StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity
5fb18d3c9d
sandboxed-api/sandboxed_api/sandbox2/global_forkclient.cc
Wiktor Garbacz f8a2729c32 Start global fork-server on demand 
Allow disabling global fork-server with a flag.

PiperOrigin-RevId: 340860588
Change-Id: I184603dc3a81eb90f715053e14fb3b8d66a6f104
2020-11-05 08:48:03 -08:00

124 lines
4.0 KiB
C++
Raw Blame History

// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Implementation of the sandbox2::ForkServer class.
#include "sandboxed_api/sandbox2/global_forkclient.h"
#include <fcntl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <syscall.h>
#include <unistd.h>
#include <csignal>
#include <cstdlib>
#include <glog/logging.h>
#include "sandboxed_api/util/flag.h"
#include "absl/memory/memory.h"
#include "sandboxed_api/embed_file.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver_bin_embed.h"
#include "sandboxed_api/sandbox2/util.h"
#include "sandboxed_api/sandbox2/util/fileops.h"
#include "sandboxed_api/sandbox2/util/strerror.h"
#include "sandboxed_api/util/raw_logging.h"
ABSL_FLAG(bool, sandbox2_start_forkserver, true,
"Start Sandbox2 Forkserver process");
namespace sandbox2 {
namespace {
std::unique_ptr<GlobalForkClient> StartGlobalForkServer() {
if (getenv(kForkServerDisableEnv)) {
SAPI_RAW_VLOG(1,
"Start of the Global Fork-Server prevented by the '%s' "
"environment variable present",
kForkServerDisableEnv);
return {};
}
if (!absl::GetFlag(FLAGS_sandbox2_start_forkserver)) {
SAPI_RAW_VLOG(
1, "Start of the Global Fork-Server prevented by commandline flag");
return {};
}
file_util::fileops::FDCloser exec_fd(
sapi::EmbedFile::GetEmbedFileSingleton()->GetFdForFileToc(
forkserver_bin_embed_create()));
SAPI_RAW_CHECK(exec_fd.get() >= 0, "Getting FD for init binary failed");
std::string proc_name = "S2-FORK-SERV";
int sv[2];
SAPI_RAW_CHECK(socketpair(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) != -1,
"creating socket pair");
// Fork the fork-server, and clean-up the resources (close remote sockets).
pid_t pid = util::ForkWithFlags(SIGCHLD);
SAPI_RAW_PCHECK(pid != -1, "during fork");
// Child.
if (pid == 0) {
// Move the comms FD to the proper, expected FD number.
// The new FD will not be CLOEXEC, which is what we want.
dup2(sv[0], Comms::kSandbox2ClientCommsFD);
char* const args[] = {proc_name.data(), nullptr};
char* const envp[] = {nullptr};
syscall(__NR_execveat, exec_fd.get(), "", args, envp, AT_EMPTY_PATH);
SAPI_RAW_PLOG(FATAL, "Could not launch forkserver binary");
abort();
}
close(sv[0]);
return absl::make_unique<GlobalForkClient>(sv[1], pid);
}
GlobalForkClient* GetGlobalForkClient() {
static GlobalForkClient* global_fork_client =
StartGlobalForkServer().release();
return global_fork_client;
}
} // namespace
void GlobalForkClient::EnsureStarted() { GetGlobalForkClient(); }
pid_t GlobalForkClient::SendRequest(const ForkRequest& request, int exec_fd,
int comms_fd, int user_ns_fd,
pid_t* init_pid) {
GlobalForkClient* global_fork_client = GetGlobalForkClient();
SAPI_RAW_CHECK(global_fork_client != nullptr,
"global fork client not initialized");
pid_t pid = global_fork_client->fork_client_.SendRequest(
request, exec_fd, comms_fd, user_ns_fd, init_pid);
if (global_fork_client->comms_.IsTerminated()) {
LOG(ERROR) << "Global forkserver connection terminated";
}
return pid;
}
pid_t GlobalForkClient::GetPid() {
GlobalForkClient* global_fork_client = GetGlobalForkClient();
SAPI_RAW_CHECK(global_fork_client != nullptr,
"global fork client not initialized");
return global_fork_client->fork_client_.pid();
}
} // namespace sandbox2
Reference in New Issue View Git Blame Copy Permalink