Commit Graph

205 Commits

Author SHA1 Message Date
Christian Blichmann
254abe04fe Use unified diff for zlib patch
PiperOrigin-RevId: 276075544
Change-Id: Icf06e360a400834e7304c2bde34954dbc71f135f
2019-10-22 09:04:29 -07:00
Wiktor Garbacz
a7cfbb92a6 Remove uneeded read-only remount
Caused failures if root is mounted as nodev, nosuid etc.
Root is pivoted and unmounted right after this anyhow.

PiperOrigin-RevId: 273707731
Change-Id: I75f1edaf2877c096e4f5bb7dc1b2bb8eb5c437a3
2019-10-09 02:47:38 -07:00
Kristj?n J?nsson
78824353d1 Make PolicyBuilder a value class.
This makes the class more ergonomic because
* You don't have to heap allocate the builder.
* You can create a policy builder "template" and re-use it across sandboxes to avoid repetitive work.

PiperOrigin-RevId: 273555679
Change-Id: I4084ee9c74f95ebfde873eb0dc021b3b3cdc5ea2
2019-10-08 10:45:45 -07:00
Sandboxed API Team
9931593fdc Corrects typo in link
PiperOrigin-RevId: 273248066
Change-Id: I37682d1b82fbe0b0e06d43dfe511da0d6aaa8c5a
2019-10-07 02:36:35 -07:00
Christian Blichmann
c6b8e301e4 This fixes broken _proto_cc_cc_proto build target suffixes.
These where inadvertently introduced in an internal cleanup change.

This change also removes a C++17-ism in var_proto.h. To make things easier for
downstream projects, we should stick to C++11 for the time being.

PiperOrigin-RevId: 271117700
Change-Id: I4eaacec88be16e1a561d3f77a61acce0a1af0b9d
2019-09-25 07:13:58 -07:00
Sandboxed API Team
ce46cb3fef internal BUILD file cleanup.
PiperOrigin-RevId: 270906748
Change-Id: I6a79c2f84a1d8a9fcb91061caa5f9e538fa83cba
2019-09-24 08:12:21 -07:00
Kevin Hamacher
1cf9bf8ab6 Internal change
PiperOrigin-RevId: 270878802
Change-Id: I4c946fdb5f566909eaead35a3050a99ab9047553
2019-09-24 04:50:18 -07:00
Kevin Hamacher
c337ea117e Return descriptive string if stack-traces are disabled
PiperOrigin-RevId: 270876245
Change-Id: I899a4628541712a212aa24d3a01d48d9b070c734
2019-09-24 04:27:09 -07:00
Kevin Hamacher
51d1a0e8ba Rollback of an internal change
PiperOrigin-RevId: 270874732
Change-Id: I69538a0a37ba008a41220fe9d77b3e59f8d06610
2019-09-24 04:11:52 -07:00
Sandboxed API Team
6131774256 internal BUILD file cleanup
PiperOrigin-RevId: 270833113
Change-Id: Ie8b2ab2486b7ca224f37d5fc3a07674d15e1b458
2019-09-23 22:24:27 -07:00
Sandboxed API Team
b390354794 internal BUILD file cleanup
PiperOrigin-RevId: 270833110
Change-Id: Ifc075bd59cf9e25d0c4ecc165592906f05875ee8
2019-09-23 22:23:57 -07:00
Sandboxed API Team
cee4ac35ae Internal BUILD file cleanup
PiperOrigin-RevId: 270672739
Change-Id: I752113fc1fa5fa3f1585b918c89ca68c058db098
2019-09-23 07:33:08 -07:00
Sandboxed API Team
a6285716f1 Internal cleanup
PiperOrigin-RevId: 270653397
Change-Id: I495a30cffdfa932da045ebed626bf97f1cb68bb2
2019-09-23 05:14:00 -07:00
Sandboxed API Team
ad2521a1e8 Internal cleanup
PiperOrigin-RevId: 270631972
Change-Id: Ifd8db261bd5380fd14357a283fb9fd67c7d25fa0
2019-09-23 02:31:54 -07:00
Wiktor Garbacz
d43d09c746 fail soft if sandboxee exits before init is ptraced
PiperOrigin-RevId: 270254470
Change-Id: Ifa13f4fe0e7ae91b79fc689e1d7dcb2a49b09cde
2019-09-20 06:13:44 -07:00
Sandboxed API Team
0aec7a511b Don't try to parse "[vsyscall]" as an ELF image.
PiperOrigin-RevId: 269811752
Change-Id: I2118badab9b5392eae7bfd36583384a33ab8a7d5
2019-09-18 08:32:11 -07:00
Wiktor Garbacz
846717def1 Fix coverage for network and network_proxy tests
PiperOrigin-RevId: 269314101
Change-Id: I65f15261a22f8f5b6250396e41d76ef40a90ef94
2019-09-16 05:43:06 -07:00
Christian Blichmann
0aa7183502 Refactor the tests and strings example a bit
PiperOrigin-RevId: 268865491
Change-Id: Ie16e5f17e2eb22e25821c34edf0068cb81bcc2fe
2019-09-13 02:28:42 -07:00
Wiktor Garbacz
d6ca9d9564 Use proper return code for static_sandbox example
Also bump FSIZE limit to make it less likely to fail.

