Commit Graph

1213 Commits

Author SHA1 Message Date
Sandboxed API Team
5513e560eb Add option to block the ptrace system call instead of denying it.
PiperOrigin-RevId: 451347905
Change-Id: Iaed0f6f116bca3be4e6e7009dddd4dd6267823bb
2022-05-27 02:57:37 -07:00
Sandboxed API Team
65487bca39 Fix typo.
PiperOrigin-RevId: 451345082
Change-Id: Id443348448fa4cb6e682d18be64d39e363e20e0c
2022-05-27 02:42:14 -07:00
Oliver Kunz
a761362d71 Internal Changes
PiperOrigin-RevId: 449714418
Change-Id: I12241fff9fdf97f22258d4a18ff4d54b2587d6dc
2022-05-19 04:55:24 -07:00
Wiktor Garbacz
88b0a9e2e5 Fix possible crash when multiple termination conditions occur simultaneously
E.g. a failed `KillSandboxee` for a timeout would already set the exit status code while there could be an external kill pending at the same time which would try to `KillSandboxee` again and thus set exit status code again.

PiperOrigin-RevId: 448464765
Change-Id: Ic5744a576c4255504bfb1d5c4f33253b5bb32b6f
2022-05-13 04:35:27 -07:00
Wiktor Garbacz
5e61ce0853 More permissive ptrace handling in edge cases
This should make multithreaded sandboxees that exec (or send `SIGKILL`) behave more reliably.

PiperOrigin-RevId: 447458426
Change-Id: Ifdace340462199dc24c8cdf25d589ef6b24991e1
2022-05-09 06:58:27 -07:00
Christian Blichmann
69ed3d6946 clang_generator: Fix build breakage with most recent LLVM
PiperOrigin-RevId: 447443100
Change-Id: I7b7ca475be159dc5e2c2f4e6f1596ff7bb0438e2
2022-05-09 05:24:25 -07:00
Sandboxed API Team
84673bbe3e Allow readlinkat with sanitizers
Required after https://reviews.llvm.org/D124212

PiperOrigin-RevId: 445551132
Change-Id: I140c67544d0cf18ee6c75aa9407777bd3414d929
2022-04-29 18:23:59 -07:00
Christian Blichmann
51799f99ae Introduce a transitional logging utility library
Instead of calling `google::InitGoogleLogging()` directly, introduce an
indirection via a new utility library. After this change, Sandboxed API
should consistently use `sapi::InitLogging()` everywhere.

For now, `sapi::InitLogging()` simply calls its glog equivalent. However,
this enables us to migrate away from the gflags dependency and use Abseil
flags. Once a follow-up change lands, `sapi::InitLogging()` will instead
initialize the google logging library with flags defined from Aseil.

Later still, once Abseil releases logging, we can then drop the glog
dependency entirely.

PiperOrigin-RevId: 445363592
Change-Id: Ia23a7dc88b8ffe65a422ea4d5233bba7bdd1303a
2022-04-29 02:14:06 -07:00
Oliver Kunz
905c252e71 Remove AllowStaticStartup because AllowDynamicStartup calls this as well
PiperOrigin-RevId: 445349786
Change-Id: I28686ede2e22e641a8f90caacedf289b2d5c9a2e
2022-04-29 00:48:37 -07:00
Christian Blichmann
a420682099 Use an env var instead of -logtostderr
This should make it easier to migrate away from gflags.

PiperOrigin-RevId: 444834240
Change-Id: If9717131b7a803a8459992b68933491a0945182e
2022-04-27 06:00:37 -07:00
Christian Blichmann
1a856e1932 PFFFT: Use Abseil flags
PiperOrigin-RevId: 444790093
Change-Id: I01fdac7ff07a3ae65bec32cd20dba2c63841c9a7
2022-04-27 01:32:12 -07:00
Christian Blichmann
6cbde854d6 #Cleanup: Consistently use char* argv[] instead of char**
PiperOrigin-RevId: 444782296
Change-Id: If8e7647be28f794392675ae001abbe9b809da0ac
2022-04-27 00:43:51 -07:00
Christian Blichmann
30d42a381e bazel: Reorganize dependencies
Also revert the `.bazelversion` file again, as this will enforce a fixed
version, not a minimum version, which does not work well with our BazelCI.

