sandboxed-api/sandboxed_api/sandbox2/BUILD.bazel
Kevin Hamacher aea8bb2ed0 Automated rollback of commit 2036f5b2f0.
PiperOrigin-RevId: 395893427
Change-Id: Iabd32de9cd83de5cc8567834e1f91e48c521ac60
2021-09-10 03:34:44 -07:00

874 lines
24 KiB
Python

# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Description: sandbox2 is a C++ sandbox technology for Linux.
load("//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
load("//sandboxed_api/bazel:embed_data.bzl", "sapi_cc_embed_data")
load("//sandboxed_api/bazel:proto.bzl", "sapi_proto_library")
package(default_visibility = ["//sandboxed_api:__subpackages__"])
licenses(["notice"]) # Apache 2.0
exports_files(["testdata/hostname"])
cc_library(
name = "bpfdisassembler",
srcs = ["bpfdisassembler.cc"],
hdrs = ["bpfdisassembler.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/types:span",
],
)
cc_library(
name = "regs",
srcs = ["regs.cc"],
hdrs = ["regs.h"],
copts = sapi_platform_copts(),
deps = [
":syscall",
":violation_cc_proto",
"//sandboxed_api:config",
"//sandboxed_api/util:status",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/status",
"@com_google_absl//absl/strings",
],
)
cc_library(
name = "syscall",
srcs = [
"syscall.cc",
"syscall_defs.cc",
"syscall_defs.h",
],
hdrs = ["syscall.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":util",
"//sandboxed_api:config",
"@com_google_absl//absl/algorithm:container",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/types:span",
"@com_google_glog//:glog",
],
)
cc_test(
name = "syscall_test",
srcs = ["syscall_test.cc"],
copts = sapi_platform_copts(),
deps = [
":syscall",
"//sandboxed_api:config",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_library(
name = "result",
srcs = ["result.cc"],
hdrs = ["result.h"],
copts = sapi_platform_copts(),
deps = [
":regs",
":syscall",
":util",
"//sandboxed_api:config",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
],
)
sapi_proto_library(
name = "logserver_proto",
srcs = ["logserver.proto"],
)
cc_library(
name = "logserver",
srcs = ["logserver.cc"],
hdrs = ["logserver.h"],
copts = sapi_platform_copts(),
deps = [
":comms",
":logserver_cc_proto",
"@com_google_glog//:glog",
],
)
cc_library(
name = "logsink",
srcs = ["logsink.cc"],
hdrs = ["logsink.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":comms",
":logserver_cc_proto",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/synchronization",
"@com_google_glog//:glog",
],
)
cc_library(
name = "ipc",
srcs = ["ipc.cc"],
hdrs = ["ipc.h"],
copts = sapi_platform_copts(),
deps = [
":comms",
":logserver",
":logsink",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
],
)
cc_library(
name = "policy",
srcs = ["policy.cc"],
hdrs = ["policy.h"],
copts = sapi_platform_copts(),
deps = [
":bpfdisassembler",
":comms",
":namespace",
":regs",
":syscall",
":violation_cc_proto",
"//sandboxed_api:config",
"//sandboxed_api/sandbox2/network_proxy:filtering",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:flags",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/types:optional",
],
)
cc_library(
name = "notify",
srcs = [],
hdrs = ["notify.h"],
copts = sapi_platform_copts(),
deps = [
":comms",
":result",
":syscall",
],
)
cc_library(
name = "limits",
hdrs = ["limits.h"],
copts = sapi_platform_copts(),
deps = [
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/time",
],
)
cc_binary(
name = "forkserver_bin",
srcs = ["forkserver_bin.cc"],
copts = sapi_platform_copts(),
deps = [
":comms",
":forkserver",
":sanitizer",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/strings",
],
)
sapi_cc_embed_data(
name = "forkserver_bin_embed",
srcs = [":forkserver_bin.stripped"],
)
cc_library(
name = "global_forkserver",
srcs = ["global_forkclient.cc"],
hdrs = ["global_forkclient.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":comms",
":fork_client",
":forkserver_bin_embed",
":forkserver_cc_proto",
":util",
"//sandboxed_api:embed_file",
"//sandboxed_api/util:flags",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/synchronization",
"@com_google_glog//:glog",
],
)