PiperOrigin-RevId: 268857718
Change-Id: I955ed4a10d8a49585ae330ab668a0bd891bb6ed6
2019-09-13 01:22:36 -07:00
Wiktor Garbacz
2e22b13b39 Enable namespaces by default
PiperOrigin-RevId: 268417712
Change-Id: I496d76e8a90665627b9be2bb5f9872a5df1c84e4
2019-09-11 02:39:49 -07:00
Christian Blichmann
4034f1235e Revert accidental deletion of the sandbox image
PiperOrigin-RevId: 267141212
Change-Id: I1aa0edf6f3ebeb19975fdead241e91927e7679f7
2019-09-04 06:33:29 -07:00
Christian Blichmann
ea1a934d51 Migrate Sandboxed API docs to developer.google.com/sandboxed-api
This change removes the in-tree documentation in favor of the one hosted on
the Google's Developer site. This makes it easier to maintain for the
sandbox team, as there is now only a single source of truth for both internal
and external documentation.

If you find errors/bugs in the documentation, please file regular GitHub
issues.

PiperOrigin-RevId: 267132623
Change-Id: I4c950fcef77da0b361cb35b99aa2f187efe6f320
2019-09-04 05:22:03 -07:00
Wiktor Garbacz
daa3defac0 Internal change
PiperOrigin-RevId: 266889781
Change-Id: Ibea87a7bb5fafb50ae3d09f7b0df876beecaf087
2019-09-04 05:21:47 -07:00
Wiktor Garbacz
da3c6c138e Fail in monitor if init process pid not received
PiperOrigin-RevId: 266886637
Change-Id: I4e896ebda8d9e15d0aefcb4139c8dc07ab938502
2019-09-03 02:37:09 -07:00
Sandboxed API Team
84702e6c97 No public change.
PiperOrigin-RevId: 265663675
Change-Id: I6ffcf796a13cddaea4f8b8a0ca20b92cc8e316a7
2019-08-27 05:36:35 -07:00
Christian Blichmann
2dd7d27952 Fix unused variable warning in monitor
PiperOrigin-RevId: 265439933
Change-Id: Idc62e0e1640bd2b866bd1a6f3c60370ae1b70592
2019-08-26 06:03:03 -07:00
Christian Blichmann
276b7efc92 Internal change.
PiperOrigin-RevId: 265057217
Change-Id: Id00c867b373dbe8c9112c23ef4b0300ed3ca9e5b
2019-08-23 08:08:51 -07:00
Christian Blichmann
d91879f752 Ensure compatibility with CMake 3.10
This fixes some CMake-3.12+-isms, like `list(JOIN ...)` and setting link
properties on OBJECT libraries.