PiperOrigin-RevId: 444178761
Change-Id: Ib6d1d126d850640ca7d692543784263790b8c418
2022-04-24 23:51:33 -07:00
Christian Blichmann
ff9009458c Disable deprecation warnings
Internally, we rely on clang-tidy to warn about using deprecated declarations.
And for using deprecated declarations within SAPI itself, we should not warn.

Drive-by:
- Fix warning in `mounts_test.cc`
PiperOrigin-RevId: 443634512
Change-Id: I7ef66f0ba77201026490baab07766510c1c55c6a
2022-04-22 04:58:02 -07:00
Christian Blichmann
28d6122d6b bazel: Add 5.1.1 as version in .bazelversion
PiperOrigin-RevId: 443634342
Change-Id: I6e23268ad7859dca8e84a1857f14e23b3437a45c
2022-04-22 04:56:56 -07:00
Christian Blichmann
a60ff1a95c Remove OsErrorMessage in favor of Abseil's new ErrnoToStatus
#Cleanup

PiperOrigin-RevId: 443359044
Change-Id: I2b3e385a1846feac79edd28fcbf6e85b1429a44a
2022-04-21 06:15:38 -07:00
Copybara-Service
d8d7d74ae2 Merge pull request #160 from oshogbo:libxls
PiperOrigin-RevId: 443307436
Change-Id: Ic2550e45cf3f55cac9fcfce37cf669c6a6f9fc96
2022-04-21 01:27:49 -07:00
Christian Blichmann
839914d6dd cmake: Rename build options to follow Abseil naming
`BUILD_TESTING` is a CMake provided option and we should use similar naming,
just like how Abseil does it.

- `SAPI_ENABLE_TESTS` -> `SAPI_BUILD_TESTING`
- `SAPI_ENABLE_CONTRIB_TESTS` -> `SAPI_CONTRIB_BUILD_TESTING`
- `SAPI_ENABLE_EXAMPLES` -> `SAPI_BUILD_EXAMPLES`

Drive-by:
- Fix option name in GitHub action
PiperOrigin-RevId: 443305932
Change-Id: Ice2b42be1229a0f9ae7c2ceda9ce87187baf22c4
2022-04-21 01:17:39 -07:00
Christian Blichmann
c0cfeed925 cmake: Include CTest in all projects, honor BUILD_TESTING setting
Including the `CTest` modules ensures that the `BUILD_TESTING` option is
defined and automatically calls `enable_testing()` if needed. It does not
change the default or introduce any dependencies on its own.

This follows what Abseil already does in their top-level `CMakeLists.txt`.

PiperOrigin-RevId: 443305646
Change-Id: If067c17470f497437c7748aab4aab5227c26e84f
2022-04-21 01:15:34 -07:00
Christian Blichmann
8dd9d47ba7 Update to latest Abseil
PiperOrigin-RevId: 443303135
Change-Id: Ia769b1269be000ba5c3937803c56d5d0b2c66ca0
2022-04-21 00:59:21 -07:00
Christian Blichmann
5159addd1b bazel: Drop dependency on util/flags.h in runfiles helper
Bazel's `Runfiles::Create()` does not actually need a value for `argv0` in
order to find runfiles for the current `cc_binary`.

- Rename `runfiles.cc` to `runfiles_nobazel.cc`

PiperOrigin-RevId: 443061178
Change-Id: I31e16d69d24aecbc403f9407fc08c615bb1e8f9f
2022-04-20 04:46:08 -07:00
Christian Blichmann
456d9f341e Sandbox2: Check for substring in CRC4 test
PiperOrigin-RevId: 442793060
Change-Id: If2483e13a9bdab5803e949bc4b568caa9569a818
2022-04-19 06:15:34 -07:00
Oliver Kunz
418c73b128 Bazel definitions for Android.
PiperOrigin-RevId: 442749255
Change-Id: I58eafe8780813cdcfb3d439c4158b16ae442dac6
2022-04-19 02:06:21 -07:00
Copybara-Service
5125c8fe1b Merge pull request #138 from oshogbo:brotli
PiperOrigin-RevId: 442741238
Change-Id: Ic8183c0fa74db45ecab0d677d4b901a78a98df40
2022-04-19 01:16:35 -07:00
Mariusz Zaborski
d1108b1817 Sandbox libxls 2022-04-12 19:02:29 -04:00
Sandboxed API Team
ce5da915a2 Add default member initializer for sandbox2::Executor::Process members
PiperOrigin-RevId: 440877694
Change-Id: I0899393b05d064cd8318e11eef796f89b3c0ad0e
2022-04-11 06:59:17 -07:00
Christian Blichmann
c6166b1364 CMake: Workaround for compile_commands.json being incomplete
When building contrib libraries as a Sandboxed API super-project or when
building Sandboxed API as a sub-project, CMake may not include all files
when writing a `compile_commands.json`, leading to missing include paths
for the libtooling interface generator.

