Commit Graph

82 Commits

Author SHA1 Message Date
Wiktor Garbacz
15fb5b9608 Allow sigaltstack
`absl::GetStackTrace` on Aarch64 since
bb7bbb12c7 will call sigaltstack.

PiperOrigin-RevId: 581914257
Change-Id: I316bdd64d1cef8a6327838681bda0067a0dc50fc
2023-11-13 04:22:29 -08:00
Chris Kennelly
f5830c93cd Ensure that TCMalloc can execute NumCPUs.
PiperOrigin-RevId: 565683514
Change-Id: I391ab5f184f487ef3ffc553d10581cd6eaee54de
2023-09-15 08:21:13 -07:00
Wiktor Garbacz
5f9698612e Better network proxy tests
Fix sending error on `connect` failure.

PiperOrigin-RevId: 562693682
Change-Id: I70c710a9001f22e172cbe4df328983bfa7188d3d
2023-09-05 00:57:27 -07:00
Wiktor Garbacz
2c9ac02b68 Rework network_proxy related tests/examples
PiperOrigin-RevId: 561632543
Change-Id: I85843cc1cac8348273a5593339b38ae08e07592c
2023-08-31 06:06:09 -07:00
Wiktor Garbacz
127176d72f Bulk IWYU and build_cleaner fixes
PiperOrigin-RevId: 559733768
Change-Id: Ia38f4c176e9f0abbfdb3a8f1109f482d8870eb0f
2023-08-24 06:23:36 -07:00
Christian Blichmann
72452e1582 Mostly internal change: Optimize OSS transforms
This should only affect the Bazel `BUILD.bazel` files and their formatting.

PiperOrigin-RevId: 538426054
Change-Id: I0162726d3fb4bcb4d7938cddc6f39e0d9f2b4a3d
2023-06-07 02:23:18 -07:00
Wiktor Garbacz
1755ba08e1 Internal Code Change
PiperOrigin-RevId: 519725866
Change-Id: Ibac005b875127ae68e28346fb78e74e789cff01e
2023-03-27 08:14:10 -07:00
Wiktor Garbacz
9f657e6a62 Consistently exclude examples from coverage runs
PiperOrigin-RevId: 514443652
Change-Id: Ia020371928e94d8b9bd98a9318c5d884f96c9f86
2023-03-06 10:03:12 -08:00
Wiktor Garbacz
6827dc0059 Remove superfluous set_rlimit_as(RLIM64_INFINITY)
Address space limit is set to infinite by default.

PiperOrigin-RevId: 513755637
Change-Id: I42e79b21bc9b0f4b52e461994fef2ed104752957
2023-03-03 01:14:31 -08:00
Wiktor Garbacz
5a8a25e9ac Change the default action instead of appending ALLOW
Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
2023-03-01 05:36:24 -08:00
Sandboxed API Team
90ee0a7464 Update clients of PolicyBuilder to support architectures other than x86_64.
PiperOrigin-RevId: 499424110
Change-Id: I6e7ed7436db84a65b1920f78dfc00cb2f9894b3c
2023-01-04 01:44:20 -08:00
Christian Blichmann
c3889ce379 Fix command-line handling in sandbox2tool
This addresses #164.

PiperOrigin-RevId: 483675926
Change-Id: I1461c9bb2c3865d86cd99f9285e51ce20ac460b8
2022-10-25 08:05:23 -07:00
Christian Blichmann
4c87556901 Use Abseil's log/flags instead of glog/gflags
Follow-up changes might be required to fully fix up the contrib sandboxes.

PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
2022-10-20 06:48:51 -07:00
Christian Blichmann
79b6784b82 #Cleanup: Consistently use std::make_unique
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
2022-10-12 05:23:42 -07:00
Christian Blichmann
b9c2830ebc Use new sandbox2::Comms ctor for default connection params
This change allows Sandbox2 to change how the default FD for comms is chosen.

