Commit Graph

1178 Commits

Author SHA1 Message Date
Wiktor Garbacz
cd945565f5 Run more tests with coverage and sanitizers
Running with a permissive test policy should not interfere with sanitizers
or coverage.
Most tests should run with such a permissive policy.
The exception are tests which actually tests policy enforcement.

PiperOrigin-RevId: 513548936
Change-Id: I9a4c2cc8074997cff08cc22d15f4736219ce4d63
2023-03-02 08:46:07 -08:00
Wiktor Garbacz
a613dda7f2 Test stack unwinding more thoroughly
Check unwinding recursive calls.
Verify we can unwind in absence of unwind tables.

PiperOrigin-RevId: 513506498
Change-Id: Ib87240b7481dae3a4513c944e17a7924a54926e9
2023-03-02 05:09:49 -08:00
Wiktor Garbacz
0033c4563f Remove unused UnwindResult.ip, reuse RunLibUnwindAndSymbolizer
PiperOrigin-RevId: 513482530
Change-Id: I50b24619af77a245088d489052f41f370a4d720b
2023-03-02 02:40:15 -08:00
Wiktor Garbacz
d74dac096a Rework stack_trace_test
PiperOrigin-RevId: 513467290
Change-Id: Iab630412052fa5e7333514f3864ebdfb7f10e1ef
2023-03-02 01:25:38 -08:00
Wiktor Garbacz
dfe0b9aa6d Remove leftover DangerDefaultAllowAll
PiperOrigin-RevId: 513466766
Change-Id: I02b237c6900962c04ec41be9cbba9b9e6a8242a6
2023-03-02 01:22:36 -08:00
Wiktor Garbacz
5a8a25e9ac Change the default action instead of appending ALLOW
Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
2023-03-01 05:36:24 -08:00
Wiktor Garbacz
fbfbd13adf Add frame pointer unwinding fallback
PiperOrigin-RevId: 513193320
Change-Id: I0ade55e0d1fae6d33794ccd064766a18f0c86cd6
2023-03-01 03:55:15 -08:00
Juan Vazquez
e11109c9ee Internal change
PiperOrigin-RevId: 512922245
Change-Id: Ibc6d769f2f6b15971b95878c8fdb8d4664fbf2df
2023-02-28 07:01:07 -08:00
Juan Vazquez
6aa97f5394 Internal changes
PiperOrigin-RevId: 512905076
Change-Id: I780e8d6bfcfc94da5e8744146e6c1de153c329f9
2023-02-28 05:34:07 -08:00
Juan Vazquez
bd14f6818d Add field to track policy source location
PiperOrigin-RevId: 512070278
Change-Id: I959a57e296d9b999c4ee3086bc814d7d55484722
2023-02-24 07:55:23 -08:00
Wiktor Garbacz
e1246332d1 Rename and move CreateDirRecursive
PiperOrigin-RevId: 510186053
Change-Id: I0e68cc8fff44780ab98f1d57f829ff900790eed5
2023-02-16 10:44:01 -08:00
Wiktor Garbacz
6db17e7ab3 Use namespaced policy in most tests
Drive-by some test cleanups.

PiperOrigin-RevId: 510134967
Change-Id: I40328a644690865c5cc0a0eb265222ebf7ff83e0
2023-02-16 07:12:46 -08:00
Wiktor Garbacz
71692bb50b Decouple sandboxed stack tracing
This allows to split monitor & stack_trace related targets.
Also move stack traces related functionality into MonitorBase.

PiperOrigin-RevId: 510112916
Change-Id: I60eabf9c9b3204dc369713edd8ae05fded306875
2023-02-16 06:07:15 -08:00
Wiktor Garbacz
d2dbbbae76 Remove redundant tests
UID/GID is checked in namespace test and open fds in santizier test

