Generate syscall jump table without using bpf_helper.
Check that any jump in the user provided policy is within the provided policy.
PiperOrigin-RevId: 409362089
Change-Id: I31493e52cf868e4b184ff79fcb26beeb75f49773
Note: This change allows `MAP_NORESERVE` generally, not just for MSAN. This follows
what we do for `AllowTcMalloc()/AllowSystemMalloc()`
PiperOrigin-RevId: 402231980
Change-Id: Ifa1c6b9f61f636dd6db231dde3765c3b4a40911b
These were previously dependent on an internal-only testing target.
For now, this only works with Bazel, but should enable us to have better test coverage in GitHub actions.
Eventually, all of these shell-based tests should be converted to `cc_test`s.
PiperOrigin-RevId: 400713615
Change-Id: I1cabb5b72977987ef4a1803480f699b58c4d56e9
For OSS, this change should be mostly a no-op. Visible edits are due to
changed order of code and/or includes.
PiperOrigin-RevId: 394177395
Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.
PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
Otherwise starting forkserver multiple times will result in zombie processes lingering around.
PiperOrigin-RevId: 388926497
Change-Id: Ia9947cce3d9e909edd709b0d3525e1ae8b8bbc51
Also really own `exec_fd_` as previously if the executor is destructed without calling `StartSubProcess` the file descriptor would leak.
PiperOrigin-RevId: 388901766
Change-Id: I6bbb15ced37a0a832ec5a5228452a3d54ef46ee9
Calling `Terminate()` issues additional syscalls that may clobber the `errno`
value. Reordering the log statements ensures we actually log the initial error
in `read()`/`write()`.
PiperOrigin-RevId: 387576942
Change-Id: I0f9c8c6001e6dc4ca098abe02cd251029f92a737
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that
get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs
there are. Unfortunately, some of those sandboxes also disable namespaces. The
solution is to provide two functions: AllowRestartableSequencesWithProcFiles(),
which allows syscalls and files; and AllowRestartableSequences(), which allows
syscalls only. Sandboxes should usually call the former; sandboxes that disable
namespaces should instead call the latter and are responsible for allowing the
files via the deprecated Fs mechanism.
2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags.
3. Order the code and the comments identically for better readability.
PiperOrigin-RevId: 386414028
Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
The existing function signature took a `unique_ptr<>` owning a vector, and
took `nullptr` to mean an empty set of capabilities. This is more naturally
modeled by taking the vector directly and `std::move`-ing it.
PiperOrigin-RevId: 384214849
Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
- Assign to `*mutable_XXX()` instead of looping
- Use a const ref for capabilities
PiperOrigin-RevId: 384192675
Change-Id: I4db3d0c8ce0d7f6acc9fd486a2409962516b5fe7
This bug only manifests if a lot of fds are open when global forkserver is started.
If the allocated exec_fd number was equal Comms::kSandbox2ClientCommsFD then it would be replaced by the comms fd and result in EACCESS at execveat.
PiperOrigin-RevId: 380805414
Change-Id: I31427fa929abfc60890477b55790cc14c749f7f5