PiperOrigin-RevId: 479526309
Change-Id: I69add85a244bc0385eaa164ab0ea3b036503c6d3
2022-10-07 02:08:20 -07:00
Sandboxed API Team
81871a98f7 Internal-only change.
PiperOrigin-RevId: 455553721
Change-Id: I923ab39b9bcd92a6a8e0dd8f95b01cc135ace919
2022-06-17 00:37:39 -07:00
Christian Blichmann
51799f99ae Introduce a transitional logging utility library
Instead of calling `google::InitGoogleLogging()` directly, introduce an
indirection via a new utility library. After this change, Sandboxed API
should consistently use `sapi::InitLogging()` everywhere.

For now, `sapi::InitLogging()` simply calls its glog equivalent. However,
this enables us to migrate away from the gflags dependency and use Abseil
flags. Once a follow-up change lands, `sapi::InitLogging()` will instead
initialize the google logging library with flags defined from Aseil.

Later still, once Abseil releases logging, we can then drop the glog
dependency entirely.

PiperOrigin-RevId: 445363592
Change-Id: Ia23a7dc88b8ffe65a422ea4d5233bba7bdd1303a
2022-04-29 02:14:06 -07:00
Christian Blichmann
6cbde854d6 #Cleanup: Consistently use char* argv[] instead of char**
PiperOrigin-RevId: 444782296
Change-Id: If8e7647be28f794392675ae001abbe9b809da0ac
2022-04-27 00:43:51 -07:00
Christian Blichmann
a60ff1a95c Remove OsErrorMessage in favor of Abseil's new ErrnoToStatus
#Cleanup

PiperOrigin-RevId: 443359044
Change-Id: I2b3e385a1846feac79edd28fcbf6e85b1429a44a
2022-04-21 06:15:38 -07:00
Christian Blichmann
839914d6dd cmake: Rename build options to follow Abseil naming
`BUILD_TESTING` is a CMake provided option and we should use similar naming,
just like how Abseil does it.

- `SAPI_ENABLE_TESTS` -> `SAPI_BUILD_TESTING`
- `SAPI_ENABLE_CONTRIB_TESTS` -> `SAPI_CONTRIB_BUILD_TESTING`
- `SAPI_ENABLE_EXAMPLES` -> `SAPI_BUILD_EXAMPLES`

Drive-by:
- Fix option name in GitHub action
PiperOrigin-RevId: 443305932
Change-Id: Ice2b42be1229a0f9ae7c2ceda9ce87187baf22c4
2022-04-21 01:17:39 -07:00
Christian Blichmann
456d9f341e Sandbox2: Check for substring in CRC4 test
PiperOrigin-RevId: 442793060
Change-Id: If2483e13a9bdab5803e949bc4b568caa9569a818
2022-04-19 06:15:34 -07:00
Oliver Kunz
44cd37c94e Make use of the new AllowPrctlSetName convenience function.
PiperOrigin-RevId: 436727461
Change-Id: Iab1945c422b8db98a220cdeacdec7c9868ea9e84
2022-03-23 06:59:40 -07:00
Wiktor Garbacz
612ff57913 Replace deprecated SetWalltimeLimit call
PiperOrigin-RevId: 433414976
Change-Id: I0597a2d8215d4b228794da409e3533651972a98c
2022-03-09 01:01:49 -08:00
Christian Blichmann
aefdb94575 Update zlib examples
- Link `zipe.c` statically (safe)
- Update policy to allow any use of `stat()`

