Commit Graph

536 Commits

Author SHA1 Message Date
Wiktor Garbacz
8fbe21ce0e Really give priority to main_pid
Do process all events as soon as one for priority_pid arrives.

PiperOrigin-RevId: 553156575
Change-Id: I57a9b4ca54a0e0fe5f01245b130f53ef3f8678fc
2023-08-02 08:42:51 -07:00
Wiktor Garbacz
3bbb98c494 Better error when calling RunAsync on a Sandbox2 instance twice
PiperOrigin-RevId: 553129224
Change-Id: I92ff15d111ccd5e7d4310a2e1559811dd1cc7027
2023-08-02 06:44:21 -07:00
Oliver Kunz
eaa175c8d2 Sandbox2: Remove file sealing for in-memory files.
The `CreateMemFd` function sets the `MFD_ALLOW_SEALING` flag, which enables seals to be set, and creates an empty file seal.

PiperOrigin-RevId: 550850108
Change-Id: I1a84b7b14cc9396144048bbeb8995f2f7eca9fb7
2023-07-25 05:04:52 -07:00
Oliver Kunz
04ed89906b Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers.
In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy.

The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers.

PiperOrigin-RevId: 550845188
Change-Id: I151d467848983b00b71ec8447d662394fa7176db
2023-07-25 04:38:43 -07:00
Wiktor Garbacz
9d1d4b7fd3 Disallow AddPolicyForSyscalls with an empty list
PiperOrigin-RevId: 549887306
Change-Id: I05a97b39a2c92ad5ab2002c7af7e83a8184392cf
2023-07-21 02:24:44 -07:00
Wiktor Garbacz
e86462db77 Remove redundant buffer test
It tested Comms rather than different Buffer functionality.

PiperOrigin-RevId: 549880115
Change-Id: I095464540fa21cc4b3bee1d87e1e046807b6f18c
2023-07-21 01:53:54 -07:00
Wiktor Garbacz
25f27ef935 Allow replacing a read-only node with writable for same target
PiperOrigin-RevId: 548942347
Change-Id: I4b22740ca27772831afcddb69d515c84aca04c51
2023-07-18 02:45:13 -07:00
Chris Kennelly
4ba75ea0a2 Allow TCMalloc users access to the possible cpus list.
This is to facilitate online/offline core counting for an accurate count of the
maximum CPU ID that may be seen.

PiperOrigin-RevId: 548715133
Change-Id: I159c0d51b9800fa633172986ba4f8eca352ae336
2023-07-17 09:31:22 -07:00
Wiktor Garbacz
f0e85cea13 Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced
Use the new interface in AllowRestartableSequences.

PiperOrigin-RevId: 548619728
Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f
2023-07-17 01:58:46 -07:00
Sandboxed API Team
39026f7678 Internal Code Change
PiperOrigin-RevId: 548043988
Change-Id: Iba4a828eeb53205f28dae85fc179cee21b104632
2023-07-14 00:30:56 -07:00
Christian Blichmann
64ac98bf4d Sandbox2: Remove commented out include
PiperOrigin-RevId: 542784635
Change-Id: Ie763ff5606e2241b2a5e3f89d57ed8d3e1c1ee63
2023-06-23 00:46:59 -07:00
Oliver Kunz
0463298780 Sandbox2: Improve logging of syscall information.
- If --sandbox2_danger_danger_permit_all_and_log is set, we write to a logfile (passed via the flag).

- If --sandbox2_danger_danger_permit_all is set, we do not write any log information.

This change introduces a means to also see the syscall information on stderr by passing --v=1 and --alsologtostderr.

PiperOrigin-RevId: 542232271
Change-Id: Ie4d30f0d8e25bb1de7c60bb37736b27b89406336
2023-06-21 06:11:57 -07:00
Sandboxed API Team
cf43c0f02c Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc
PiperOrigin-RevId: 540905937
Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db
2023-06-16 09:34:07 -07:00
Kevin Hamacher
93c1423b15 sandbox2: Provide sandboxee rusage when using unotify monitor
PiperOrigin-RevId: 540841898
Change-Id: Icc635e107c138ac67e2b948eadbbcb4234f6c7f8
2023-06-16 04:37:18 -07:00
Kevin Hamacher
66aeb6e59d Error out if invalid custom forkserver path is specified
PiperOrigin-RevId: 540526350
Change-Id: Id7f4ea9290074c15c700c27c2d252b9f54a282bd
2023-06-15 03:17:02 -07:00
Wiktor Garbacz
654668fc4e stack_trace: avoid copying /proc/{pid}/exe if possible
The executable might not be inside the mount tree.

PiperOrigin-RevId: 539564862
Change-Id: I94e748608a36c8e9203ffe4b6de443e026e4546a
2023-06-12 00:14:40 -07:00
Christian Blichmann
72452e1582 Mostly internal change: Optimize OSS transforms
This should only affect the Bazel `BUILD.bazel` files and their formatting.

