sandboxed-api/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
Christian Blichmann 51799f99ae Introduce a transitional logging utility library
Instead of calling `google::InitGoogleLogging()` directly, introduce an
indirection via a new utility library. After this change, Sandboxed API
should consistently use `sapi::InitLogging()` everywhere.

For now, `sapi::InitLogging()` simply calls its glog equivalent. However,
this enables us to migrate away from the gflags dependency and use Abseil
flags. Once a follow-up change lands, `sapi::InitLogging()` will instead
initialize the google logging library with flags defined from Aseil.

Later still, once Abseil releases logging, we can then drop the glog
dependency entirely.

PiperOrigin-RevId: 445363592
Change-Id: Ia23a7dc88b8ffe65a422ea4d5233bba7bdd1303a
2022-04-29 02:14:06 -07:00

163 lines
5.1 KiB
C++

// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// A demo sandbox for the crc4bin binary
#include <linux/filter.h>
#include <sys/resource.h>
#include <syscall.h>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include <glog/logging.h>
#include "sandboxed_api/util/flag.h"
#include "absl/memory/memory.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/limits.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
#include "sandboxed_api/sandbox2/result.h"
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/util/logging.h"
#include "sandboxed_api/util/runfiles.h"
using std::string; // gflags <-> Abseil Flags
ABSL_FLAG(string, input, "", "Input to calculate CRC4 of.");
ABSL_FLAG(bool, call_syscall_not_allowed, false,
"Have sandboxee call clone (violation).");
namespace {
std::unique_ptr<sandbox2::Policy> GetPolicy() {
return sandbox2::PolicyBuilder()
.DisableNamespaces() // Safe, as we only allow I/O on existing FDs.
.AllowExit()
.AddPolicyOnSyscalls(
{
__NR_read,
__NR_write,
__NR_close,
},
{
ARG_32(0),
JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW),
})
.AllowLlvmSanitizers() // Will be a no-op when not using sanitizers.
.BuildOrDie();
}
bool SandboxedCRC4(sandbox2::Comms* comms, uint32_t* crc4) {
const std::string input = absl::GetFlag(FLAGS_input);
auto* buf = reinterpret_cast<const uint8_t*>(input.data());
size_t buf_size = input.size();
if (!comms->SendBytes(buf, buf_size)) {
LOG(ERROR) << "sandboxee_comms->SendBytes() failed";
return false;
}
if (!comms->RecvUint32(crc4)) {
LOG(ERROR) << "sandboxee_comms->RecvUint32(&crc4) failed";
return false;
}
return true;
}
} // namespace
int main(int argc, char* argv[]) {
gflags::ParseCommandLineFlags(&argc, &argv, true);
sapi::InitLogging(argv[0]);
if (absl::GetFlag(FLAGS_input).empty()) {
LOG(ERROR) << "Parameter --input required.";
return 1;
}
// Note: In your own code, use sapi::GetDataDependencyFilePath() instead.
const std::string path = sapi::internal::GetSapiDataDependencyFilePath(
"sandbox2/examples/crc4/crc4bin");
std::vector<std::string> args = {path};
if (absl::GetFlag(FLAGS_call_syscall_not_allowed)) {
args.push_back("-call_syscall_not_allowed");
}
std::vector<std::string> envs = {};
auto executor = absl::make_unique<sandbox2::Executor>(path, args, envs);
executor
// Sandboxing is enabled by the binary itself (i.e. the crc4bin is capable
// of enabling sandboxing on its own).
->set_enable_sandbox_before_exec(false)
.limits()
// Remove restrictions on the size of address-space of sandboxed
// processes.
->set_rlimit_as(RLIM64_INFINITY)
// Kill sandboxed processes with a signal (SIGXFSZ) if it writes more than
// these many bytes to the file-system.
.set_rlimit_fsize(1024)
.set_rlimit_cpu(60) // The CPU time limit in seconds.
.set_walltime_limit(absl::Seconds(5));
sandbox2::Sandbox2 s2(std::move(executor), GetPolicy());
// Let the sandboxee run.
if (!s2.RunAsync()) {
sandbox2::Result result = s2.AwaitResult();
LOG(ERROR) << "RunAsync failed: " << result.ToString();
return 2;
}
sandbox2::Comms* comms = s2.comms();
uint32_t crc4;
if (!SandboxedCRC4(comms, &crc4)) {
LOG(ERROR) << "GetCRC4 failed";
if (!s2.IsTerminated()) {
// Kill the sandboxee, because failure to receive the data over the Comms
// channel doesn't automatically mean that the sandboxee itself had
// already finished. The final reason will not be overwritten, so if
// sandboxee finished because of e.g. timeout, the TIMEOUT reason will be
// reported.
LOG(INFO) << "Killing sandboxee";
s2.Kill();
}
}
sandbox2::Result result = s2.AwaitResult();
if (result.final_status() != sandbox2::Result::OK) {
LOG(ERROR) << "Sandbox error: " << result.ToString();
return 3; // e.g. sandbox violation, signal (sigsegv)
}
auto code = result.reason_code();
if (code) {
LOG(ERROR) << "Sandboxee exited with non-zero: " << code;
return 4; // e.g. normal child error
}
LOG(INFO) << "Sandboxee finished: " << result.ToString();
printf("0x%08x\n", crc4);
return EXIT_SUCCESS;
}