PiperOrigin-RevId: 510084559
Change-Id: I1aac4d30d44aa2390447f24d228afbb1c3b04e2b
2023-02-16 02:28:52 -08:00
Wiktor Garbacz
3f53e81d0b Remove unused dependency
PiperOrigin-RevId: 509890467
Change-Id: I0189fca5efa93a9e67f6f07eac44793cd17dcfc3
2023-02-15 11:35:14 -08:00
Wiktor Garbacz
e4c0d91e69 Remove leftover debug log
PiperOrigin-RevId: 509473001
Change-Id: I37e1ca609489ed9e2f3303efda3d955ad8408237
2023-02-14 02:51:21 -08:00
Wiktor Garbacz
a5d12903dd Extract SandboxeeProcess and move it down the call chain
PiperOrigin-RevId: 507718207
Change-Id: Ia1f6fc2f09abbde5311f8dc0f596aa605989140d
2023-02-07 02:22:45 -08:00
Wiktor Garbacz
f289855867 Update IfThenChange after monitor split
PiperOrigin-RevId: 506591092
Change-Id: Idf3c0d00e88c622a565fe056b2b12fca27c4b819
2023-02-02 05:17:03 -08:00
Wiktor Garbacz
34b2f6bc90 Remove AllowUnsafeKeepCapabilities()
PiperOrigin-RevId: 506586347
Change-Id: I859a1f695ffbcf3b982a26df425c6b4e03c62da1
2023-02-02 04:47:02 -08:00
Wiktor Garbacz
8f24f2a4f0 Split PtraceMonitor into separate file
PiperOrigin-RevId: 505660957
Change-Id: I6b8fcbb86c9fef294b6d19e2d1ec7120415f843b
2023-01-30 05:09:20 -08:00
Wiktor Garbacz
97d67019d2 Split out policybuilder target
PiperOrigin-RevId: 505053801
Change-Id: Ic0ea4aa2334394e310af6d3a11f961bd4866f9dc
2023-01-27 01:24:51 -08:00
Wiktor Garbacz
4450c5513f Bazel: Do not expose regs.h
PiperOrigin-RevId: 505047592
Change-Id: I207cf46c3f75d0a24cf753888e0cdba53d4193b0
2023-01-27 00:43:38 -08:00
Wiktor Garbacz
f636cd86d6 Split PtraceMonitor out of Monitor
This is a preparatory step to introduce a Sandbox2 mode that does not use ptrace.

PiperOrigin-RevId: 503919613
Change-Id: I446adecc66e697c592ad938627fbfdbea12516e1
2023-01-23 01:42:28 -08:00
Sandboxed API Team
93ef7eb380 Explicitly close the output stream.
PiperOrigin-RevId: 503904221
Change-Id: Iee1899d80190a314c9c83f0a69e5fac76494cd92
2023-01-23 00:06:57 -08:00
Sandboxed API Team
8c107936da Internal BUILD changes
PiperOrigin-RevId: 503417314
Change-Id: Ib368f5600ef39d2ee37fc8c71108d6d11f109328
2023-01-20 05:14:47 -08:00
Sandboxed API Team
adb90a14a0 Internal BUILD changes
PiperOrigin-RevId: 503412719
Change-Id: Idecf094c8c7c8956a9f000204c90ed83d6df599d
2023-01-20 04:43:10 -08:00
Wiktor Garbacz
8bf9868ec3 Protobuf doesn't directly support heterogeneous lookup with absl::string_view
If the platform does not have `std::string_view` (i.e. `absl::string_view` is not an alias of `std::string_view`) the lookup will cause build failure.

PiperOrigin-RevId: 503159858
Change-Id: Ide8229ae0219d1cb6f3b36aba26da8d53183bc4b
2023-01-19 07:32:03 -08:00
Wiktor Garbacz
2f64d3d925 stack_trace: pass fd to sandboxee's memory instead of using process_vm_readv
Libunwind sandbox no longer needs to join sandboxee's userns.
This cleans up a lot of special handling for the libunwind sandbox.

PiperOrigin-RevId: 503140778
Change-Id: I020ea3adda05ae6ff74137b668a5fa7509c138f8
2023-01-19 05:44:50 -08:00
Wiktor Garbacz
f87b6feb18 stack_trace: do not add common libraries when not a custom fork-server
Avoids duplicate entries warnings and tightens the namespace.
Drive-by: modernize the policy.
PiperOrigin-RevId: 503108939
Change-Id: If34d23dd83ca39682799dfb36bd0b9b9ceb19fdc
2023-01-19 02:47:49 -08:00
Sandboxed API Team
bc6937ac82 Add logging of stack traces of all threads that were terminated by a signal or
when the sandboxee did not exit normally.
Disabled by default, enabled with a flag.

PiperOrigin-RevId: 502807175
Change-Id: Icb5236cbfac0168a2d855c68967f7a1e8bd13fe3
2023-01-18 01:45:01 -08:00
Wiktor Garbacz
58c3f80d57 Allow MADV_HUGEPAGE used by tcmalloc
PiperOrigin-RevId: 501815420
Change-Id: I22d6408e4e6ca375823b7b9448547cc082fe5421
2023-01-13 04:41:22 -08:00
Wiktor Garbacz
2ae5370cfb Full syscall info in Result::ToString
PiperOrigin-RevId: 501522999
Change-Id: I90c63984c053a5e7deaf4b7619e70c360cc892bb
2023-01-12 03:57:44 -08:00
Dmitri Gribenko
858c407521 Replace llvm::makeArrayRef with ArrayRef constructors.
LLVM upstream is about to deprecate and remove llvm::makeArrayRef.

