Commit Graph

33 Commits

Author SHA1 Message Date
Christian Blichmann
ca6ec4337d Add workaround for active Tomoyo LSM
Recenly, Debian based distribution kernels started activating the Tomoyo Linux
Security Module by default. Even if it is not used, this changes the behavior
of `/dev/fd` (pointing to `/proc/self/fd` by default), which Sandbox2 needs during
`execveat()`.

As a result, Sandbox2 and Sandboxed API always fail without one of the following
conditions
- `/proc` mounted within the sandboxee
- `/dev` mounted
- `/dev/fd` symlinked to `/proc/self/fd` in the sandboxee's mount namespace

Some code pointers to upstream Linux 5.12.2:
- https://elixir.bootlin.com/linux/v5.12.2/source/fs/exec.c#L1775
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/tomoyo.c#L107
- https://elixir.bootlin.com/linux/v5.12.2/source/security/tomoyo/domain.c#L729

To find out whether your system has Tomoyo enabled, use this command, similar to
what this change does in code:

```
$ cat /sys/kernel/security/lsm | grep tomoyo && echo "Tomoyo active"
capability,yama,apparmor,tomoyo
Tomoyo active
```

The config setting `CONFIG_DEFAULT_SECURITY` controls which LSMs are built into
the kernel by default.

PiperOrigin-RevId: 372919524
Change-Id: I2181819c04f15f57d96c44ea9977d0def4a1b623
2021-05-10 07:04:04 -07:00
Catalin Patulea
4344bbceba Add optional VLOG(1) for additional process info on Syscall Violation.
PiperOrigin-RevId: 368900451
Change-Id: I331d0e239e2f3176c435bd42012d155d60d0b1ac
2021-04-16 12:43:08 -07:00
Catalin Patulea
d5bd1cb38f Pretty-print ptrace event name on WIFSTOPPED.
PiperOrigin-RevId: 368688417
Change-Id: I4368268f1b05148213010768a6d4eaa87211ea45
2021-04-15 12:02:11 -07:00
Christian Blichmann
dbaf95c724 Move utility code into sandboxed_api/util
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.

Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.

PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
2021-01-13 09:25:52 -08:00
Christian Blichmann
c3ac45be3e Reimplement raw logging to avoid Abseil internals
The defined raw logging macros should be compatible with Abseil and
we can remove our version once Abseil releases theirs.

PiperOrigin-RevId: 347354273
Change-Id: I178a89cfd2e19bcd707a06fa9dfd7b767e2b654b
2020-12-14 03:34:02 -08:00
Christian Blichmann
6a1e4b881c Introduce config header to centralize CPU architecture checks
This allows us to remove some uses of macros.

Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
  processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics

PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
2020-09-10 05:48:00 -07:00
Christian Blichmann
eb62bae167 Refactor stack trace handling
- Drop `delim` argument from the `GetStackTrace()` family of functions.
  We only ever used plain spaces.
- Use an `std::vector<std::string>` for the symbolized stack frames and
  adjust the unwind proto accordingly.

This change now prints each stack frame on its own line while skipping
duplicate ones:

```
I20200717 11:47:16.811381 3636246 monitor.cc:326] Stack trace: [
I20200717 11:47:16.811415 3636246 monitor.cc:337]   map:/lib/x86_64-linux-gnu/libc-2.30.so+0xceee7(0x7fb871602ee7)
I20200717 11:47:16.811420 3636246 monitor.cc:337]   Rot13File+0x130(0x55ed24615995)
I20200717 11:47:16.811424 3636246 monitor.cc:337]   ffi_call_unix64+0x55(0x55ed2461f2dd)
I20200717 11:47:16.811429 3636246 monitor.cc:337]   map:[stack]+0x1ec80(0x7ffee4257c80)
I20200717 11:47:16.811455 3636246 monitor.cc:339]   (last frame repeated 196 times)
I20200717 11:47:16.811460 3636246 monitor.cc:347] ]
```