This change sets `CMAKE_EXPORT_COMPILE_COMMANDS` as a cache variable so
that it persists across project boundaries. Writing compilation databases,
even when they are otherwise unused, is harmless.

PiperOrigin-RevId: 439820022
Change-Id: Ice96e78cf41fff5792aa0a8734f1ccf80f541e4c
2022-04-06 06:24:20 -07:00
Christian Blichmann
0d833be608 clang_generator: Remove .isystem parameter file support
The corresponding command-line option `sapi_isystem` will be ignored for
compatibility.

PiperOrigin-RevId: 439806387
Change-Id: I8ad6d7feed2fba5fca9940281f03cfc757ada5be
2022-04-06 05:17:44 -07:00
Christian Blichmann
eb20966666 CMake: Do not generate .isystem files for libtooling interface generator
The generated `compile_commands.json` contains everything that the interface
generator needs.

PiperOrigin-RevId: 439800377
Change-Id: I5b364edc20eaae9554ce10a96caa3559fb780210
2022-04-06 04:47:59 -07:00
Christian Blichmann
c5afd39cc4 contrib: Fix Jsonnet examples
PiperOrigin-RevId: 439765726
Change-Id: I8371b7b1e5b7527e882e04e583e51e126ad735b9
2022-04-05 23:58:29 -07:00
Christian Blichmann
944e931a95 contrib: Fix pffft
PiperOrigin-RevId: 439752452
Change-Id: I93f359ee2a89ce911a4d77787d739b01705d8703
2022-04-05 21:52:51 -07:00
Christian Blichmann
cc97c3762d GitHub Actions: Build and test contrib libraries
This adds basic workflows to build jsonnet and pffft, to be expanded later.

PiperOrigin-RevId: 439564724
Change-Id: Ia408545f8badd70b7aeeddb7a789d0d267cd0652
2022-04-05 06:31:22 -07:00
Christian Blichmann
b29e09b4da GitHub Actions: Improve caching, cleanup
- Set the correct cache path, previously cache was ineffective
- Build in `${GITHUB_WORKSPACE}/build` sub-directory
- Update `actions/cache` to `v3`
- Reformat build steps
- Use CMake's `-S` and `-B` options to specify source and build directories

PiperOrigin-RevId: 439560955
Change-Id: I6b07fa4e3a6416725fa1d3d2b7174a4186648033
2022-04-05 06:12:27 -07:00
Christian Blichmann
761c4ac45d Update to latest Abseil, Bazel Skylib
PiperOrigin-RevId: 439558257
Change-Id: I36ac05e51f800ada02e8890594b095db8ee654ee
2022-04-05 05:58:26 -07:00
Copybara-Service
00fbfeb647 Merge pull request #136 from oshogbo:zstd_type
PiperOrigin-RevId: 439542219
Change-Id: Ie6bdff05b5aa50c6fccb0786b073240e72c4b215
2022-04-05 04:24:50 -07:00
Christian Blichmann
07ca5064d1 Internal change
PiperOrigin-RevId: 439541914
Change-Id: Ib0a0941436da61b499d7359e0ea06d244a111970
2022-04-05 04:22:55 -07:00
Christian Blichmann
fc85310da2 bazel: Add copts, defines, and data to sapi_library()
This makes `sapi_library()` more compatible with Bazel's native `cc_library()`
rule.

PiperOrigin-RevId: 439512659
Change-Id: If731f600d56db56f78d2897e0c41a200daa93b75
2022-04-05 01:12:53 -07:00
Sandboxed API Team
1db315207a Allow access to /sys/devices/system/cpu/
PiperOrigin-RevId: 439506287
Change-Id: I5d41ed234860f02329c960144b1da725e24549dd
2022-04-05 00:29:08 -07:00
Mariusz Zaborski
dd3cb0f1b5 Sandbox brotli 2022-04-04 04:51:19 -04:00
Christian Blichmann
e98133c7b4 bazel: Use linkopts instead of srcs for consuming archives
This should fix the build on Debian 10 with LLVM 11.

