# Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Description: sandbox2 is a C++ sandbox technology for Linux. load("//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts") load("//sandboxed_api/bazel:embed_data.bzl", "sapi_cc_embed_data") load("//sandboxed_api/bazel:proto.bzl", "sapi_proto_library") package(default_visibility = ["//sandboxed_api:__subpackages__"]) licenses(["notice"]) cc_library( name = "bpfdisassembler", srcs = ["bpfdisassembler.cc"], hdrs = ["bpfdisassembler.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ "@com_google_absl//absl/strings", "@com_google_absl//absl/types:span", ], ) cc_library( name = "regs", srcs = ["regs.cc"], hdrs = ["regs.h"], copts = sapi_platform_copts(), deps = [ ":syscall", ":violation_cc_proto", "//sandboxed_api:config", "//sandboxed_api/util:status", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", ], ) cc_test( name = "regs_test", srcs = ["regs_test.cc"], copts = sapi_platform_copts(), tags = ["no_qemu_user_mode"], deps = [ ":regs", ":sanitizer", ":util", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:status_matchers", "@com_google_glog//:glog", "@com_google_googletest//:gtest_main", ], ) cc_library( name = "syscall", srcs = [ "syscall.cc", "syscall_defs.cc", "syscall_defs.h", ], hdrs = ["syscall.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":util", "//sandboxed_api:config", "@com_google_absl//absl/algorithm:container", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", "@com_google_absl//absl/types:span", "@com_google_glog//:glog", ], ) cc_test( name = "syscall_test", srcs = ["syscall_test.cc"], copts = sapi_platform_copts(), tags = ["no_qemu_user_mode"], deps = [ ":syscall", "//sandboxed_api:config", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_library( name = "result", srcs = ["result.cc"], hdrs = ["result.h"], copts = sapi_platform_copts(), deps = [ ":regs", ":syscall", ":util", "//sandboxed_api:config", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", ], ) sapi_proto_library( name = "logserver_proto", srcs = ["logserver.proto"], ) cc_library( name = "logserver", srcs = ["logserver.cc"], hdrs = ["logserver.h"], copts = sapi_platform_copts(), deps = [ ":comms", ":logserver_cc_proto", "@com_google_glog//:glog", ], ) cc_library( name = "logsink", srcs = ["logsink.cc"], hdrs = ["logsink.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":comms", ":logserver_cc_proto", "@com_google_absl//absl/strings", "@com_google_absl//absl/synchronization", "@com_google_glog//:glog", ], ) cc_library( name = "ipc", srcs = ["ipc.cc"], hdrs = ["ipc.h"], copts = sapi_platform_copts(), deps = [ ":comms", ":logserver", ":logsink", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", ], ) cc_library( name = "policy", srcs = ["policy.cc"], hdrs = ["policy.h"], copts = sapi_platform_copts(), deps = [ ":bpfdisassembler", ":comms", ":namespace", ":regs", ":syscall", ":violation_cc_proto", "//sandboxed_api:config", "//sandboxed_api/sandbox2/network_proxy:filtering", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:flags", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/types:optional", ], ) cc_library( name = "notify", srcs = [], hdrs = ["notify.h"], copts = sapi_platform_copts(), deps = [ ":comms", ":result", ":syscall", ":util", "//sandboxed_api:config", "@com_google_absl//absl/base:core_headers", "@com_google_glog//:glog", ], ) cc_library( name = "limits", hdrs = ["limits.h"], copts = sapi_platform_copts(), deps = [ "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/time", ], ) cc_binary( name = "forkserver_bin", srcs = ["forkserver_bin.cc"], copts = sapi_platform_copts(), deps = [ ":comms", ":forkserver", ":sanitizer", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:strerror", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/strings", ], ) sapi_cc_embed_data( name = "forkserver_bin_embed", srcs = [":forkserver_bin.stripped"], ) cc_library( name = "global_forkserver", srcs = ["global_forkclient.cc"], hdrs = ["global_forkclient.