- Bazel: Use "incompatible" flag to fix fully static linking. The flag will
become the default in Bazel 4.0.
- Bazel: Deduplicate features into `FULLY_STATIC_FEATURES` variable
- CMake: Remove the testcase properties. `sapi::base` already sets
`POSITION_INDEPENDENT_CODE`. Note that `-pie` is incompatible with `-static`
and `-static-pie` requires GCC 8 and GLIBC 2.27.
PiperOrigin-RevId: 346952478
Change-Id: I7a317c90a3bec9691b13df1a00e3fddf4481df4d
The default policy causes immediate termination of a sandboxee that
calls `bpf`(2).
This does not allow for try-call use of `bpf()` to test for optional
features.
To support such try-call use cases, sandboxes would like to say:
```
sandbox2::PolicyBuilder builder;
builder.BlockSyscallWithErrno(__NR_bpf, EPERM);
```
but this doesn't work because the default policy unconditionally treats
`bpf()` as a sandbox violation.
Remove the bpf violation check from the policy if `bpf()` is explicitly
blocked with an errno.
PiperOrigin-RevId: 345239389
Change-Id: I7fcfd3a938c610c8679edf8e1fa0238b32cc9db4
The lookup is not on the hot path and this removes the SYSCALLS_UNUSED macros.
PiperOrigin-RevId: 344240762
Change-Id: I324bd798945851ac0b92e257206525eab4ec36e5
Updates syscall arguments mostly according to this list and more recent kernel sources:
https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#x86_64-64_bit
The list includes some more syscalls that were recently added.
Follow-up changes will do the same for x86-32, POWER and AArch64.
PiperOrigin-RevId: 341016698
Change-Id: If1771fd37a47b227ca8f572704a64190e4621a38
No need for the smart pointer indirection when an `std::vector` can also hold
the BPF policy.
PiperOrigin-RevId: 340809220
Change-Id: I8a63567e8042d9ff875cba739e8552db87b6901a
- Use a `constexpr inline` string constant for the forkserver env var
- Add annotation for the comms channel mutex
PiperOrigin-RevId: 335395005
Change-Id: Ic058c19c3704f182aa7ed7b8e8964b2fc5082800
This is a work in progress:
- Syscall tables need work
- Only tested on real hardware using one of our test hosts
As a drive-by, this change also enables the open source version to function on
POWER.
Another side-effect of this change is that the default policies no longer
check for different host architectures at runtime. On x86_64, we do not need
to check for PPC or AArch64 specifice and vice versa.
PiperOrigin-RevId: 331137472
Change-Id: Ic6d6be5cbe61d83dbe13d5a0be036871754b2eb8
This allows us to remove some uses of macros.
Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics
PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
This removes our own fork of `absl::StatusOr<>`. Sandboxed API still includes
a custom matcher for Googletest, as that is not open source yet. For
compatibility, the `statusor.h` header is still retained and now aliases
`sapi::StatusOr<>` to `absl::StatusOr<>`.
PiperOrigin-RevId: 329916309
Change-Id: I0544b73a9e312dce499bc4128c28457e04ab9929
- Drop `delim` argument from the `GetStackTrace()` family of functions.
We only ever used plain spaces.
- Use an `std::vector<std::string>` for the symbolized stack frames and
adjust the unwind proto accordingly.
This change now prints each stack frame on its own line while skipping
duplicate ones:
```
I20200717 11:47:16.811381 3636246 monitor.cc:326] Stack trace: [
I20200717 11:47:16.811415 3636246 monitor.cc:337] map:/lib/x86_64-linux-gnu/libc-2.30.so+0xceee7(0x7fb871602ee7)
I20200717 11:47:16.811420 3636246 monitor.cc:337] Rot13File+0x130(0x55ed24615995)
I20200717 11:47:16.811424 3636246 monitor.cc:337] ffi_call_unix64+0x55(0x55ed2461f2dd)
I20200717 11:47:16.811429 3636246 monitor.cc:337] map:[stack]+0x1ec80(0x7ffee4257c80)
I20200717 11:47:16.811455 3636246 monitor.cc:339] (last frame repeated 196 times)
I20200717 11:47:16.811460 3636246 monitor.cc:347] ]
```
PiperOrigin-RevId: 322089140
Change-Id: I05b0de2f4118fed90fe920c06bbd70ea0d1119e2
Initializing `absl::Span`s like by assigning them from a temporary
array leaves them pointing to invalid data. Due to the way the linker
initializes these constant tables, _most_ of them will still be valid
_most_ of the time, leading to crashes when running sandboxees with the
`--sandbox2_danger_danger_permit_all_and_log` option.