PiperOrigin-RevId: 265033725
Change-Id: I0ee1ec0e1b1097ea8226ad6fdeff794a97c2881b
2019-08-23 05:08:55 -07:00
Christian Blichmann
df83f19d49 Fix broken include in client.cc
PiperOrigin-RevId: 261864188
Change-Id: I247455085764373d9a004d85fbfe37cadf7ed6eb
2019-08-06 01:36:12 -07:00
Sandboxed API Team
35d9d0c60a Internal change.
PiperOrigin-RevId: 261197411
Change-Id: Ic3c388af3f807bc039ad137267e17dc9fc666c84
2019-08-01 14:26:07 -07:00
Christian Blichmann
b7cbc36071 Follow-up to 3c51348 fixing linker issues with gflags and glog
The temporary solution for binaries/tests that fully statically linked is to
link against `gflags` using `-Wl,--whole-archive`. This will no longer be
necessary, once Abseil ships with logging. Then we can (finally) use Abseil
flags and use a logging library that does not depend on a different flags
library.

PiperOrigin-RevId: 260705702
Change-Id: I8562faaff59f9c3e0e1d331186d2806d387438fb
2019-07-30 06:48:38 -07:00
Christian Blichmann
1be24d945c Improve formatting of the generated code
PiperOrigin-RevId: 260142999
Change-Id: Id170e212012c7e10e3525d031d620a01f90fb388
2019-07-26 07:47:02 -07:00
Christian Blichmann
3c51348aaf Enable CMake projects to consume Sandboxed API via add_subdirectory()
This change moves away from a classical superbuild which downloads and builds
at build time. Instead, we now follow a "Fetch Content" workflow (available as
FetchContent in CMake 3.11+) and download dependencies at config time.

Rationale: Superbuild projects have the disadvantage that projects cannot
directly access their individual declared targets. This is not a problem with
regular libraries, as those are usually/supposed to be installed. With
Sandboxed API, this is not desirable, as it has dependencies like Abseil and
glog, which are almost always consumed by including their source tree using
add_subdirectory().

Fixes #10 and makes external embedding easier.

PiperOrigin-RevId: 260129870
Change-Id: I70f295f29a6e4fc8c330512c94b01ef10c017166
2019-07-26 05:51:08 -07:00
Christian Blichmann
db0ebe3650 Support empty package names in filewrapper tool
PiperOrigin-RevId: 259943587
Change-Id: I14d95dcd7d839903ebd12f4032e05e29bca17204
2019-07-25 07:36:57 -07:00
Christian Blichmann
1b93745d00 Honor SAPI_ENABLE_TESTS in examples
PiperOrigin-RevId: 259927061
Change-Id: I7ae2156630c60e54ba0d9933d03816d750db31f3
2019-07-25 05:11:58 -07:00
bielec
ef7592cfdd Now the network proxy client can automatically redirect connect syscalls to a handler that will send the data (syscall arguments) to the proxy server automatically and will return the obtained socket from the proxy server, in the future rules like allowed IP, protocols, etc. will be added
PiperOrigin-RevId: 259512665
Change-Id: I2747c7548ab24c7d2c90abb303fd783c11fed6f4
2019-07-23 04:41:08 -07:00
Sandboxed API Team
ae9836e6bf Add dependencies on @com_google_absl//absl/base:log_severity
to targets including "absl/base/log_severity.h"

PiperOrigin-RevId: 259483071
Change-Id: Ide51ea54ca18ce466be863c1e7755098618801c0
2019-07-23 00:31:55 -07:00
Wiktor Garbacz
2300141bdb Require namespaces to be disabled explicitly
PiperOrigin-RevId: 258730797
Change-Id: I5a1df23c5176a3cecd5a343483500550f27adf44
2019-07-18 02:18:26 -07:00
Wiktor Garbacz
691104c851 Extract RunInitProcess and SendPid/RecvPid
Also properly check status of send and use one-byte messages
to avoid issues with partial send, receive.