- Keep order of files to look up in `ls` invocation
- Use `--start-group`/`--end-group` linker options
- Drive-by: use `splitlines()` instead of manual `split("\n")[:-1]`

PiperOrigin-RevId: 439248079
Change-Id: I919bb292ac8a5f514431aa004345f1c6478b1cc9
2022-04-04 01:00:54 -07:00
Copybara-Service
e46b7fc50a Merge pull request #146 from oshogbo:matchers
PiperOrigin-RevId: 439247791
Change-Id: I631cc3c30f78e5496e1d104717bdc4908b727a0c
2022-04-04 00:59:25 -07:00
Christian Blichmann
3afdedd2de BazelCI: Install the packages with sudo
PiperOrigin-RevId: 438800858
Change-Id: Ib7584313ff51869e3e62d5c54c2f04e2969bae50
2022-04-01 05:24:17 -07:00
Christian Blichmann
3f72b3cab7 bazel: Set generator version to default v1
No change in behavior.

PiperOrigin-RevId: 438766481
Change-Id: Iaf52d32856007fb83ee0032d4d5097482f45f47d
2022-04-01 01:45:50 -07:00
Christian Blichmann
4b2c730c5e Bazel: Make generator configurable
This change introduces an experimental `generator_version` attribute to the
`sapi_library()` rule. Version `1` will select the current interface
generator, which is based on libclang and Python. Setting the attribute to
version `2`, will select the newer interface generator written in C++ that
uses a full clang compiler frontend for parsing. Both emit equivalent header
output, differences in parsing and/or edge cases notwithstanding.

The default, as of now, is still the old version `1` generator.

Note: CMake allows to select the new interface generator globally by setting
`SAPI_ENABLE_GENERATOR`.
PiperOrigin-RevId: 438765013
Change-Id: I69c49a6bcf1751724edb0bce5c3b2beea2097138
2022-04-01 01:34:48 -07:00
Christian Blichmann
5d7ea8dd28 Update BazelCI config with LLVM and Clang dev packages
This should make the build much faster when compiling the new interface
generator on BazelCI.

PiperOrigin-RevId: 438762508
Change-Id: Ie7efe14d7bd2b14d58cbbb7865b36751918d9145
2022-04-01 01:15:43 -07:00
Christian Blichmann
74bb2c35ca bazel: Add build rules for the new interface generator
This adds a workspace rule that inspects the current system first and
downloads a suitable version of LLVM/Clang from GitHub if it can't
find one. In the latter case, the necessary parts are build from source,
which can take a while (~10-15m, depending on the build machine).

In order to be found, LLVM/Clang system libraries must be version 11
or higher. On Debian/Ubuntu, install `llvm-13-dev` and `libclang-13-dev`.

The new `llvm_config.bzl` implements this logic. It is loosely based on
upstream's https://github.com/llvm/llvm-project/blob/main/utils/bazel/configure.bzl.
Note that due to the way Bazel separates local repositories, we have to
duplictate some of this code.

PiperOrigin-RevId: 438759950
Change-Id: Ia65f473b4cdef6507e3816bf09794ea10963d87a
2022-04-01 00:55:30 -07:00
Copybara-Service
2a6cf7afb8 Merge pull request #115 from DemiMarie:woff2
PiperOrigin-RevId: 438754304
Change-Id: Icb763ee93ea1b36ab52a05a9e2bebb217fccffe7
2022-04-01 00:10:43 -07:00
Christian Blichmann
1174e529c8 bazel: Set host C++ standard
Update `.bazelrc` for local (host target) tooling. This is a necessary
precondition to compile the new interface generator with Bazel.

PiperOrigin-RevId: 438541332
Change-Id: I9341ee4d1f4434c1d083e0d49774c61f9ebd7d7b
2022-03-31 05:18:50 -07:00
Oliver Kunz
ed853afbe5 Extend ValidateInterpreter with Android_Arm64 interpreter
PiperOrigin-RevId: 438325813
Change-Id: I13fc285f19ff333e56ef018a77ec5c789d8b09ff
2022-03-30 09:45:58 -07:00
Oliver Kunz
c1ac5c3833 Changes to comms_test module to run unittests with --config=android_arm64
PiperOrigin-RevId: 438017732
Change-Id: I10a8ec154793f57f194a265e590f39b36c3d3043
2022-03-29 07:16:43 -07:00