PiperOrigin-RevId: 501106516
Change-Id: Ice610c7e0190dc8608339de1b88b7a05e7771871
2023-01-10 15:14:03 -08:00
Sandboxed API Team
f086c39f42 Update clients of PolicyBuilder to support architectures other than x86_64.
PiperOrigin-RevId: 500181306
Change-Id: Ibf3e5e3ac6214394f2d9ab10cf30de6d8396988d
2023-01-06 14:31:59 -08:00
Sandboxed API Team
1871b173c4 Add __NR_faccessat2 to the list of syscalls allowed by AllowAccess().
PiperOrigin-RevId: 500105471
Change-Id: Ic43c608a511617ba9ca8c2cba440cd709ae80a19
2023-01-06 00:16:46 -08:00
Sandboxed API Team
756176f206 On new process, check for the clone3 syscall.
PiperOrigin-RevId: 499918752
Change-Id: I7279e76593976c224a15be901834bf6225aebe85
2023-01-05 10:02:09 -08:00
Sandboxed API Team
90ee0a7464 Update clients of PolicyBuilder to support architectures other than x86_64.
PiperOrigin-RevId: 499424110
Change-Id: I6e7ed7436db84a65b1920f78dfc00cb2f9894b3c
2023-01-04 01:44:20 -08:00
Wiktor Garbacz
00d42577d5 Use CLONE_VM for starting the global forkserver
PiperOrigin-RevId: 499192311
Change-Id: I054385e9cab5e4987b0f34ab3b763244356405c2
2023-01-03 05:36:40 -08:00
Wiktor Garbacz
2d52191c24 Define PR_SET_VMA* if undefined
PiperOrigin-RevId: 497161397
Change-Id: I65fc11a7ccf34ffe225a03a0444275145fa43b4f
2022-12-22 07:39:44 -08:00
Wiktor Garbacz
fc721da2b9 More precise sycall_defs
PiperOrigin-RevId: 497137823
Change-Id: I374054659ce94e6b53819b999d9ed25df18b4ebd
2022-12-22 05:00:48 -08:00
Wiktor Garbacz
89a8f35f0e Use new helpers in policy_test
PiperOrigin-RevId: 496904765
Change-Id: Id2e4a901ed29c780542423608c55d01ef19eee9a
2022-12-21 06:17:07 -08:00
Wiktor Garbacz
7625c3dd24 Use AllowDup helper in AddNetworkProxyPolicy
PiperOrigin-RevId: 496898835
Change-Id: I76968c5c9b25a9e41865b3fad20463661195f581
2022-12-21 05:36:28 -08:00
Sandboxed API Team
aff27f4559 Update PolicyBuilder to include wrappers for more syscall families that differ between platforms.
New wrappers:

- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)

Updated wrappers:

- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.

PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
2022-12-13 09:32:17 -08:00
Wiktor Garbacz
5b3450ac8d Internal change
PiperOrigin-RevId: 494153465
Change-Id: Ice7f3e7b95f8de1348ccb281bbfa6fc7164b3353
2022-12-09 06:14:19 -08:00
Wiktor Garbacz
ee58a410d9 Handle S2 unwinding by trapping ptrace
PiperOrigin-RevId: 491893277
Change-Id: I427a2e485173c73fffead43e29511460c58c4f04
2022-11-30 06:00:29 -08:00
Wiktor Garbacz
bd5769d40a Use SyscallTrap in NetworkProxy
PiperOrigin-RevId: 491891500
Change-Id: I2e70dbc44aa264247c217ca88a4de1c0867383fd
2022-11-30 05:47:44 -08:00
Wiktor Garbacz
5bf9b1aef0 Introduce SyscallTrap helper class
PiperOrigin-RevId: 491887840
Change-Id: I5b189969da33e042a3ba38fe14025a758103f160
2022-11-30 05:21:12 -08:00
Wiktor Garbacz
77c80b7213 unwind: Skip Mapping Symbols on ARM
ARM documentation for Mapping Symbols:
https://developer.arm.com/documentation/dui0803/a/Accessing-and-managing-symbols-with-armlink/About-mapping-symbols

PiperOrigin-RevId: 491836684
Change-Id: I2e259e66f2253d80902aa763f2637f3f6fdea414
2022-11-30 00:16:37 -08:00
Wiktor Garbacz
755f29b35e Correct unwinding stop condition
On successful completion, `unw_step()` returns a positive value
  if the updated cursor refers to a valid stack frame,
  or `0` if the previous stack frame was the last frame in the
  chain. On error, the negative value of one of the error-codes
  below is returned.

PiperOrigin-RevId: 491588164
Change-Id: Ie361023ef69eed6c895856832a8208f2791f644d
2022-11-29 03:24:31 -08:00
Christian Blichmann
92a8247777 Bazel: Add full support for virtual includes
This change adds support for using the `includes`, `include_prefix` and
`strip_include_prefix` attributes of the `cc_library()` rule. Without it,
the libtooling based header generator will not be able to find all
necessary includes as it is much stricter than the current libclang based
one in that regard.

PiperOrigin-RevId: 491574088
Change-Id: Icb9f7d2719472ee1afa5df85b185c527a3c64994
2022-11-29 02:17:48 -08:00