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":comms", ":fork_client", ":forkserver_bin_embed", ":forkserver_cc_proto", ":util", "//sandboxed_api:config", "//sandboxed_api:embed_file", "//sandboxed_api/util:fileops", "//sandboxed_api/util:flags", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:status", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_absl//absl/synchronization", "@com_google_glog//:glog", ], ) # Use only if Sandbox2 global forkserver has to be started very early on. # By default the forkserver is started on demand. cc_library( name = "start_global_forkserver_lib_constructor", srcs = ["global_forkclient_lib_ctor.cc"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":fork_client", ":global_forkserver", "@com_google_absl//absl/base:core_headers", ], ) cc_library( name = "executor", srcs = ["executor.cc"], hdrs = ["executor.h"], copts = sapi_platform_copts(), deps = [ ":fork_client", ":forkserver_cc_proto", ":global_forkserver", ":ipc", ":limits", ":namespace", ":util", "//sandboxed_api:config", "//sandboxed_api/util:fileops", "//sandboxed_api/util:status", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", "@com_google_absl//absl/types:span", ], ) # Should not be used in sandboxee code if it only uses sandbox2::Comms and # sandbox2::Client objects cc_library( name = "sandbox2", srcs = [ "monitor.cc", "monitor.h", "policybuilder.cc", "sandbox2.cc", "stack_trace.cc", "stack_trace.h", ], hdrs = [ "client.h", "executor.h", "ipc.h", "limits.h", "notify.h", "policy.h", "policybuilder.h", "regs.h", "result.h", "sandbox2.h", "syscall.h", ], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":client", ":comms", ":executor", ":fork_client", ":forkserver_cc_proto", ":global_forkserver", ":ipc", ":limits", ":logsink", ":mounts", ":namespace", ":notify", ":policy", ":regs", ":result", ":sanitizer", ":syscall", ":util", ":violation_cc_proto", "//sandboxed_api:config", "//sandboxed_api/sandbox2/network_proxy:client", "//sandboxed_api/sandbox2/network_proxy:filtering", "//sandboxed_api/sandbox2/network_proxy:server", "//sandboxed_api/sandbox2/unwind", "//sandboxed_api/sandbox2/unwind:unwind_cc_proto", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:file_base", "//sandboxed_api/util:file_helpers", "//sandboxed_api/util:fileops", "//sandboxed_api/util:flags", "//sandboxed_api/util:status", "//sandboxed_api/util:strerror", "//sandboxed_api/util:temp_file", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/cleanup", "@com_google_absl//absl/container:flat_hash_map", "@com_google_absl//absl/container:flat_hash_set", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", "@com_google_absl//absl/synchronization", "@com_google_absl//absl/time", "@com_google_absl//absl/types:optional", "@com_google_absl//absl/types:span", "@org_kernel_libcap//:libcap", ], ) # Should be used in sandboxee code instead of :sandbox2 if it uses just # sandbox2::Client::SandboxMeHere() and sandbox2::Comms cc_library( name = "client", srcs = ["client.cc"], hdrs = ["client.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":comms", ":logsink", ":sanitizer", "//sandboxed_api/sandbox2/network_proxy:client", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:strerror", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/container:flat_hash_map", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", ], ) cc_library( name = "sanitizer", srcs = ["sanitizer.cc"], hdrs = ["sanitizer.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":util", "//sandboxed_api/util:file_helpers", "//sandboxed_api/util:fileops", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:status", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/container:flat_hash_set", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", ], ) cc_library( name = "forkserver", srcs = ["forkserver.cc"], hdrs = ["forkserver.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":client", ":comms", ":fork_client", ":forkserver_cc_proto", ":namespace", ":policy", ":sanitizer", ":syscall", ":util", "//sandboxed_api/sandbox2/unwind", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:file_helpers", "//sandboxed_api/util:fileops", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:status", "//sandboxed_api/util:strerror", "@com_google_absl//absl/container:flat_hash_map", "@com_google_absl//absl/container:flat_hash_set", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", "@org_kernel_libcap//:libcap", ], ) cc_library( name = "fork_client", srcs = ["fork_client.cc"], hdrs = ["fork_client.