PiperOrigin-RevId: 258362495
Change-Id: I889b4699c100c80d15b129bf3a254f5442405bc2
2019-07-16 07:23:17 -07:00
Wiktor Garbacz
2349325e2b Move root chdir to namespace setup
PiperOrigin-RevId: 258361265
Change-Id: Ifa065559e36606afa7111ef6d8e2d5d621b57426
2019-07-16 07:13:17 -07:00
Sandboxed API Team
418ad07086 Initialize std::atomic_flag members
PiperOrigin-RevId: 258309720
Change-Id: Id9cb6ee627c0aea11bbbabfcab10731e2235e534
2019-07-15 23:59:24 -07:00
Wiktor Garbacz
8a4e665cba Remove redundant process setup
PR_SET_PDEATHSIG is already issued for init process in SanitizeCurrentProcess
Same for setsid

PiperOrigin-RevId: 258142844
Change-Id: Iad9e94bd402d576c1b24caab0b03efc50e2df07e
2019-07-15 05:36:27 -07:00
Wiktor Garbacz
9f36bd80d2 Fix double EnableNamespaces
PiperOrigin-RevId: 258142629
Change-Id: Ied76490e51278371fd51e117053599cce52991f1
2019-07-15 05:34:31 -07:00
Christian Blichmann
6d33c1f908 Add CMake options to exclude examples and tests from build
PiperOrigin-RevId: 258136393
Change-Id: Ifb2d7a24f93cd1d2782b4e4d6ac2c34a0d1c2bff
2019-07-15 04:42:58 -07:00
Christian Blichmann
99ac7fa60d Refactor CMake files
* Move add_sapi_library() into a build defs file
* Override protobuf_generate_cpp() instead of naming it sapi_protobuf_generate_cpp()
* Factor out inclusion/find_package() calls of external dependencies

PiperOrigin-RevId: 258133422
Change-Id: Ibdbab0c735157eac0ed6122ab78f9d583c6905cc
2019-07-15 04:13:15 -07:00
Christian Blichmann
b219661be0 Add basic CMake support for SAPI, build examples
* Implement add_sapi_library() similar to the Bazel rule
* Fix SuperBuild so that glog properly depends on gflags (needed for --logtostderr)
* Raise minimum required version of CMake to 3.10 (Ubuntu 18.04 LTS)
* Update sum sandbox policy to allow to get IDs and PIDs

PiperOrigin-RevId: 258124160
Change-Id: I64c2f8b27a3e842874adca9100bfce20a2b74f17
2019-07-15 02:53:43 -07:00
Christian Blichmann
686c6d254f Fix documentation link to zlib example
PiperOrigin-RevId: 257793227
Change-Id: I9c43c3814d75c5b79affd4854212eec07dc14f77
2019-07-12 06:38:49 -07:00
Christian Blichmann
ab35eb49af Make embedding the sandbox code the default
PiperOrigin-RevId: 257778382
Change-Id: Ib6dc472355092c08b905e42978efe7f47703c128
2019-07-12 04:07:11 -07:00
Christian Blichmann
6b24025860 CMake targets for SAPI, add find_package() support for libffi
This change adds CMake targets for the actual Sandboxed API library. On its
own, this is not very useful, as there is no CMake equivalent to the
sapi_library() rule, yet. This will be worked on next.

PiperOrigin-RevId: 257177362
Change-Id: Ic06c945ab534b27306021d970a83691aae2e7e60
2019-07-09 06:13:08 -07:00
Wiktor Garbacz
d170bc3c80 Deflake namespace_test
When fetching exit status only lower 8-bits will be read.
Thus if getpid()&0xff == 0 the test can fail.