PiperOrigin-RevId: 538426054
Change-Id: I0162726d3fb4bcb4d7938cddc6f39e0d9f2b4a3d
2023-06-07 02:23:18 -07:00
Wiktor Garbacz
6cd83d68de Fix deadlock in forkserver if setting ns fails
Also make sure we don't kill everything (with a `kill(-1, SIGKILL)`) if reading the pid fails.

PiperOrigin-RevId: 536371566
Change-Id: I17f6ae36b73ec43735709ff16d276abaebb00d44
2023-05-30 05:49:40 -07:00
Wiktor Garbacz
7ba0a794d1 Fix check for init process
PiperOrigin-RevId: 532473530
Change-Id: Ia5f84073e372a63f70425d0fa68ac178019e80be
2023-05-16 08:51:15 -07:00
Wiktor Garbacz
9b307fc204 Remove leftover stack_trace sources from sandbox2 target
PiperOrigin-RevId: 531168602
Change-Id: Ib9c0942e5ba9cf0d577f88a6091245ca02d5674e
2023-05-11 04:59:29 -07:00
Wiktor Garbacz
5b12071ba0 Remove WaitForSanitizers from ptrace monitor & add to global forkserver
This should ensure the global forkserver will be single-threaded before forking the sandboxees, as it does not go through WaitAndFork.

Waiting for sanitizers is not needed in the monitor and should reduce latency
by 1 second for all sanitizer builds. Currently it'll always wait up to 1 second for the process to become single-threaded, which will never happen as the monitor itself is running in a separate thread.

PiperOrigin-RevId: 530878018
Change-Id: Ie9f663848502f2738721861b0ba2dc6f3cc9f1c9
2023-05-10 05:06:18 -07:00
Kevin Hamacher
fb1571c801 Automated rollback of commit f6fd27618b.
PiperOrigin-RevId: 529395980
Change-Id: I6a5d451ed84f8d4a522777815c6cc2d7d7a8923c
2023-05-04 06:53:48 -07:00
Christian Blichmann
7e9f6c3df3 Fix typo
PiperOrigin-RevId: 529325261
Change-Id: Ia663900a55d51805e330d989ed0965dc4e8f9b17
2023-05-04 00:46:53 -07:00
Oliver Kunz
9ab20c5411 Implements the ability to control who is allowed to enable unrestricted networking.
PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
2023-05-03 23:29:34 -07:00
Sandboxed API Team
f6fd27618b Automated rollback of commit 8c53262539.
PiperOrigin-RevId: 529101664
Change-Id: Ica452c6ee8f54b78be09fa830a09d6a89800cf44
2023-05-03 08:45:11 -07:00
Kevin Hamacher
8c53262539 Allow forkserver to use waitpid as alternative to sa_nochldwait
PiperOrigin-RevId: 529074278
Change-Id: If63015586673610e111ee589995e5264523be7a7
2023-05-03 06:41:07 -07:00
Wiktor Garbacz
0caa3e740c Do not expose forkserver.h
PiperOrigin-RevId: 520562657
Change-Id: I89fbe3012a5e63a50c46fd4f1e4ade8d36616c0b
2023-03-30 00:49:44 -07:00
Wiktor Garbacz
5efae5cdf5 Do not exit from within ForkServer to get more precise coverage data
PiperOrigin-RevId: 520273079
Change-Id: I3f37d9eacc2c284c45f37842e1e63364cf64faf2
2023-03-29 02:22:16 -07:00
Wiktor Garbacz
a4d602298b Dump coverage prior to execveat
PiperOrigin-RevId: 520002416
Change-Id: Ic792b0b71b8e7b2f00b669db9b6831acd8341c5c
2023-03-28 05:50:43 -07:00
Wiktor Garbacz
1755ba08e1 Internal Code Change
PiperOrigin-RevId: 519725866
Change-Id: Ibac005b875127ae68e28346fb78e74e789cff01e
2023-03-27 08:14:10 -07:00
Sandboxed API Team
9f2ba9d6a1 Comms constructor for non abstract sockets
Allows creating a Comms with Unix domain sockets that are not abstract. This allows using Comms to talk across network namespaces.

PiperOrigin-RevId: 518854724
Change-Id: I4fd65466bba9512f448b73bde367f38a0fbb584d
2023-03-23 07:34:32 -07:00
Sandboxed API Team
18894d57f9 Add a helper method to allow the eventfd* family of syscalls.
PiperOrigin-RevId: 518565738
Change-Id: I2a3efe069ab1da65dd5f7cdcd3762637b7274b49
2023-03-22 07:46:56 -07:00
Wiktor Garbacz
b50bc23138 Remove no longer needed friend declaration
Drive-by dependency cleanup.

