Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.
As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace
Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729
To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:
```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```
The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.
PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
This is needed for some compiler versions where `absl::string_view` == `std::string_view`.
PiperOrigin-RevId: 367392064
Change-Id: Id91d23510501df4745f386475ef9049d94062e1b
This changes the workflow definition so that we always try to install
compiler toolchains that we need.
See https://github.com/actions/virtual-environments/issues/2950 for more
context.
Drive-by:
- Mini fix to enable compilation under Clang 6.0
Signed-off-by: Christian Blichmann <cblichmann@google.com>
Now unwinding will properly handle binaries inside bind-mounted directories.
Drive-by:
- Get rid of n^2 path handling
- Get rid of namespace alias
PiperOrigin-RevId: 358353666
Change-Id: Ieec7690ec6a1ae6d358de375220566b69e8cb094
Using C++17 means we can get rid of many `#ifdef`s by using `if constexpr`.
This way, we ensure that both branches compile and still retain zero runtime
overhead.
Note that open source builds of Sandboxed API do not ship with sanitizer
configurations yet. This will be added in follow-up changes.
PiperOrigin-RevId: 354932160
Change-Id: I3678dffc47ea873919f0a8c01f3a7d999fc29a5b
Also accept `absl::string_view` and `absl::Span<const std::string>` arguments.
Drive-by:
- Move using declaration into namespace
PiperOrigin-RevId: 354271016
Change-Id: Iadd873377e51cac7fa3800aab1f9e85ff94bd4e9
Only externally visible changes should be a few changed includes as well as
some formatting changes.
PiperOrigin-RevId: 353226662
Change-Id: Iebf5be13774efcbd94c5d5a17b9b27e47275b229
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.
Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.
PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
This change enables support for 32-bit ARM, as used by embedded controllers and older phones.
Note: This does not support 32-bit sandboxees on AArch64. Both sandboxee and host code must have the same bitness.
PiperOrigin-RevId: 347835193
Change-Id: I6395882677530f9862f118d2dc10230a61049836