PiperOrigin-RevId: 257163766
Change-Id: I690c645fde33d1205578fd8873c5fc2974352ada
2019-07-09 04:11:07 -07:00
Christian Blichmann
6d06df1b86 Break out executor into its own build target
PiperOrigin-RevId: 257147090
Change-Id: I34c5e86ca68f865fdae42e4077c52c6168672c06
2019-07-09 01:53:56 -07:00
Christian Blichmann
747ccb57e8 Rename stack-trace{.h,.cc,._test.cc} to use underscores
PiperOrigin-RevId: 257144753
Change-Id: I4ce0dffad552c25b61102adfb1c03b8aea427dd9
2019-07-09 01:32:25 -07:00
Christian Blichmann
2da6dad120 Internal change
PiperOrigin-RevId: 257141595
Change-Id: Ic34799290fa88be62ecba38f8f60200a1e55f065
2019-07-09 01:32:09 -07:00
Christian Blichmann
c7f7666d9d Do not leak macro definitions in stack-trace.h
Since we use glog, we need to still rely on gFlags for as long as Abseil
logging is not yet released. To do this, we have the util/flag.h header in
SAPI, faking the newer style API of Abseil's flags library.
The rationale behind this is that glog includes/builds with gflags for
command line flag parsing and having more than one flag parsing library
active at the same time is asking for trouble.

PiperOrigin-RevId: 256982667
Change-Id: I9c5406cb9ef4458daebfec0b0713f9bddbf5c3ad
2019-07-08 08:25:17 -07:00
Christian Blichmann
2301e05097 Follow-up to rev. 6edcf5f which introduced a build failure
PiperOrigin-RevId: 256961234
Change-Id: I312d054c5d35413b2e6b061ddfa30c80397b19eb
2019-07-08 05:56:36 -07:00
Sandboxed API Team
6edcf5f823 Internal change.
PiperOrigin-RevId: 256378370
Change-Id: I1b00662a4c4c743ab79ecf35e857e4f7bc9f5e1c
2019-07-03 09:03:38 -07:00
Christian Blichmann
d48a372aab Use absolute namespace names in generator to avoid collisions
PiperOrigin-RevId: 256349023
Change-Id: Ic6e178a158fd9af0343c747b0525e703aad7ef99
2019-07-03 05:32:46 -07:00
Kevin Hamacher
6d782dd774 Deflake custom_fork_server test
PiperOrigin-RevId: 256149331
Change-Id: I68cfd64ee602757235e6c6d602819a79ae4826fb
2019-07-02 05:59:25 -07:00
Christian Blichmann
732252922a Make sapi::Status and sapi::StatusOr<> public in Bazel build file.
This makes it easier to work with the generated classes from client code.

PiperOrigin-RevId: 256132914
Change-Id: If7fb24a2cac998d2cdb04e8b627272064bf9793d
2019-07-02 03:20:23 -07:00
Maciej Szaw?owski
9435f97538 macro fixes:
- made sure that define order is correct
- made sure to emit all defines related to target define
- fixed a bug where '(' was separated with macro name with space, this breaking the macro

PiperOrigin-RevId: 256129616
Change-Id: I636b13a72c6198fb59e8e387f42567c442b24352
2019-07-02 02:58:17 -07:00
Christian Blichmann
4e20e0702a Use full workspace name to access Bazel packages in generator
Since the interface generator is invoked via a Bazel macro, it will be
expanded in the embedding context of the project using SAPI, so package access
needs to go through the full workspace root @com_google_sandboxed_api.

This change also modifies the CMakeLists.txt accordingly, as the "external"
subdirectory is no longer needed/wanted.

PiperOrigin-RevId: 255918784
Change-Id: I052c687509f65fef7f011a9d1a074a171595330f
2019-07-01 02:53:41 -07:00
Christian Blichmann
0d16c136ae Make external usage easier by providing a sapi_deps() workspace rule
If using Sandboxed API from an external Bazel WORKSPACE, dependencies can be
imported by declaring the repository and calling `sapi_deps()`:

```python
git_repository(
    name = "com_google_sandboxed_api",
    commit = "master",
    remote = "https://github.com/google/sandboxed-api.git",
)

load(
    "@com_google_sandboxed_api//sandboxed_api/bazel:sapi_deps.bzl",
    "sapi_deps",
)

sapi_deps()
```

PiperOrigin-RevId: 255373664
Change-Id: I4c41ffc75e1ca95eb126702cb2d5cedb255191d5
2019-06-27 04:27:53 -07:00
Christian Blichmann
301a265c95 Make bpf_helper visible to projects using SAPI
PiperOrigin-RevId: 255368910
Change-Id: I4f12e8d47fd747619a12d21a5be1c34d7f876b61
2019-06-27 03:43:31 -07:00
Christian Blichmann
0c4a803527 Workaround for Bazel issue #8672 (broken fully_static_link)
This is tracked at
https://github.com/bazelbuild/bazel/issues/8672

and should only affect the tests for now.