PiperOrigin-RevId: 428971638
Change-Id: Ib0f5f496ea2389582986b41a8830592e6c1d4390
2022-02-16 00:08:28 -08:00
Christian Blichmann
4ad8484e63 Tag additional test as not compatible with QEMU user-mode emulation
PiperOrigin-RevId: 427409251
Change-Id: I5d853908353923b5b31c8bbb6152bc4f94219b45
2022-02-09 01:41:38 -08:00
Christian Blichmann
d451478e26 Change license link to HTTPS URL
PiperOrigin-RevId: 424811734
Change-Id: If5ea692edc56ddc9c99fd478673df41c0246e9cc
2022-01-28 01:39:09 -08:00
Wiktor Garbacz
4a945a1748 Replace deprecated calls
PiperOrigin-RevId: 423037776
Change-Id: Id568d54854dde3778686b778648555e0b48204bc
2022-01-20 04:40:23 -08:00
Wiktor Garbacz
99b56fee19 Remove redundant glog dependency for sandbox2::sanitizer
PiperOrigin-RevId: 421500119
Change-Id: I720a3efef52868099d388685abee45be887ba430
2022-01-13 01:15:50 -08:00
Christian Blichmann
aa3f60148c Do not run static test on AArch64 user mode emulation
PiperOrigin-RevId: 417556328
Change-Id: Ib04b3c6bbe8e5fcece11652c7a751a319899b73c
2021-12-21 00:17:22 -08:00
Christian Blichmann
354cbe89f9 Add more convenience functions to PolicyBuilder
- Allow to specify multiple syscalls with `BlockSyscallsWithErrno()`
- Add functions to allow `unlink()` and `rename()` in all their spellings

PiperOrigin-RevId: 414987303
Change-Id: Ic0e680b785e8e3a3498f20e6a7403737e63fe876
2021-12-08 06:41:21 -08:00
Wiktor Garbacz
c3308b56fc Replace deprecated AddTmpfs call
PiperOrigin-RevId: 413907279
Change-Id: I3a32be4b19acab8b2b2092961df3dd9f3699261b
2021-12-03 04:56:40 -08:00
Christian Blichmann
85a463372f Sandbox2: Mark tests that won't run under QEMU user emulation
PiperOrigin-RevId: 412861975
Change-Id: I0f168bc71b5738ed55b836f148ded94bf397d27d
2021-11-29 05:20:48 -08:00
Christian Blichmann
2c42654333 Improve examples
- CRC4: More readable policy, added explanatory comment
- Use `AllowLlvmSaniters()` in policies

PiperOrigin-RevId: 402296504
Change-Id: I6853199abedf2441eaffff9186d4d354c142e485
2021-10-11 07:50:27 -07:00
Christian Blichmann
221e929018 Include shell-based tests in OSS builds
These were previously dependent on an internal-only testing target.

For now, this only works with Bazel, but should enable us to have better test coverage in GitHub actions.
Eventually, all of these shell-based tests should be converted to `cc_test`s.

PiperOrigin-RevId: 400713615
Change-Id: I1cabb5b72977987ef4a1803480f699b58c4d56e9
2021-10-04 07:18:36 -07:00
Christian Blichmann
98e590463b Internal change
PiperOrigin-RevId: 400144449
Change-Id: Ic0cbd6a3b27012cfb406694bdf2944a5b9905580
2021-10-04 07:18:06 -07:00
Christian Blichmann
f6d9e7fd7c Fix warning about multi-line comment
PiperOrigin-RevId: 399648071
Change-Id: I793a640310d772804726527761ad911772ff19c6
2021-09-29 03:44:32 -07:00
Sandboxed API Team
fb81c00fd1 Replace auto with explicit type declarations
PiperOrigin-RevId: 399419917
Change-Id: I4b7acd8ab6e2542e2971b29bed0745378b2b6743
2021-09-28 05:50:57 -07:00
Christian Blichmann
ccd7b03026 Introduce sapi::OsErrorMessage() for error handling
This should make handling OS error less repetetive.