PiperOrigin-RevId: 518551045
Change-Id: I132dfc42945f500e8efec58a4d58d3bee4d1f191
2023-03-22 06:27:21 -07:00
Wiktor Garbacz
8a38e4de47 Copy environ in sandbox2_test to get better coverage data
PiperOrigin-RevId: 518544187
Change-Id: Id13a5503060817e1dead7ee4a5e310d322de3a5e
2023-03-22 05:47:00 -07:00
Wiktor Garbacz
99931c2ad6 Move abort into ExecuteProcess and mark it noreturn
PiperOrigin-RevId: 518528953
Change-Id: Ieaa03af484188bb35f9734d69d987eabbdcc23ab
2023-03-22 04:07:10 -07:00
Sandboxed API Team
b62d103426 Internal change
PiperOrigin-RevId: 518204712
Change-Id: Idcb8cc7b20198dcc0f3692aa0c89e9c620b9d65d
2023-03-21 01:49:22 -07:00
Wiktor Garbacz
9867ce3beb Make SAPI_RAW_LOG(FATAL, ...) noreturn
PiperOrigin-RevId: 517941912
Change-Id: I655aaf7101c566f8f01c1a5296539186701a10de
2023-03-20 05:43:28 -07:00
Wiktor Garbacz
10b89d4d33 Add missing LOAD_SYSCALL_NR
PiperOrigin-RevId: 516777043
Change-Id: Icccb8260c7e54299c5aa2ddfee4086232e2b8ffb
2023-03-15 03:29:56 -07:00
Wiktor Garbacz
690b31a038 Fix the poll in wait_for_sandboxee branch
PiperOrigin-RevId: 516544270
Change-Id: Ibb10611b9b7713ac6513199b6213c15d22772ea5
2023-03-14 09:19:30 -07:00
Wiktor Garbacz
5a2bdd436d Fix poll in unotify monitor
Fixes incorrect timeout calculation and increases the wakeup interval.
Also makes poll behave correctly in presence of signals.

PiperOrigin-RevId: 516514260
Change-Id: I035701e1bb351f9ad26157b59b13b4f300cc229a
2023-03-14 07:04:18 -07:00
Wiktor Garbacz
cb63dfead5 Add tests for util.cc
PiperOrigin-RevId: 516439597
Change-Id: I2ac88b6188738e47f0e0bdb04382a50aa5aa9366
2023-03-14 00:04:14 -07:00
Wiktor Garbacz
10d44614fd Partial support for sandbox2::Notify in UnotifyMonitor
PiperOrigin-RevId: 515562555
Change-Id: Ie73c34bc7e35942b307c458cfef80510e0b734c3
2023-03-10 00:59:37 -08:00
Wiktor Garbacz
a31584ff49 Add explicit cast to fix build error
PiperOrigin-RevId: 515263097
Change-Id: Ib5b6c28587be889b5e2ef8d013fa57cbb0d8ffd3
2023-03-09 01:03:36 -08:00
Wiktor Garbacz
e031c11bdc Update naming and lambda capture for stack size
PiperOrigin-RevId: 515254988
Change-Id: I394dc039bcfcbd2ccd7c705a91974f4183b28c39
2023-03-09 00:14:39 -08:00
Wiktor Garbacz
0d3d5d4bcb Seccomp_unotify based monitor
The unotify-based monitor should bring big performance wins
if the sandboxee heavily uses threading or signals.
Some of the features are not supported in that mode:
- execveat is always allowed instead of just the initial one
- stack traces are not collected on normal exit or if the process is terminated by signal

PiperOrigin-RevId: 515040101
Change-Id: Ia5574d34b4ff7e91e3601edb8c9cb913e011fbf6
2023-03-08 08:09:34 -08:00
Sandboxed API Team
80cc894c39 Allow sched_getaffinity with sanitizers
PiperOrigin-RevId: 515024410
Change-Id: I7c48d701b0c3ecab41c3363f8cb46a1c8fa6d97e
2023-03-08 06:51:19 -08:00
Wiktor Garbacz
e3b2d232b4 Add test for bpf disassembler
Also always handle the new return values.

PiperOrigin-RevId: 514698931
Change-Id: Ib4ce06e4f17c438271a0452053d3b0bc368e9970
2023-03-07 05:04:09 -08:00
Wiktor Garbacz
e46a526865 Add explicit casts to avoid build failures
PiperOrigin-RevId: 514698583
Change-Id: I0ebf2c14a74330ead3a362a48d1776060ea70fbe
2023-03-07 05:02:45 -08:00
Wiktor Garbacz
a8db8bfcf7 PTHREAD_STACK_MIN is not always a constexpr
PiperOrigin-RevId: 514695823
Change-Id: Iecf16f0bd563d85f80b0697d14293ff2d3133aef
2023-03-07 04:47:53 -08:00
Wiktor Garbacz
9f657e6a62 Consistently exclude examples from coverage runs
PiperOrigin-RevId: 514443652
Change-Id: Ia020371928e94d8b9bd98a9318c5d884f96c9f86
2023-03-06 10:03:12 -08:00