PiperOrigin-RevId: 254943708
Change-Id: Iee18a3b8c1b570c7d04d09d533ecff33c3de7d57
2019-06-25 04:32:17 -07:00
Christian Blichmann
97b5f0767a Find libclang so that Python3 works, remove PY2 annotations
We now require that Debian users install the `python3` and `python3-pip`
packages. This change lets the Python code search for `libclang.so`, which can
be located in different directories, depending on version, and is not found by
default otherwise.

Fixes #28

PiperOrigin-RevId: 254745872
Change-Id: Ia77680da2a3235c0a9518125676aa8a460e38e76
2019-06-24 06:30:34 -07:00
Christian Blichmann
4bcea59309 Use to_list() on Bazel depsets for iteration.
Starting with Bazel 0.27.0 --incompatible_depset_is_not_iterable became the
default.

Fixes #27

PiperOrigin-RevId: 254703981
Change-Id: I727e4b1c6a907c8794a00f61646c13ad8d4437b7
2019-06-24 00:45:55 -07:00
Christian Blichmann
6ca744b959 Fix old 'google' namespace in example
PiperOrigin-RevId: 254203473
Change-Id: I04401074585769f3692f320f5aa0dbbecb51ebcc
2019-06-20 08:37:56 -07:00
Wiktor Garbacz
4b9be4e78a Fix formating
PiperOrigin-RevId: 253196457
Change-Id: Id73a08945dedff7a116d500202355ecf266afcf3
2019-06-14 03:01:09 -07:00
Wiktor Garbacz
605d402121 Use new function naming
PiperOrigin-RevId: 253191002
Change-Id: If00c0effb925b3e294593f272447cd8386228bac
2019-06-14 02:09:07 -07:00
Christian Blichmann
4d891de31b Internal change
PiperOrigin-RevId: 252609329
Change-Id: I46a05641456144e7967e01905c60e18aef164b3f
2019-06-11 06:49:45 -07:00
Sandboxed API Team
970257d87b Allow two madvise calls for asan & tsan builds.
bbfa21f177/lib/sanitizer_common/sanitizer_posix_libcdep.cc (L71)

PiperOrigin-RevId: 252048323
Change-Id: I457e708f0b024fd9db4ad39265cb904777ca52b5
2019-06-07 07:53:10 -07:00
Christian Blichmann
dfbfb5cc43 Add CMake builds for the examples
PiperOrigin-RevId: 252045309
Change-Id: I57ffc3debbe64010b1f20b2e6df900b9916fa37f
2019-06-07 07:27:33 -07:00
Christian Blichmann
f2c7f976cf Add minimal Bazel CI config
PiperOrigin-RevId: 252043934
Change-Id: I29222d770c44522b21560bb736b1f5fd55cb0da0
2019-06-07 07:14:07 -07:00
Christian Blichmann
24c3e34344 Implement a GetDataDependencyFilepath() for CMake (non-Bazel really).
This code assumes, like Bazel's runfiles that the data dependency to access
exists in the same sub-tree as the binary:

WORKSPACE
+- sandboxed_api/sandbox2/examples/crc4
                                   +- crc4bin
                                   +- crc4sandbox

The code requires the directory structure to exist, so that in the example
above, crc4sandbox can use
  GetDataDependencyFilepath("sandboxed_api/sandbox2/examples/crc4/crc4bin")

regardless of how it was called.