# Use only if Sandbox2 global forkserver has to be started very early on.
# By default the forkserver is started on demand.
cc_library(
name = "start_global_forkserver_lib_constructor",
srcs = ["global_forkclient_lib_ctor.cc"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":fork_client",
":global_forkserver",
"@com_google_absl//absl/base:core_headers",
],
)
cc_library(
name = "executor",
srcs = ["executor.cc"],
hdrs = ["executor.h"],
copts = sapi_platform_copts(),
deps = [
":fork_client",
":forkserver_cc_proto",
":global_forkserver",
":ipc",
":limits",
":namespace",
":util",
"//sandboxed_api/util:fileops",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/types:span",
],
)
# Should not be used in sandboxee code if it only uses sandbox2::Comms and
# sandbox2::Client objects
cc_library(
name = "sandbox2",
srcs = [
"monitor.cc",
"monitor.h",
"policybuilder.cc",
"sandbox2.cc",
"stack_trace.cc",
"stack_trace.h",
],
hdrs = [
"client.h",
"executor.h",
"ipc.h",
"limits.h",
"notify.h",
"policy.h",
"policybuilder.h",
"regs.h",
"result.h",
"sandbox2.h",
"syscall.h",
],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":client",
":comms",
":executor",
":fork_client",
":forkserver_cc_proto",
":global_forkserver",
":ipc",
":limits",
":logsink",
":mounts",
":namespace",
":notify",
":policy",
":regs",
":result",
":sanitizer",
":syscall",
":util",
":violation_cc_proto",
"//sandboxed_api:config",
"//sandboxed_api/sandbox2/network_proxy:client",
"//sandboxed_api/sandbox2/network_proxy:filtering",
"//sandboxed_api/sandbox2/network_proxy:server",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/sandbox2/unwind:unwind_cc_proto",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:file_base",
"//sandboxed_api/util:file_helpers",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:flags",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"//sandboxed_api/util:strerror",
"//sandboxed_api/util:temp_file",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/cleanup",
"@com_google_absl//absl/container:flat_hash_map",
"@com_google_absl//absl/container:flat_hash_set",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/synchronization",
"@com_google_absl//absl/time",
"@com_google_absl//absl/types:optional",
"@com_google_absl//absl/types:span",
"@org_kernel_libcap//:libcap",
],
)
# Should be used in sandboxee code instead of :sandbox2 if it uses just
# sandbox2::Client::SandboxMeHere() and sandbox2::Comms
cc_library(
name = "client",
srcs = ["client.cc"],
hdrs = ["client.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":comms",
":logsink",
":sanitizer",
"//sandboxed_api/sandbox2/network_proxy:client",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/container:flat_hash_map",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
],
)
cc_library(
name = "sanitizer",
srcs = ["sanitizer.cc"],
hdrs = ["sanitizer.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":util",
"//sandboxed_api/util:file_helpers",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/container:flat_hash_set",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_glog//:glog",
],
)
cc_library(
name = "forkserver",
srcs = ["forkserver.cc"],
hdrs = ["forkserver.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":client",
":comms",
":fork_client",
":forkserver_cc_proto",
":namespace",
":policy",
":sanitizer",
":syscall",
":util",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:file_helpers",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/container:flat_hash_map",
"@com_google_absl//absl/container:flat_hash_set",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@org_kernel_libcap//:libcap",
],
)
cc_library(
name = "fork_client",
srcs = ["fork_client.cc"],
hdrs = ["fork_client.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":comms",
":forkserver_cc_proto",
"//sandboxed_api/util:raw_logging",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/synchronization",
],
)
cc_library(
name = "mounts",
srcs = ["mounts.cc"],
hdrs = ["mounts.h"],
copts = sapi_platform_copts(),
deps = [
":mounttree_cc_proto",
"//sandboxed_api:config",
"//sandboxed_api/sandbox2/util:minielf",
"//sandboxed_api/util:file_base",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/container:flat_hash_set",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_protobuf//:protobuf",
],
)
cc_test(
name = "mounts_test",
srcs = ["mounts_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:minimal_dynamic"],
deps = [
":mounts",
"//sandboxed_api:testing",
"//sandboxed_api/util:file_base",
"//sandboxed_api/util:file_helpers",
"//sandboxed_api/util:status_matchers",
"//sandboxed_api/util:temp_file",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_library(
name = "namespace",
srcs = ["namespace.cc"],
hdrs = ["namespace.h"],
copts = sapi_platform_copts(),
deps = [
":mounts",
":mounttree_cc_proto",
":util",
":violation_cc_proto",
"//sandboxed_api/util:file_base",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
],
)
cc_test(
name = "namespace_test",
srcs = ["namespace_test.cc"],
copts = sapi_platform_copts(),
data = [
"//sandboxed_api/sandbox2/testcases:hostname",
"//sandboxed_api/sandbox2/testcases:namespace",
],
deps = [
":comms",
":namespace",
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:status_matchers",
"//sandboxed_api/util:temp_file",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_library(
name = "forkingclient",
srcs = ["forkingclient.cc"],
hdrs = ["forkingclient.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":client",
":comms",
":forkserver",
":sanitizer",
"@com_google_absl//absl/memory",
],
)
