When symbolize.cc is built with unwind tables function from the lib calling into symbolize.cc might be duplicated in stack trace (libunwind fallback to LR)
PiperOrigin-RevId: 514324815
Change-Id: I76ee4ccf5aaf388924714284d9896fa367f5f752
Check unwinding recursive calls.
Verify we can unwind in absence of unwind tables.
PiperOrigin-RevId: 513506498
Change-Id: Ib87240b7481dae3a4513c944e17a7924a54926e9
Follow-up changes might be required to fully fix up the contrib sandboxes.
PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
This change allows Sandbox2 to change how the default FD for comms is chosen.
PiperOrigin-RevId: 479526309
Change-Id: I69add85a244bc0385eaa164ab0ea3b036503c6d3
Linking glibc in fully static mode is mostly unsupported. While such binaries
can easily be produced, conflicting symbols will often make them crash at
runtime. This happens because glibc will always (try to) load some dynamically
linked libraries, even when statically linked. This includes things like the
resolver, unicode/locale handling and others.
Internally at Google, this is not a concern due to the way glibc is being built
there. But in order to make all of our tests run in the open-source version of
this code, we need to change strategy a bit.
As a rule of thumb, glibc can safely be linked statically if a program is
resonably simple and does not use any networking of locale dependent
facilities. Calling syscalls directly instead of the corresponding libc
wrappers works as well, of course.
This change adjusts linker flags and sandbox policies to be more compatible
with regular Linux distributions.
Tested:
- `ctest -R '[A-Z].*'` (all SAPI/Sandbox2 tests)
PiperOrigin-RevId: 429025901
Change-Id: I46b677d9eb61080a8fe868002a34a77de287bf2d
Move VecStringToCharPtrArr before fork, so that it cannot deadlock when other thread holds allocation lock.
PiperOrigin-RevId: 414661912
Change-Id: Ie8aa5c36693e6f86c69d67a1da51b7e7ff1ec30b
This change should make it less confusing where utility code comes from.
Having it in two places made sense when we were debating whether to publish
Sandbox2 separately, but not any longer.
Follow-up changes will move `sandbox2/util.h` and rename the remaining
`sandbox2/util` folder.
PiperOrigin-RevId: 351601640
Change-Id: I6256845261f610e590c25e2c59851cc51da2d778
This change enables support for 32-bit ARM, as used by embedded controllers and older phones.
Note: This does not support 32-bit sandboxees on AArch64. Both sandboxee and host code must have the same bitness.
PiperOrigin-RevId: 347835193
Change-Id: I6395882677530f9862f118d2dc10230a61049836
This allows resource-constrained environments to benefit from the
space savings of dynamic linking. This is not meant to be used in
the general case.
PiperOrigin-RevId: 347398828
Change-Id: Ia634959148a31159878f48c44255dd733424a2b8
- Bazel: Use "incompatible" flag to fix fully static linking. The flag will
become the default in Bazel 4.0.
- Bazel: Deduplicate features into `FULLY_STATIC_FEATURES` variable
- CMake: Remove the testcase properties. `sapi::base` already sets
`POSITION_INDEPENDENT_CODE`. Note that `-pie` is incompatible with `-static`
and `-static-pie` requires GCC 8 and GLIBC 2.27.
PiperOrigin-RevId: 346952478
Change-Id: I7a317c90a3bec9691b13df1a00e3fddf4481df4d
The default policy causes immediate termination of a sandboxee that
calls `bpf`(2).
This does not allow for try-call use of `bpf()` to test for optional
features.
To support such try-call use cases, sandboxes would like to say:
```
sandbox2::PolicyBuilder builder;
builder.BlockSyscallWithErrno(__NR_bpf, EPERM);
```
but this doesn't work because the default policy unconditionally treats
`bpf()` as a sandbox violation.
Remove the bpf violation check from the policy if `bpf()` is explicitly
blocked with an errno.
PiperOrigin-RevId: 345239389
Change-Id: I7fcfd3a938c610c8679edf8e1fa0238b32cc9db4
This allows us to remove some uses of macros.
Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics
PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
This removes our own fork of `absl::StatusOr<>`. Sandboxed API still includes
a custom matcher for Googletest, as that is not open source yet. For
compatibility, the `statusor.h` header is still retained and now aliases
`sapi::StatusOr<>` to `absl::StatusOr<>`.
PiperOrigin-RevId: 329916309
Change-Id: I0544b73a9e312dce499bc4128c28457e04ab9929
The temporary solution for binaries/tests that fully statically linked is to
link against `gflags` using `-Wl,--whole-archive`. This will no longer be
necessary, once Abseil ships with logging. Then we can (finally) use Abseil
flags and use a logging library that does not depend on a different flags
library.
PiperOrigin-RevId: 260705702
Change-Id: I8562faaff59f9c3e0e1d331186d2806d387438fb
When fetching exit status only lower 8-bits will be read.
Thus if getpid()&0xff == 0 the test can fail.
PiperOrigin-RevId: 257163766
Change-Id: I690c645fde33d1205578fd8873c5fc2974352ada
This is tracked at
https://github.com/bazelbuild/bazel/issues/8672
and should only affect the tests for now.
PiperOrigin-RevId: 254943708
Change-Id: Iee18a3b8c1b570c7d04d09d533ecff33c3de7d57
- Add a superbuild in cmake/SuperBuild.cmake that downloads and builds
dependencies
- Builds for sandbox2/ and a its tests
- Helper CMake function to strip proto paths
- Module to find libcap
- Custom build for libunwind that wraps its symbols
- Fix environment so that CTest executes tests similar to Bazel
- Filewrapper functionality, like Bazel's cc_embed_data()
- Build forkserver with embedded binary
- Enable ASM language so that libunwind builds correctly
- Allow glog target to propagate transitively (to propagate its include dirs)
Signed-off-by: Christian Blichmann <cblichmann@google.com>