PiperOrigin-RevId: 251834480
Change-Id: I6470b62ce9b403297116481a0c17c070992f2e81
2019-06-06 05:44:32 -07:00
Christian Blichmann
9b78e331fa Use newer gflags namespace for command-line flags
PiperOrigin-RevId: 251639941
Change-Id: I3037ce9510a3bc62cf5c899c64f2e7d344a8b4ee
2019-06-05 07:39:38 -07:00
Sandboxed API Team
1b2b83676b Internal Change
PiperOrigin-RevId: 251637952
Change-Id: I532201ec1ba16a4cae71c671ffe2bd34e13a5391
2019-06-05 07:24:16 -07:00
Christian Blichmann
ffd4e1270a Internal change
PiperOrigin-RevId: 251590551
Change-Id: Ic69f8f5f798006c0d096357b7a746cdc4ce530a3
2019-06-05 00:26:14 -07:00
Christian Blichmann
a3b0949949 Internal change
PiperOrigin-RevId: 251411359
Change-Id: Ifbed8afa72d130ae803ed71a6a43ac3c9d8755f9
2019-06-04 04:07:21 -07:00
Christian Blichmann
719cd24933 Fix sandbox2 tests when run with CTest
This test runs, but fails due to a different problem:
  StackTraceTest.ForkEnterNsLibunwindDoesNotLeakFDs

PiperOrigin-RevId: 251218516
Change-Id: If06cdbcb71fad84ebd9d934ff173d7ef1a1eebc0
2019-06-03 06:27:59 -07:00
Sandboxed API Team
dd2a84b980 Clarify behavior of Buffer::CreateFromFd
PiperOrigin-RevId: 250834142
Change-Id: I7aac739c9b590adc0599926e3246bc87e21d951a
2019-05-30 23:50:54 -07:00
Sandboxed API Team
6666f41ba2 Fix unnecessary unique_ptr in LogServer.
PiperOrigin-RevId: 250050562
Change-Id: I6840e68504c741de1e66489279237f4a4a6bc533
2019-05-26 08:47:38 -07:00
Wiktor Garbacz
08ff939ea7 Call DisableNamespaces where needed
PiperOrigin-RevId: 249637351
Change-Id: I5105d89ea0e8cfb2fca1e5ac342fa67e9caac930
2019-05-23 07:21:03 -07:00
Wiktor Garbacz
85059ef40d Add DisableNamespaces to PolicyBuilder
Currently mostly no-op, but this is the first step to turn namespaces on
by default.

PiperOrigin-RevId: 249439158
Change-Id: I5eeb1216dc868c660f62ad50c34f626afbf7db61
2019-05-22 06:54:12 -07:00
Wiktor Garbacz
71a317e65f Do not emit an error on ESRCH in PTRACE_CONT
Process might be killed between waitpid and PTRACE_CONT,
even though a PTRACE_EVENT_EXIT will be gererated, continuing
will fail with ESRCH in that case.

PiperOrigin-RevId: 249245726
Change-Id: Ib673529229a306d2266fa60caa3039b6bcd80a65
2019-05-21 07:30:56 -07:00
Wiktor Garbacz
15993a34e2 Log stack traces with INFO instead of ERROR
PiperOrigin-RevId: 249035379
Change-Id: Ie62366f45f29741ee0c8b25369d0bb169275ccfd
2019-05-20 06:16:50 -07:00
Wiktor Garbacz
207b2d9a95 Remove stale comment
PiperOrigin-RevId: 248715509
Change-Id: I7aa3f4388920e39a79ac349890de403ac3384504
2019-05-17 07:21:31 -07:00
Wiktor Garbacz
34d17b77ac Remove dead code
IPC always creates comms object from a fd.