PiperOrigin-RevId: 322089140
Change-Id: I05b0de2f4118fed90fe920c06bbd70ea0d1119e2
2020-07-20 00:24:40 -07:00
Sandboxed API Team
a5d931ec5f Qualify uses of std::string
PiperOrigin-RevId: 297528932
Change-Id: I750c43e356be55a5bd37a8bb59d998238bd8f1bb
2020-02-27 00:03:55 -08:00
bielec
5a4e3f3d29 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 296206385
Change-Id: I53b23122abece1fe318ed4c6a7e37bf3228c8f5f
2020-02-20 07:45:44 -08:00
Sandboxed API Team
05280287e0 Automated rollback of commit 800339d672.
PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
2020-02-17 10:39:08 +01:00
bielec
800339d672 Now network proxy server supports IP filtering. API to policybuilder is added to make a list of allowed pairs of allowed IP, mask and port where mask and port are optional.
PiperOrigin-RevId: 294640297
Change-Id: I4c6520685a658f8b7762af238588830f71b3f54a
2020-02-17 10:38:44 +01:00
Christian Blichmann
441201884a Update license header with recommended best practices
PiperOrigin-RevId: 290250533
Change-Id: Ic34b253446463cf971a055b70a242df93a598ee3
2020-01-17 05:05:29 -08:00
Sandboxed API Team
3e442b252c Allow stack trace collection when namespaces are disabled, if sandbox_libunwind_crash_handler==false.
PiperOrigin-RevId: 288267119
Change-Id: I5fce1b28521d3d685186717f153f20fb498c94e2
2020-01-06 02:34:03 -08:00
Wiktor Garbacz
e969deea33 Global deadline for ptrace attach instead of per process
PiperOrigin-RevId: 286196033
Change-Id: Ic456b881c18518c4b52ca051fa5c58590794da17
2019-12-18 08:23:55 -08:00
Wiktor Garbacz
d43d09c746 fail soft if sandboxee exits before init is ptraced
PiperOrigin-RevId: 270254470
Change-Id: Ifa13f4fe0e7ae91b79fc689e1d7dcb2a49b09cde
2019-09-20 06:13:44 -07:00
Wiktor Garbacz
da3c6c138e Fail in monitor if init process pid not received
PiperOrigin-RevId: 266886637
Change-Id: I4e896ebda8d9e15d0aefcb4139c8dc07ab938502
2019-09-03 02:37:09 -07:00
Christian Blichmann
2dd7d27952 Fix unused variable warning in monitor
PiperOrigin-RevId: 265439933
Change-Id: Idc62e0e1640bd2b866bd1a6f3c60370ae1b70592
2019-08-26 06:03:03 -07:00
Christian Blichmann
747ccb57e8 Rename stack-trace{.h,.cc,._test.cc} to use underscores
PiperOrigin-RevId: 257144753
Change-Id: I4ce0dffad552c25b61102adfb1c03b8aea427dd9
2019-07-09 01:32:25 -07:00
Christian Blichmann
ffd4e1270a Internal change
PiperOrigin-RevId: 251590551
Change-Id: Ic69f8f5f798006c0d096357b7a746cdc4ce530a3
2019-06-05 00:26:14 -07:00
Wiktor Garbacz
71a317e65f Do not emit an error on ESRCH in PTRACE_CONT
Process might be killed between waitpid and PTRACE_CONT,
even though a PTRACE_EVENT_EXIT will be gererated, continuing
will fail with ESRCH in that case.

PiperOrigin-RevId: 249245726
Change-Id: Ib673529229a306d2266fa60caa3039b6bcd80a65
2019-05-21 07:30:56 -07:00
Wiktor Garbacz
15993a34e2 Log stack traces with INFO instead of ERROR
PiperOrigin-RevId: 249035379
Change-Id: Ie62366f45f29741ee0c8b25369d0bb169275ccfd
2019-05-20 06:16:50 -07:00
Wiktor Garbacz
34d17b77ac Remove dead code
IPC always creates comms object from a fd.

PiperOrigin-RevId: 248683525
Change-Id: Ib4285ec0494d551257237c12f92f983b943205cb
2019-05-17 02:02:03 -07:00
Wiktor Garbacz
8678af23d0 Extract GetRlimitName into util
PiperOrigin-RevId: 248682931
Change-Id: I702533a8d36465de956a1a90a40c634434b7a671
2019-05-17 01:55:35 -07:00
Wiktor Garbacz
6e1c3c3055 Fix prlimit error message
PiperOrigin-RevId: 248491089
Change-Id: Id4116939d02b6a592c74218955675acf2e3c70fe
2019-05-16 02:24:59 -07:00
Wiktor Garbacz
7294e9976e Replace custom synchronization with absl::Notification
PiperOrigin-RevId: 248334969
Change-Id: I7614a3792babd399912c5d5a167ab5e0a0574d20
2019-05-15 08:09:56 -07:00
Wiktor Garbacz
6588aa2a68 Reintroduce monitor changes.
Signal handling in Monitor::MainLoop was fixed.

PiperOrigin-RevId: 248331692
Change-Id: I0f85d319802258632d2074742c53597bb922555a
2019-05-15 07:46:49 -07:00
Christian Blichmann
5f3c7171b7 Use Abseil's flag library released in aa468ad75539619b47979911297efbb629c52e44
PiperOrigin-RevId: 247424939
Change-Id: I22a4696f705f9dcfa7394b329c78bd126f42bd16
2019-05-09 07:57:55 -07:00
Sandboxed API Team
63f0adbfbb Revert of monitor code update.
PiperOrigin-RevId: 247255592
Change-Id: I3656ea1628418321b1b8b02660b6a51a58c2c61f
2019-05-08 11:34:26 -07:00
Wiktor Garbacz
3f5360a7bc Simplify monitor code.
Make setting result code the condition for main loop exit.

PiperOrigin-RevId: 247218505
Change-Id: I8699012683bc301e8a9f4f41cd5ab018e3cd514c
2019-05-08 08:34:56 -07:00
Sandboxed API Team
f29a5a81ed Print final FS mounts in sandboxee's chroot
After all requested filesystem mounts are fully mounted under a sandboxee's virtual chroot, print a list of the outside paths and a list of the inside chroot paths that the outside paths are mapped to. This provides a valuable insight while debugging sandboxed binaries.

PiperOrigin-RevId: 247130923
Change-Id: I42b4b3db68d826587c0fe8127aabbead38bc6f20
2019-05-07 18:30:13 -07:00
Christian Blichmann
f04be9276f Formatting fixes and include file hygiene.
PiperOrigin-RevId: 240346890
Change-Id: I1a9617f10a62a848b6314a6196512e016ae02643
2019-03-26 07:54:21 -07:00
Sandboxed API Team
5aa13876a4 Formatting fixes.
PiperOrigin-RevId: 239159980
Change-Id: Ic6185368392622bf3f4c661e37f6b9fcca0d60a6
2019-03-19 03:41:32 -07:00
Christian Blichmann
177b969e8c
Sandboxed API OSS release.
PiperOrigin-RevId: 238996664
Change-Id: I9646527e2be68ee0b6b371572b7aafe967102e57

Signed-off-by: Christian Blichmann <cblichmann@google.com>
2019-03-18 19:00:48 +01:00