PiperOrigin-RevId: 321112099
Change-Id: I891118da08cbb6000b3e2e275618bc4edaa1d020
Otherwise ExecuteProcess is implicitly `[[noreturn]]` and this
might cause policy violations in `__asan_handle_no_return`
for ASAN builds.
PiperOrigin-RevId: 319203128
Change-Id: I5c8ba71ce88261f803aa3f16730eccea0d803dd1
- Extract dependent types directly from the Clang AST and re-serialize
back into compilable code
- Collect types and emit diagnostics
- Format generated code
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
Similar to what the Bazel build does, this change adds zlib as an additional
dependency when `SAPI_ENABLE_EXAMPLES` is set to `ON`.
PiperOrigin-RevId: 309203959
Change-Id: I201a9e6415789afb1e058bc48cebbc0fc0004fe9
BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning.
PiperOrigin-RevId: 309173849
Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
When embedding SAPI in an external CMake project, the version of
`protobuf_generate_cpp` that we lifted from upstream protobuf produces
the wrong generated file paths.
For example, given this project structure:
```
/parent/
+-- myproject/
+-- myproject_build/ <- CMake build directory
+-- sandboxed-api/ <- Checkout from GitHub
```
And a CMake file in `myproject/CMakeLists.txt` that embeds SAPI like
this:
```
cmake_minimum_required(VERSION 3.12)
project(SandboxedTest LANGUAGES CXX)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)
add_subdirectory(
${PROJECT_SOURCE_DIR}/../sandboxed-api
${PROJECT_BINARY_DIR}/sandboxed-api
)
```
Then `protobuf_generate_cpp` correctly invokes the protoc compiler to
generate
`/parent/myproject_build/sandboxed-api/sandboxed_api/proto_arg.proto.pb.cc'.
However, the path of the generated source file that is passed to the C++
compiler will be
`/parent/myproject_build/sandboxed-api/sandboxed_api/../../myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.
Note the duplicated project build directory component in the
canonicalized version:
`/parent/myproject_build/myproject_build/sandboxed-api/sandboxed_api/proto_arg.pb.cc`.
This change simple omits the computation of any relative file paths and
simply uses `_pb_PROTOC_OUT_DIR` which defauls to
`CMAKE_CURRENT_BINARY_DIR`, which should always contain the correct
path.
Signed-off-by: Christian Blichmann <mail@blichmann.eu>
Created documentation for network proxy. fixed 2 things in documentation (namespaces are enabled by default for a while).
PiperOrigin-RevId: 300321016
Change-Id: Id9c54b29551e8d3b70e814e2fdbfee594126aa90
Sending -1 as fd will fail and take forkserver down.
This should not happen normally so turned it into a check.
PiperOrigin-RevId: 285391908
Change-Id: Idbb05004c36cb0be57be1bd26df1c57cecfb0019
This addresses a latency issue - chroot_fs_refs called inside pivot_root
in the kernel can take several milliseconds on machines with many threads
running.
This might not always reduce latency for custom forkservers, as additional
fork can be more costly than pivot_root.
PiperOrigin-RevId: 281306284
Change-Id: If503ac76a70e5438e94caf708d79cb0219c66def
The previous one was not quite correct in cases where the outside binary path
did not match the inside path. This should be fixed with this.
PiperOrigin-RevId: 276075886
Change-Id: I1c7c4fa0191960437a2d2360b805c7098b1407c9
Caused failures if root is mounted as nodev, nosuid etc.
Root is pivoted and unmounted right after this anyhow.
PiperOrigin-RevId: 273707731
Change-Id: I75f1edaf2877c096e4f5bb7dc1b2bb8eb5c437a3