Commit Graph

67 Commits

Author SHA1 Message Date
Wiktor Garbacz
f87b6feb18 stack_trace: do not add common libraries when not a custom fork-server
Avoids duplicate entries warnings and tightens the namespace.
Drive-by: modernize the policy.
PiperOrigin-RevId: 503108939
Change-Id: If34d23dd83ca39682799dfb36bd0b9b9ceb19fdc
2023-01-19 02:47:49 -08:00
Sandboxed API Team
bc6937ac82 Add logging of stack traces of all threads that were terminated by a signal or
when the sandboxee did not exit normally.
Disabled by default, enabled with a flag.

PiperOrigin-RevId: 502807175
Change-Id: Icb5236cbfac0168a2d855c68967f7a1e8bd13fe3
2023-01-18 01:45:01 -08:00
Sandboxed API Team
756176f206 On new process, check for the clone3 syscall.
PiperOrigin-RevId: 499918752
Change-Id: I7279e76593976c224a15be901834bf6225aebe85
2023-01-05 10:02:09 -08:00
Wiktor Garbacz
5b3450ac8d Internal change
PiperOrigin-RevId: 494153465
Change-Id: Ice7f3e7b95f8de1348ccb281bbfa6fc7164b3353
2022-12-09 06:14:19 -08:00
Christian Blichmann
4c87556901 Use Abseil's log/flags instead of glog/gflags
Follow-up changes might be required to fully fix up the contrib sandboxes.

PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
2022-10-20 06:48:51 -07:00
Christian Blichmann
79b6784b82 #Cleanup: Consistently use std::make_unique
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
2022-10-12 05:23:42 -07:00
Wiktor Garbacz
d2c8c70d8e Internal change
PiperOrigin-RevId: 475224729
Change-Id: Id7c05c7542c44f58e7f4027c6932acd42f3a7857
2022-09-19 01:17:22 -07:00
Sandboxed API Team
75c7081622 For the SECCOMP event, check if the event msg is in the range of one of the known architectures.
If it isn't, assume that the process has exited and the event msg contains an exit code.

PiperOrigin-RevId: 471258449
Change-Id: I44408c30fe7fb39e20b55cea871f3efb68fcde67
2022-08-31 08:09:37 -07:00
Sandboxed API Team
deb3c8e77b Batch threads waiting for the monitor's attention.
Instead of doing waitpid() and processing one thread at a time, gather all waiting threads and then process them.

This avoids starving older threads when newer threads raise a lot of events.

PiperOrigin-RevId: 466366533
Change-Id: I81a878f038feac86407a8e961ecba181004f0f8a
2022-08-09 08:28:03 -07:00
Sandboxed API Team
78ee270388 Remove information about in-progress syscalls on process exit.
PiperOrigin-RevId: 463091104
Change-Id: I402cb61e9e816a20a87274ea874cddf91c101e14
2022-07-25 08:28:25 -07:00
Sandboxed API Team
e5bc3e69cd "Stack traces have been disabled" message goes to VLOG instead of INFO.
PiperOrigin-RevId: 456755121
Change-Id: I7eb7badcd5901a33dd2b2afc0833f00eeedacada
2022-06-23 06:42:35 -07:00
Wiktor Garbacz
88b0a9e2e5 Fix possible crash when multiple termination conditions occur simultaneously
E.g. a failed `KillSandboxee` for a timeout would already set the exit status code while there could be an external kill pending at the same time which would try to `KillSandboxee` again and thus set exit status code again.

PiperOrigin-RevId: 448464765
Change-Id: Ic5744a576c4255504bfb1d5c4f33253b5bb32b6f
2022-05-13 04:35:27 -07:00
Wiktor Garbacz
5e61ce0853 More permissive ptrace handling in edge cases
This should make multithreaded sandboxees that exec (or send `SIGKILL`) behave more reliably.