cc_library(
name = "util",
srcs = ["util.cc"],
hdrs = ["util.h"],
# The default is 16384, however we need to do a clone with a
# stack-allocated buffer -- and PTHREAD_STACK_MIN also happens to be 16384.
# Thus the slight increase.
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
"//sandboxed_api:config",
"//sandboxed_api/util:file_base",
"//sandboxed_api/util:file_helpers",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
],
)
cc_library(
name = "buffer",
srcs = ["buffer.cc"],
hdrs = ["buffer.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":util",
"//sandboxed_api/util:status",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
],
)
cc_test(
name = "buffer_test",
srcs = ["buffer_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:buffer"],
deps = [
":buffer",
":comms",
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/memory",
"@com_google_googletest//:gtest_main",
],
)
sapi_proto_library(
name = "forkserver_proto",
srcs = ["forkserver.proto"],
copts = sapi_platform_copts(),
deps = [":mounttree_proto"],
)
sapi_proto_library(
name = "mounttree_proto",
srcs = ["mounttree.proto"],
)
cc_library(
name = "comms",
srcs = ["comms.cc"],
hdrs = ["comms.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":util",
"//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:status",
"//sandboxed_api/util:status_cc_proto",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/base:config",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/base:dynamic_annotations",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/synchronization",
"@com_google_protobuf//:protobuf",
],
)
sapi_proto_library(
name = "comms_test_proto",
srcs = ["comms_test.proto"],
)
cc_test(
name = "comms_test",
srcs = ["comms_test.cc"],
copts = sapi_platform_copts(),
deps = [
":comms",
":comms_test_cc_proto",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/container:fixed_array",
"@com_google_absl//absl/strings",
"@com_google_glog//:glog",
"@com_google_googletest//:gtest_main",
"@com_google_protobuf//:protobuf",
],
)
cc_test(
name = "forkserver_test",
srcs = ["forkserver_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:minimal"],
deps = [
":comms",
":forkserver",
":forkserver_cc_proto",
":global_forkserver",
":sandbox2",
"//sandboxed_api:testing",
"@com_google_absl//absl/strings",
"@com_google_glog//:glog",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "limits_test",
srcs = ["limits_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:limits"],
deps = [
":limits",
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/memory",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "notify_test",
srcs = ["notify_test.cc"],
copts = sapi_platform_copts(),
data = [
"//sandboxed_api/sandbox2/testcases:personality",
"//sandboxed_api/sandbox2/testcases:pidcomms",
],
deps = [
":comms",
":regs",
":sandbox2",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "policy_test",
srcs = ["policy_test.cc"],
copts = sapi_platform_copts(),
data = [
"//sandboxed_api/sandbox2/testcases:add_policy_on_syscalls",
"//sandboxed_api/sandbox2/testcases:malloc_system",
"//sandboxed_api/sandbox2/testcases:minimal",
"//sandboxed_api/sandbox2/testcases:minimal_dynamic",
"//sandboxed_api/sandbox2/testcases:policy",
],
deps = [
":limits",
":regs",
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "sandbox2_test",
srcs = ["sandbox2_test.cc"],
copts = sapi_platform_copts(),
data = [
"//sandboxed_api/sandbox2/testcases:abort",
"//sandboxed_api/sandbox2/testcases:minimal",
"//sandboxed_api/sandbox2/testcases:sleep",
"//sandboxed_api/sandbox2/testcases:starve",
"//sandboxed_api/sandbox2/testcases:tsync",
],
tags = ["local"],
deps = [
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "sanitizer_test",
srcs = ["sanitizer_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:sanitizer"],
deps = [
":comms",
":sandbox2",
":sanitizer",
":util",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/container:flat_hash_set",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "util_test",
srcs = ["util_test.cc"],
copts = sapi_platform_copts(),
deps = [
":util",
"//sandboxed_api:testing",
"//sandboxed_api/util:file_base",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "stack_trace_test",
srcs = [
"stack_trace.h",
"stack_trace_test.cc",
],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:symbolize"],
deps = [
":global_forkserver",
":mounts",
":regs",
":sandbox2",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops",
"//sandboxed_api/util:flags",
"//sandboxed_api/util:status_matchers",
"//sandboxed_api/util:temp_file",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
)
cc_test(
name = "ipc_test",
srcs = ["ipc_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:ipc"],
deps = [
":comms",
":sandbox2",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/memory",
"@com_google_googletest//:gtest_main",
],
)
cc_library(
name = "testing",
testonly = 1,
hdrs = ["testing.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = ["//sandboxed_api:testing"],
)
sapi_proto_library(
name = "violation_proto",
srcs = ["violation.proto"],
deps = [":mounttree_proto"],
)
cc_test(
name = "policybuilder_test",
srcs = ["policybuilder_test.cc"],
copts = sapi_platform_copts(),
data = ["//sandboxed_api/sandbox2/testcases:print_fds"],
deps = [
":comms",
":sandbox2",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/status",
"@com_google_absl//absl/status:statusor",
"@com_google_absl//absl/strings",
"@com_google_glog//:glog",
"@com_google_googletest//:gtest_main",
],
)