitor itself is running in a separate thread.
PiperOrigin-RevId: 530878018
Change-Id: Ie9f663848502f2738721861b0ba2dc6f3cc9f1c9
Allows to create a Comms with unix domain sockets that are not abstract. This allows to use Comms to talk across network namespaces
PiperOrigin-RevId: 518854724
Change-Id: I4fd65466bba9512f448b73bde367f38a0fbb584d
Fixes incorrect timeout calculation and increases the wakeup interval.
Also makes poll behave correctly in presence of signals.
PiperOrigin-RevId: 516514260
Change-Id: I035701e1bb351f9ad26157b59b13b4f300cc229a
Unotify based monitor should bring big performance wins
if the sandboxee heavily uses threading or signals.
Some of the features are not supported in that mode:
- execveat is always allowed instead of just the initial one
- stack traces are not collected on normal exit or if the process is terminated by signal
PiperOrigin-RevId: 515040101
Change-Id: Ia5574d34b4ff7e91e3601edb8c9cb913e011fbf6
When symbolize.cc is built with unwind tables function from the lib calling into symbolize.cc might be duplicated in stack trace (libunwind fallback to LR)
PiperOrigin-RevId: 514324815
Change-Id: I76ee4ccf5aaf388924714284d9896fa367f5f752
Running with a permissive test policy should not interfere with sanitizers
or coverage.
Most tests should run with such a permissive policy.
The exception are tests which actually tests policy enforcement.
PiperOrigin-RevId: 513548936
Change-Id: I9a4c2cc8074997cff08cc22d15f4736219ce4d63
Check unwinding recursive calls.
Verify we can unwind in absence of unwind tables.
PiperOrigin-RevId: 513506498
Change-Id: Ib87240b7481dae3a4513c944e17a7924a54926e9
This allows to split monitor & stack_trace related targets.
Also move stack traces related functionality into MonitorBase.
PiperOrigin-RevId: 510112916
Change-Id: I60eabf9c9b3204dc369713edd8ae05fded306875
This is a preparatory step to introduce a Sandbox2 mode that does not use ptrace.
PiperOrigin-RevId: 503919613
Change-Id: I446adecc66e697c592ad938627fbfdbea12516e1
If the platform does not have `std::string_view` (i.e. `absl::string_view` is not an alias of `std::string_view`) the lookup will cause build failure.
PiperOrigin-RevId: 503159858
Change-Id: Ide8229ae0219d1cb6f3b36aba26da8d53183bc4b
Libunwind sandbox no longer needs to join sandboxee's userns.
This cleans up a lot of special handling for the libunwind sandbox.
PiperOrigin-RevId: 503140778
Change-Id: I020ea3adda05ae6ff74137b668a5fa7509c138f8
when the sandboxee did not exit normally.
Disabled by default, enabled with a flag.
PiperOrigin-RevId: 502807175
Change-Id: Icb5236cbfac0168a2d855c68967f7a1e8bd13fe3
New wrappers:
- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)
Updated wrappers:
- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.
PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
On successful completion, `unw_step()` returns a positive value
if the updated cursor refers to a valid stack frame,
or `0` if the previous stack frame was the last frame in the
chain. On error, the negative value of one of the error-codes
below is returned.
PiperOrigin-RevId: 491588164
Change-Id: Ie361023ef69eed6c895856832a8208f2791f644d
This change adds support for using the `includes`, `include_prefix` and
`strip_include_prefix` attributes of the `cc_library()` rule. Without it,
the libtooling based header generator will not be able to find all
necessary includes as it is much stricter than the current libclang based
one in that regard.
PiperOrigin-RevId: 491574088
Change-Id: Icb9f7d2719472ee1afa5df85b185c527a3c64994
Use locally unqualified types to filter ordered type declarations in
`TypeCollector::GetTypeDeclarations()`. This is necessary, as
`clang::TypeName::getFullyQualifiedName()` and
`TypeDecl::getQualifiedNameAsString()` have different ideas which
qualifiers belong to the name. The former works on `QualType`s, while
the latter deals with the declaration directly. This change decays a
`TypeDecl` into its locally unqualified `QualType`.
PiperOrigin-RevId: 490500091
Change-Id: Ie2f4eece4e673f8b06ab6661d7b6611daf34fba9
Do not try to peel off all layers of pointers/references when collecting
types, recursion works well here. Also collect the function type itself,
even if it is a pointer or if the function was the underlying type of a
typedef.
PiperOrigin-RevId: 490475937
Change-Id: I13cb3d9d3de7d25b9e627f43112c46758c7e6a22
This change changes the emitter to work on `clang::TypeDecl`s instead of
`clang::QualType`s, as the latter only describe complete definitions. This
allows us to better deal with situations where we would otherwise have a kind
of circular type dependencies: For example, a `typedef` that depends on a
`struct` which in turn has a member that references the typedef.
For this to work, we now also record the actual source order of declarations,
similar to what the libclang based header generator does.
Also add some more tests for the newly covered cases.
PiperOrigin-RevId: 488370914
Change-Id: I2d1baa863fb12d1801bf11a20f3f88df7fde3129
When generating headers from libraries that export functions as `extern "C"`
but still use namespaces (C-compatible C++ libraries), we want to generate
a Sandboxed API that includes fully-qualified namespace names as well.
In addition, we want the generated API to have the same source order as the
original library. Not only is this less surprising when reading the generated
code, it's also more accurate. Previously, we'd bundle all definitions in a
namespace and sort those alphabetically, but for code that relies on symbols
from another namespace to be available, generation will fail:
```c++
namespace zzz {
using entity_count_t = uint64_t;
} // namespace zzz
namespace sheep_counter {
using sheep_count_t = :💤:entity_count_t;
extern "C" void IncreaseSheepCounter(sheep_count_t increment);
} // namespace sheep_counter
```
PiperOrigin-RevId: 486586024
Change-Id: I419c9db8e9cb5b904364b353e2dc3d7f1030fab3
An `absl::StatusCode` of `kCancelled` now indicates warnings inside the emitter.
PiperOrigin-RevId: 485851898
Change-Id: I10a57cbc1b6c2d4b708c3c19aa0fa71451845a22