PiperOrigin-RevId: 248683525
Change-Id: Ib4285ec0494d551257237c12f92f983b943205cb
2019-05-17 02:02:03 -07:00
Wiktor Garbacz
8678af23d0 Extract GetRlimitName into util
PiperOrigin-RevId: 248682931
Change-Id: I702533a8d36465de956a1a90a40c634434b7a671
2019-05-17 01:55:35 -07:00
Wiktor Garbacz
6e1c3c3055 Fix prlimit error message
PiperOrigin-RevId: 248491089
Change-Id: Id4116939d02b6a592c74218955675acf2e3c70fe
2019-05-16 02:24:59 -07:00
Wiktor Garbacz
7294e9976e Replace custom synchronization with absl::Notification
PiperOrigin-RevId: 248334969
Change-Id: I7614a3792babd399912c5d5a167ab5e0a0574d20
2019-05-15 08:09:56 -07:00
Wiktor Garbacz
42761c8b72 Add a resource starvation test
PiperOrigin-RevId: 248334209
Change-Id: Iff0f0b3024c67a767c429a547695cc48a2d02a30
2019-05-15 08:04:58 -07:00
Wiktor Garbacz
6588aa2a68 Reintroduce monitor changes.
Signal handling in Monitor::MainLoop was fixed.

PiperOrigin-RevId: 248331692
Change-Id: I0f85d319802258632d2074742c53597bb922555a
2019-05-15 07:46:49 -07:00
Sandboxed API Team
d8f7d861d2 Log the progress of dynamic libraries being resolved while creating a sandboxee's virtual FS chroot. This provides valuable insight while debugging problems with dynamically linked sandoxed binaries.
PiperOrigin-RevId: 247625021
Change-Id: I9bf77af7410deb8766fd49910c8564e148020601
2019-05-10 09:41:07 -07:00
Christian Blichmann
5f3c7171b7 Use Abseil's flag library released in aa468ad75539619b47979911297efbb629c52e44
PiperOrigin-RevId: 247424939
Change-Id: I22a4696f705f9dcfa7394b329c78bd126f42bd16
2019-05-09 07:57:55 -07:00
Christian Blichmann
7800fd7402 Disable compiler warnings for consistency with internal settings.
PiperOrigin-RevId: 247405215
Change-Id: I236170f7b47d9ecd32324db907ef7afc2e797d9a
2019-05-09 05:21:34 -07:00
Sandboxed API Team
63f0adbfbb Revert of monitor code update.
PiperOrigin-RevId: 247255592
Change-Id: I3656ea1628418321b1b8b02660b6a51a58c2c61f
2019-05-08 11:34:26 -07:00
Wiktor Garbacz
3f5360a7bc Simplify monitor code.
Make setting result code the condition for main loop exit.

PiperOrigin-RevId: 247218505
Change-Id: I8699012683bc301e8a9f4f41cd5ab018e3cd514c
2019-05-08 08:34:56 -07:00
Christian Blichmann
a412383d61 Fix build failure with Bazel v0.25.0+ (#25)
PiperOrigin-RevId: 247206409
Change-Id: Ic6d4d1fea42ea5746613d3ef3de67f61e72848a6
2019-05-08 07:07:29 -07:00
Sandboxed API Team
f29a5a81ed Print final FS mounts in sandboxee's chroot
After all requested filesystem mounts are fully mounted under a sandboxee's virtual chroot, print a list of the outside paths and a list of the inside chroot paths that the outside paths are mapped to. This provides a valuable insight while debugging sandboxed binaries.

PiperOrigin-RevId: 247130923
Change-Id: I42b4b3db68d826587c0fe8127aabbead38bc6f20
2019-05-07 18:30:13 -07:00
Christian Blichmann
6bfa83befe CMake support for Sandbox2
- Add a superbuild in cmake/SuperBuild.cmake that downloads and builds
  dependencies
- Builds for sandbox2/ and a its tests
- Helper CMake function to strip proto paths
- Module to find libcap
- Custom build for libunwind that wraps its symbols
- Fix environment so that CTest executes tests similar to Bazel
- Filewrapper functionality, like Bazel's cc_embed_data()
- Build forkserver with embedded binary
- Enable ASM language so that libunwind builds correctly
- Allow glog target to propagate transitively (to propagate its include dirs)

Signed-off-by: Christian Blichmann <cblichmann@google.com>
2019-05-06 14:03:29 +02:00