PiperOrigin-RevId: 387074642
Change-Id: I09b8c5e37e7f7b08341e22ba01ccda21a916a4bc
2021-07-27 04:10:04 -07:00
Christian Blichmann
d73f80cfa5 Enable AArch64 syscalls in examples
PiperOrigin-RevId: 375923215
Change-Id: I9523a074579975379b1a9d4644497268781499e1
2021-05-26 05:47:37 -07:00
Wiktor Garbacz
298271f0a7 Deprecate IPC::comms()
PiperOrigin-RevId: 358380648
Change-Id: Iaf8f7dc0890be0e7e910649c6f519504f6b0a1a5
2021-02-19 04:43:14 -08:00
Christian Blichmann
55a8373ec3 Avoid sanitizer macros use Abseil's where necessary
Using C++17 means we can get rid of many `#ifdef`s by using `if constexpr`.
This way, we ensure that both branches compile and still retain zero runtime
overhead.

Note that open source builds of Sandboxed API do not ship with sanitizer
configurations yet. This will be added in follow-up changes.

PiperOrigin-RevId: 354932160
Change-Id: I3678dffc47ea873919f0a8c01f3a7d999fc29a5b
2021-02-01 07:11:15 -08:00
Christian Blichmann
75bbd0e1c1 Internal change
Only externally visible changes should be a few changed includes as well as
some formatting changes.

PiperOrigin-RevId: 353226662
Change-Id: Iebf5be13774efcbd94c5d5a17b9b27e47275b229
2021-01-22 06:01:34 -08:00
Christian Blichmann
19fd11b91e Move GetInternalDataDependencyFilePath() into internal namespace
Implements #79

PiperOrigin-RevId: 351778836
Change-Id: I726837d8e75880bf5ddfb1a327249dd666adec53
2021-01-14 05:11:22 -08:00
Christian Blichmann
dbaf95c724 Move utility code into sandboxed_api/util
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.

Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.

PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
2021-01-13 09:25:52 -08:00
Wiktor Garbacz
451c24c1c4 Fix fd leak
Support swapping and move assignment in FDCloser

PiperOrigin-RevId: 351119550
Change-Id: I9865d2fcad029a440cab60328b8731f8e1dc340f
2021-01-11 03:33:27 -08:00
Christian Blichmann
507010781a Follow-up with more build fixes
Because any change that touches continuous integration needs a companion o.O

PiperOrigin-RevId: 347769780
Change-Id: I20525aaac2ce41c48f619b641baa31e880432e50
2020-12-16 00:09:28 -08:00
Anton D. Kachalov
0e8d16e011 Enable shared libraries build and cross-compilation
This allows resource-constrained environments to benefit from the
space savings of dynamic linking. This is not meant to be used in
the general case.

PiperOrigin-RevId: 347398828
Change-Id: Ia634959148a31159878f48c44255dd733424a2b8
2020-12-14 09:16:14 -08:00
Wiktor Garbacz
742fafa433 Prefixed (unique) names for executables in cmake
PiperOrigin-RevId: 347335966
Change-Id: Ic8cc22b882fa489d37b636406a1a5fe51745d808
2020-12-14 01:13:31 -08:00
Christian Blichmann
21f7373e76 Initial changes to support AArch64
This is a work in progress:
- Syscall tables need work
- Only tested on real hardware using one of our test hosts

As a drive-by, this change also enables the open source version to function on
POWER.

Another side-effect of this change is that the default policies no longer
check for different host architectures at runtime. On x86_64, we do not need
to check for PPC or AArch64 specifice and vice versa.

PiperOrigin-RevId: 331137472
Change-Id: Ic6d6be5cbe61d83dbe13d5a0be036871754b2eb8
2020-09-11 06:34:27 -07:00
Christian Blichmann
fdf0483ca0 Migrate to open-source absl::StatusOr<>
This removes our own fork of `absl::StatusOr<>`. Sandboxed API still includes
a custom matcher for Googletest, as that is not open source yet. For
compatibility, the `statusor.h` header is still retained and now aliases
`sapi::StatusOr<>` to `absl::StatusOr<>`.

PiperOrigin-RevId: 329916309
Change-Id: I0544b73a9e312dce499bc4128c28457e04ab9929
2020-09-03 07:40:48 -07:00