author | Oliver Kunz <okunz@google.com> | 2023-12-14 00:47:34 -0800 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-12-14 00:48:21 -0800 |
commit | 1255f5710803670efd14ca2f5c260d3485a3e924 (patch) | |
tree | 2ff00e5a309c3e330e99123cc8c4faf86491a722 | |
parent | 0a992b683f107813455e029695baa9b6d7063e36 (diff) | |
download | sandboxed-api-1255f5710803670efd14ca2f5c260d3485a3e924.tar.gz |
Provide an option to use the unotify monitor instead of the ptrace monitor.
PiperOrigin-RevId: 590847415
Change-Id: I45b1c392e108694f990a9762a2077e19d72f7b05
-rw-r--r-- | sandboxed_api/sandbox.cc | 8 | ||||
-rw-r--r-- | sandboxed_api/sandbox.h | 2 | ||||
-rw-r--r-- | sandboxed_api/sapi_test.cc | 19 |
3 files changed, 27 insertions, 2 deletions
diff --git a/sandboxed_api/sandbox.cc b/sandboxed_api/sandbox.cc
index 5f0f9e6..5541b75 100644
--- a/sandboxed_api/sandbox.cc
+++ b/sandboxed_api/sandbox.cc
@@ -139,7 +139,7 @@ static std::string PathToSAPILib(const std::string& lib_path) {
                                         : GetDataDependencyFilePath(lib_path);
 }
 
-absl::Status Sandbox::Init() {
+absl::Status Sandbox::Init(bool use_unotify_monitor) {
   // It's already initialized
   if (is_active()) {
     return absl::OkStatus();
@@ -188,6 +188,9 @@ absl::Status Sandbox::Init() {
 
   sandbox2::PolicyBuilder policy_builder;
   InitDefaultPolicyBuilder(&policy_builder);
+  if (use_unotify_monitor) {
+    policy_builder.CollectStacktracesOnSignal(false);
+  }
   auto s2p = ModifyPolicy(&policy_builder);
 
   // Spawn new process from the forkserver.
@@ -208,6 +211,9 @@ absl::Status Sandbox::Init() {
 
   s2_ = std::make_unique<sandbox2::Sandbox2>(std::move(executor),
                                              std::move(s2p), CreateNotifier());
+  if (use_unotify_monitor) {
+    SAPI_RETURN_IF_ERROR(s2_->EnableUnotifyMonitor());
+  }
   s2_awaited_ = false;
   auto res = s2_->RunAsync();
 
diff --git a/sandboxed_api/sandbox.h b/sandboxed_api/sandbox.h
index 577144e..b691e08 100644
--- a/sandboxed_api/sandbox.h
+++ b/sandboxed_api/sandbox.h
@@ -52,7 +52,7 @@ class Sandbox {
   virtual ~Sandbox();
 
   // Initializes a new sandboxing session.
-  absl::Status Init();
+  absl::Status Init(bool use_unotify_monitor = false);
 
   // Returns whether the current sandboxing session is active.
   bool is_active() const;
diff --git a/sandboxed_api/sapi_test.cc b/sandboxed_api/sapi_test.cc
index 5f66f2c..6aa25ab 100644
--- a/sandboxed_api/sapi_test.cc
+++ b/sandboxed_api/sapi_test.cc
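Review bot: The monitor choice exists only as Init's parameter; nothing in this hunk stores it, so a session created again later would presumably come up on the default ptrace monitor unless the caller passes the flag a second time. The test added in this commit calls `sandbox.Restart(false)` after the violation, and Restart's implementation is not in the diff, so it is unclear whether the restarted sandboxee is still supervised by the unotify monitor. Recording the choice, e.g. `use_unotify_monitor_ = use_unotify_monitor;` near the top of Init (with a `bool use_unotify_monitor_ = false;` member in sandbox.h), and having Restart reuse it would make the selection stick for the session. Init's body continues outside the hunk.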
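Review bot: The reason for turning off `CollectStacktracesOnSignal` when the unotify monitor is selected is not recorded, and it is a diagnostics trade-off the next reader will want explained, since a policy violation under this mode will be reported without the stack trace the ptrace path provides. Presumably stack-trace collection depends on the ptrace-based monitor and is unavailable under unotify; if so, a comment such as `// The unotify monitor does not ptrace the sandboxee, so stack traces cannot be collected on signals.` would say so. It is also worth confirming that this is the only policy setting that conflicts with the unotify monitor, as no other builder option is adjusted here. Init's body continues outside the hunk.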
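Review bot: If `EnableUnotifyMonitor()` fails, `SAPI_RETURN_IF_ERROR` leaves `s2_` holding the Sandbox2 constructed on the line just above, and `s2_awaited_` is never reset. Should `is_active()` (not in the diff) be derived from `s2_`, a subsequent `Init()` would take the "already initialized" early return at the top of the function and report success for a session that never started. Clearing `s2_` before propagating the error keeps the object in its pre-Init state; the rewritten lines are below. Init's body continues outside the hunk.
```cpp
  s2_ = std::make_unique<sandbox2::Sandbox2>(std::move(executor),
                                             std::move(s2p), CreateNotifier());
  if (use_unotify_monitor) {
    // Drop the half-built session so a later Init() does not treat it as active.
    if (auto status = s2_->EnableUnotifyMonitor(); !status.ok()) {
      s2_.reset();
      return status;
    }
  }
  // … unchanged: s2_awaited_ reset and RunAsync() …
```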
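Review bot: The comment above `Init` still reads `// Initializes a new sandboxing session.` and says nothing about the new parameter, which is the only place a caller learns what the bool changes. Suggest extending it to `// Initializes a new sandboxing session. With use_unotify_monitor set, the sandboxee is supervised by the seccomp user-notification monitor instead of ptrace, and stack traces are not collected on signals.` The stack-trace part follows from the `CollectStacktracesOnSignal(false)` call this commit adds in sandbox.cc. A bare bool is also easy to misread at call sites; the new test has to spell it `/*use_unotify_monitor=*/true`, which an `enum class` parameter would make self-documenting.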
@@ -284,5 +284,24 @@ TEST(SandboxTest, NoRaceInConcurrentTerminate) {
   EXPECT_THAT(result.final_status(), Eq(sandbox2::Result::EXTERNAL_KILL));
 }
 
+TEST(SandboxTest, UseUnotifyMonitor) {
+  SumSandbox sandbox;
+  ASSERT_THAT(sandbox.Init(/*use_unotify_monitor=*/true), IsOk());
+  SumApi api(&sandbox);
+
+  // Violate the sandbox policy.
+  EXPECT_THAT(api.violate(), StatusIs(absl::StatusCode::kUnavailable));
+  EXPECT_THAT(api.sum(1, 2).status(), StatusIs(absl::StatusCode::kUnavailable));
+  EXPECT_THAT(sandbox.AwaitResult().final_status(),
+              Eq(sandbox2::Result::VIOLATION));
+
+  // Restart the sandbox.
+  ASSERT_THAT(sandbox.Restart(false), IsOk());
+
+  // The sandbox should now be responsive again.
+  SAPI_ASSERT_OK_AND_ASSIGN(int result, api.sum(1, 2));
+  EXPECT_THAT(result, Eq(3));
+}
+
 }  // namespace
 }  // namespace sapi
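Review bot: Nothing in the new test distinguishes the unotify path from the default one: a violation surfacing as `kUnavailable` and `Result::VIOLATION`, followed by a working `Restart`, is the same behaviour the ptrace-monitor tests in this file observe, so an `Init` that silently ignored `use_unotify_monitor` would still pass. If Sandbox2 exposes which monitor is in effect, assert it right after `Init` (and again after `Restart(false)`); otherwise a comment such as `// Only checks that violations are still caught under the unotify monitor; the monitor type itself is not observable here.` would set expectations for the next reader. A successful `api.sum(1, 2)` before `api.violate()` would additionally show that the unotify monitor passes allowed syscalls through, not only that it kills on violation.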