PiperOrigin-RevId: 447458426
Change-Id: Ifdace340462199dc24c8cdf25d589ef6b24991e1
2022-05-09 06:58:27 -07:00
Wiktor Garbacz
52d1ea8984 Avoid hard failures in StartSubProcess
PiperOrigin-RevId: 433453289
Change-Id: Ib8b08ddd31c4daa9a377960d52f0a7eb7b17de19
2022-03-09 05:17:15 -08:00
Sandboxed API Team
3f042fa54f Fix monitor for Android-ARM64
PiperOrigin-RevId: 431926820
Change-Id: Ie5adc1ec6accc7e68782c26b65fac0c32cded498
2022-03-02 06:42:42 -08:00
Christian Blichmann
d451478e26 Change license link to HTTPS URL
PiperOrigin-RevId: 424811734
Change-Id: If5ea692edc56ddc9c99fd478673df41c0246e9cc
2022-01-28 01:39:09 -08:00
Wiktor Garbacz
4a945a1748 Replace deprecated calls
PiperOrigin-RevId: 423037776
Change-Id: Id568d54854dde3778686b778648555e0b48204bc
2022-01-20 04:40:23 -08:00
Sandboxed API Team
2546d9e85b Ability to inspect a syscall's return value.
PiperOrigin-RevId: 421552017
Change-Id: I7103720723b5e5828f80731a724c5672895dfa54
2022-01-13 06:49:19 -08:00
Sandboxed API Team
85c8ae5125 Automated rollback of commit fac8713fbe.
PiperOrigin-RevId: 421356226
Change-Id: I4a179aeed226e005449c980e11b049759dad3878
2022-01-12 11:47:06 -08:00
Sandboxed API Team
fac8713fbe Ability to inspect a syscall's return value.
PiperOrigin-RevId: 421300791
Change-Id: I93b7e97a532f82c2b077766e22fb2fe9effe6ba2
2022-01-12 08:09:09 -08:00
Wiktor Garbacz
e4ef46631d Replace raw_logging with regular logging in Monitor
PiperOrigin-RevId: 413928700
Change-Id: I0bc4dd86b45c0ddd679a435003fbad2aea27fbf2
2021-12-03 07:17:36 -08:00
Kevin Hamacher
aea8bb2ed0 Automated rollback of commit 2036f5b2f0.
PiperOrigin-RevId: 395893427
Change-Id: Iabd32de9cd83de5cc8567834e1f91e48c521ac60
2021-09-10 03:34:44 -07:00
Sandboxed API Team
2036f5b2f0 Automated rollback of commit 4b018757c3.
PiperOrigin-RevId: 395067992
Change-Id: I5db335ed881aa81748a0fc8082091b160fe83e86
2021-09-06 04:07:11 -07:00
Kevin Hamacher
4b018757c3 Use absl::flat_hash_set + Status in favor of std::set in the sanitizer API
PiperOrigin-RevId: 395061068
Change-Id: I31548eb6fc9f27f55acf25bd6d3d0b941a529e63
2021-09-06 03:15:39 -07:00
Wiktor Garbacz
59f5fa8042 Allow collecting stacktraces on normal process exit
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.

PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
2021-08-16 03:13:15 -07:00
Christian Blichmann
85c58dc2d7 Reduce logspam: Log Tomoyo LSM check only with VLOG
PiperOrigin-RevId: 387114844
Change-Id: Ib670799e3327fcc991ad012ccee20b96089c2f48
2021-07-27 08:32:10 -07:00
Christian Blichmann
002cb9ae01 More efficient fork request handling and #Cleanup
- Assign to `*mutable_XXX()` instead of looping
- Use a const ref for capabilities

PiperOrigin-RevId: 384192675
Change-Id: I4db3d0c8ce0d7f6acc9fd486a2409962516b5fe7
2021-07-12 02:37:42 -07:00
Paul Wankadia
372b8e2696 Fix constant name in log message
PiperOrigin-RevId: 384187707
Change-Id: I3d322f6d00fa63fc7a2b33f8c7844c4291e4fef1
2021-07-12 01:56:42 -07:00
Wiktor Garbacz
424c543eb7 Automated rollback of commit 4a38f59728.
PiperOrigin-RevId: 381815277
Change-Id: I344c9bb1a505cc0a0dcf7e9ff979c172c484d963
2021-06-28 02:03:06 -07:00
Sandboxed API Team
4a38f59728 Automated rollback of commit a850aa44d2.
PiperOrigin-RevId: 380897565
Change-Id: Iacc50697a5ff25b79272a1549291bbf32152d3f6
2021-06-22 14:50:33 -07:00
Wiktor Garbacz
a850aa44d2 Better error handling in stacktraces
PiperOrigin-RevId: 380789060
Change-Id: I655428fd45bf305f787b75cc925d31c6ab60c074
2021-06-22 05:52:15 -07:00
Sandboxed API Team
f159359f65 Automated rollback of commit 5bb161b0db.
PiperOrigin-RevId: 375047066
Change-Id: I09ce8aafa92337c79a61f0f757ec66be2b2cefdc
2021-05-21 02:59:34 -07:00
Sandboxed API Team
5bb161b0db Automated rollback of commit e97ecfb955.
PiperOrigin-RevId: 375044368
Change-Id: Ib8bcf5d67e70fb37ef330c1433056343674a9f14
2021-05-21 02:38:05 -07:00
Christian Blichmann
e97ecfb955 Internal change
PiperOrigin-RevId: 375038366
Change-Id: I9180c2dc544d5ba12a73a67f5613e0c44e962505
2021-05-21 01:44:47 -07:00
Christian Blichmann
ca6ec4337d Add workaround for active Tomoyo LSM
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
Catalin Patulea
4344bbceba Add optional VLOG(1) for additional process info on Syscall Violation.
PiperOrigin-RevId: 368900451
Change-Id: I331d0e239e2f3176c435bd42012d155d60d0b1ac
2021-04-16 12:43:08 -07:00
Catalin Patulea
d5bd1cb38f Pretty-print ptrace event name on WIFSTOPPED.
PiperOrigin-RevId: 368688417
Change-Id: I4368268f1b05148213010768a6d4eaa87211ea45
2021-04-15 12:02:11 -07:00
Christian Blichmann
dbaf95c724 Move utility code into sandboxed_api/util
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.

Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.

PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
2021-01-13 09:25:52 -08:00
Christian Blichmann
c3ac45be3e Reimplement raw logging to avoid Abseil internals
The defined raw logging macros should be compatible with Abseil and
we can remove our version once Abseil releases theirs.

PiperOrigin-RevId: 347354273
Change-Id: I178a89cfd2e19bcd707a06fa9dfd7b767e2b654b
2020-12-14 03:34:02 -08:00
Christian Blichmann
6a1e4b881c Introduce config header to centralize CPU architecture checks
This allows us to remove some uses of macros.

Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
  processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics

PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
2020-09-10 05:48:00 -07:00
Christian Blichmann
eb62bae167 Refactor stack trace handling
- Drop `delim` argument from the `GetStackTrace()` family of functions.
  We only ever used plain spaces.
- Use an `std::vector<std::string>` for the symbolized stack frames and
  adjust the unwind proto accordingly.

This change now prints each stack frame on its own line while skipping
duplicate ones:

```
I20200717 11:47:16.811381 3636246 monitor.cc:326] Stack trace: [
I20200717 11:47:16.811415 3636246 monitor.cc:337]   map:/lib/x86_64-linux-gnu/libc-2.30.so+0xceee7(0x7fb871602ee7)
I20200717 11:47:16.811420 3636246 monitor.cc:337]   Rot13File+0x130(0x55ed24615995)
I20200717 11:47:16.811424 3636246 monitor.cc:337]   ffi_call_unix64+0x55(0x55ed2461f2dd)
I20200717 11:47:16.811429 3636246 monitor.cc:337]   map:[stack]+0x1ec80(0x7ffee4257c80)
I20200717 11:47:16.811455 3636246 monitor.cc:339]   (last frame repeated 196 times)
I20200717 11:47:16.811460 3636246 monitor.cc:347] ]
```

PiperOrigin-RevId: 322089140
Change-Id: I05b0de2f4118fed90fe920c06bbd70ea0d1119e2
2020-07-20 00:24:40 -07:00
Sandboxed API Team
a5d931ec5f Qualify uses of std::string
PiperOrigin-RevId: 297528932
Change-Id: I750c43e356be55a5bd37a8bb59d998238bd8f1bb
2020-02-27 00:03:55 -08:00
bielec
5a4e3f3d29 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 296206385
Change-Id: I53b23122abece1fe318ed4c6a7e37bf3228c8f5f
2020-02-20 07:45:44 -08:00
Sandboxed API Team
05280287e0 Automated rollback of commit 800339d672.
PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
2020-02-17 10:39:08 +01:00
bielec
800339d672 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 294640297
Change-Id: I4c6520685a658f8b7762af238588830f71b3f54a
2020-02-17 10:38:44 +01:00
Christian Blichmann
441201884a Update license header with recommended best practices
PiperOrigin-RevId: 290250533
Change-Id: Ic34b253446463cf971a055b70a242df93a598ee3
2020-01-17 05:05:29 -08:00
Sandboxed API Team
3e442b252c Allow stack trace collection when namespaces are disabled, if sandbox_libunwind_crash_handler==false.
PiperOrigin-RevId: 288267119
Change-Id: I5fce1b28521d3d685186717f153f20fb498c94e2
2020-01-06 02:34:03 -08:00
Wiktor Garbacz
e969deea33 Global deadline for ptrace attach instead of per process
PiperOrigin-RevId: 286196033
Change-Id: Ic456b881c18518c4b52ca051fa5c58590794da17
2019-12-18 08:23:55 -08:00
Wiktor Garbacz
d43d09c746 fail soft if sandboxee exits before init is ptraced
PiperOrigin-RevId: 270254470
Change-Id: Ifa13f4fe0e7ae91b79fc689e1d7dcb2a49b09cde
2019-09-20 06:13:44 -07:00
Wiktor Garbacz
da3c6c138e Fail in monitor if init process pid not received
PiperOrigin-RevId: 266886637
Change-Id: I4e896ebda8d9e15d0aefcb4139c8dc07ab938502
2019-09-03 02:37:09 -07:00