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":comms", ":forkserver_cc_proto", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/synchronization", "@com_google_glog//:glog", ], ) cc_library( name = "mounts", srcs = ["mounts.cc"], hdrs = ["mounts.h"], copts = sapi_platform_copts(), deps = [ ":mount_tree_cc_proto", "//sandboxed_api:config", "//sandboxed_api/sandbox2/util:minielf", "//sandboxed_api/util:file_base", "//sandboxed_api/util:fileops", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:status", "//sandboxed_api/util:strerror", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/container:flat_hash_set", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_protobuf//:protobuf", ], ) cc_test( name = "mounts_test", srcs = ["mounts_test.cc"], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:minimal_dynamic"], deps = [ ":mount_tree_cc_proto", ":mounts", "//sandboxed_api:testing", "//sandboxed_api/util:file_base", "//sandboxed_api/util:file_helpers", "//sandboxed_api/util:status_matchers", "//sandboxed_api/util:temp_file", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_library( name = "namespace", srcs = ["namespace.cc"], hdrs = ["namespace.h"], copts = sapi_platform_copts(), deps = [ ":mount_tree_cc_proto", ":mounts", ":util", ":violation_cc_proto", "//sandboxed_api/util:file_base", "//sandboxed_api/util:fileops", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:strerror", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", ], ) cc_test( name = "namespace_test", srcs = ["namespace_test.cc"], copts = sapi_platform_copts(), data = [ "//sandboxed_api/sandbox2/testcases:hostname", "//sandboxed_api/sandbox2/testcases:namespace", ], deps = [ ":comms", ":namespace", ":sandbox2", "//sandboxed_api:config", "//sandboxed_api:testing", "//sandboxed_api/util:fileops", "//sandboxed_api/util:status_matchers", "//sandboxed_api/util:temp_file", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_library( name = "forkingclient", srcs = ["forkingclient.cc"], hdrs = ["forkingclient.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":client", ":comms", ":forkserver", ":sanitizer", "@com_google_absl//absl/memory", ], ) cc_library( name = "util", srcs = ["util.cc"], hdrs = ["util.h"], # The default is 16384, however we need to do a clone with a # stack-allocated buffer -- and PTHREAD_STACK_MIN also happens to be 16384. # Thus the slight increase. copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ "//sandboxed_api:config", "//sandboxed_api/util:file_base", "//sandboxed_api/util:file_helpers", "//sandboxed_api/util:fileops", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:status", "@com_google_absl//absl/algorithm:container", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", ], ) cc_library( name = "buffer", srcs = ["buffer.cc"], hdrs = ["buffer.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":util", "//sandboxed_api/util:status", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", ], ) cc_test( name = "buffer_test", srcs = ["buffer_test.cc"], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:buffer"], tags = ["no_qemu_user_mode"], deps = [ ":buffer", ":comms", ":sandbox2", "//sandboxed_api:config", "//sandboxed_api:testing", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/memory", "@com_google_googletest//:gtest_main", ], ) sapi_proto_library( name = "forkserver_proto", srcs = ["forkserver.proto"], copts = sapi_platform_copts(), deps = [":mount_tree_proto"], ) sapi_proto_library( name = "mount_tree_proto", srcs = ["mount_tree.proto"], ) cc_library( name = "comms", srcs = ["comms.cc"], hdrs = ["comms.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = [ ":util", "//sandboxed_api/util:raw_logging", "//sandboxed_api/util:status", "//sandboxed_api/util:status_cc_proto", "//sandboxed_api/util:strerror", "@com_google_absl//absl/base:config", "@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/base:dynamic_annotations", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", "@com_google_absl//absl/synchronization", "@com_google_protobuf//:protobuf", ], ) sapi_proto_library( name = "comms_test_proto", srcs = ["comms_test.proto"], ) cc_test( name = "comms_test", srcs = ["comms_test.cc"], copts = sapi_platform_copts(), deps = [ ":comms", ":comms_test_cc_proto", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/container:fixed_array", "@com_google_absl//absl/strings", "@com_google_glog//:glog", "@com_google_googletest//:gtest_main", "@com_google_protobuf//:protobuf", ], ) cc_test( name = "forkserver_test", srcs = ["forkserver_test.cc"], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:minimal"], tags = ["no_qemu_user_mode"], deps = [ ":comms", ":forkserver", ":forkserver_cc_proto", ":global_forkserver", ":sandbox2", "//sandboxed_api:testing", "@com_google_absl//absl/strings", "@com_google_glog//:glog", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "limits_test", srcs = ["limits_test.cc"], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:limits"], deps = [ ":limits", ":sandbox2", "//sandboxed_api:config", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/memory", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "notify_test", srcs = ["notify_test.cc"], copts = sapi_platform_copts(), data = [ "//sandboxed_api/sandbox2/testcases:personality", "//sandboxed_api/sandbox2/testcases:pidcomms", ], tags = ["no_qemu_user_mode"], deps = [ ":comms", ":regs", ":sandbox2", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "policy_test", srcs = ["policy_test.cc"], copts = sapi_platform_copts(), data = [ "//sandboxed_api/sandbox2/testcases:add_policy_on_syscalls", "//sandboxed_api/sandbox2/testcases:malloc_system", "//sandboxed_api/sandbox2/testcases:minimal", "//sandboxed_api/sandbox2/testcases:minimal_dynamic", "//sandboxed_api/sandbox2/testcases:policy", ], tags = ["no_qemu_user_mode"], deps = [ ":limits", ":regs", ":sandbox2", "//sandboxed_api:config", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "sandbox2_test", srcs = ["sandbox2_test.cc"], copts = sapi_platform_copts(), data = [ "//sandboxed_api/sandbox2/testcases:abort", "//sandboxed_api/sandbox2/testcases:minimal", "//sandboxed_api/sandbox2/testcases:sleep", "//sandboxed_api/sandbox2/testcases:starve", "//sandboxed_api/sandbox2/testcases:tsync", ], tags = [ "local", "no_qemu_user_mode", ], deps = [ ":sandbox2", "//sandboxed_api:config", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "sanitizer_test", srcs = ["sanitizer_test.cc"], copts = sapi_platform_copts(), data = [ "//sandboxed_api/sandbox2/testcases:close_fds", "//sandboxed_api/sandbox2/testcases:sanitizer", ], tags = ["no_qemu_user_mode"], deps = [ ":comms", ":sandbox2", ":sanitizer", ":util", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/container:flat_hash_set", "@com_google_absl//absl/memory", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "util_test", srcs = ["util_test.cc"], copts = sapi_platform_copts(), deps = [ ":util", "//sandboxed_api:testing", "//sandboxed_api/util:file_base", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "stack_trace_test", srcs = [ "stack_trace.h", "stack_trace_test.cc", ], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:symbolize"], tags = ["no_qemu_user_mode"], deps = [ ":global_forkserver", ":mounts", ":regs", ":sandbox2", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:fileops", "//sandboxed_api/util:flags", "//sandboxed_api/util:status_matchers", "//sandboxed_api/util:temp_file", "@com_google_absl//absl/cleanup", "@com_google_absl//absl/memory", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_googletest//:gtest_main", ], ) cc_test( name = "ipc_test", srcs = ["ipc_test.cc"], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:ipc"], tags = ["no_qemu_user_mode"], deps = [ ":comms", ":sandbox2", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/memory", "@com_google_googletest//:gtest_main", ], ) cc_library( name = "testing", testonly = 1, hdrs = ["testing.h"], copts = sapi_platform_copts(), visibility = ["//visibility:public"], deps = ["//sandboxed_api:testing"], ) sapi_proto_library( name = "violation_proto", srcs = ["violation.proto"], deps = [":mount_tree_proto"], ) cc_test( name = "policybuilder_test", srcs = ["policybuilder_test.cc"], copts = sapi_platform_copts(), data = ["//sandboxed_api/sandbox2/testcases:print_fds"], tags = [ "no_qemu_user_mode", "requires-net:external", ], deps = [ ":comms", ":sandbox2", "//sandboxed_api:config", "//sandboxed_api:testing", "//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/util:status_matchers", "@com_google_absl//absl/memory", "@com_google_absl//absl/status", "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", "@com_google_glog//:glog", "@com_google_googletest//:gtest_main", ], )