// Copyright 2019 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // https://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. #ifndef SANDBOXED_API_SANDBOX2_EXECUTOR_H_ #define SANDBOXED_API_SANDBOX2_EXECUTOR_H_ #include #include #include #include #include #include "absl/base/macros.h" #include "absl/log/check.h" #include "absl/log/log.h" #include "absl/status/statusor.h" #include "absl/strings/string_view.h" #include "absl/types/span.h" #include "sandboxed_api/sandbox2/fork_client.h" #include "sandboxed_api/sandbox2/forkserver.pb.h" #include "sandboxed_api/sandbox2/ipc.h" #include "sandboxed_api/sandbox2/limits.h" #include "sandboxed_api/sandbox2/namespace.h" #include "sandboxed_api/util/fileops.h" namespace sandbox2 { // The sandbox2::Executor class is responsible for both creating and executing // new processes which will be sandboxed. class Executor final { public: Executor(const Executor&) = delete; Executor& operator=(const Executor&) = delete; // Initialized with a path to the process that the Executor class will // execute Executor( absl::string_view path, absl::Span argv, absl::Span envp = absl::MakeConstSpan(CopyEnviron())) : path_(std::string(path)), argv_(argv.begin(), argv.end()), envp_(envp.begin(), envp.end()) { CHECK(!path_.empty()); SetUpServerSideCommsFd(); } // Executor will own this file-descriptor, so if intend to use it, pass here // dup(fd) instead Executor( int exec_fd, absl::Span argv, absl::Span envp = absl::MakeConstSpan(CopyEnviron())) : exec_fd_(exec_fd), argv_(argv.begin(), argv.end()), envp_(envp.begin(), envp.end()) { CHECK_GE(exec_fd, 0); SetUpServerSideCommsFd(); } // Uses a custom ForkServer (which the supplied ForkClient can communicate // with), which knows how to fork (or even execute) new sandboxed processes // (hence, no need to supply path/argv/envp here) explicit Executor(ForkClient* fork_client) : enable_sandboxing_pre_execve_(false), fork_client_(fork_client) { CHECK(fork_client != nullptr); SetUpServerSideCommsFd(); } // Creates a new process which will act as a custom ForkServer. Should be used // with custom fork servers only. // This function returns immediately and returns a nullptr on failure. std::unique_ptr StartForkServer(); // Accessors IPC* ipc() { return &ipc_; } Limits* limits() { return &limits_; } Executor& set_enable_sandbox_before_exec(bool value) { enable_sandboxing_pre_execve_ = value; return *this; } Executor& set_cwd(std::string value) { cwd_ = std::move(value); return *this; } int libunwind_recursion_depth() { return libunwind_recursion_depth_; } private: friend class MonitorBase; friend class PtraceMonitor; friend class StackTracePeer; // Internal constructor for executing libunwind on the given pid // enable_sandboxing_pre_execve=false as we are not going to execve. explicit Executor(pid_t libunwind_sbox_for_pid, int libunwind_recursion_depth) : libunwind_sbox_for_pid_(libunwind_sbox_for_pid), libunwind_recursion_depth_(libunwind_recursion_depth), enable_sandboxing_pre_execve_(false) { CHECK_GE(libunwind_sbox_for_pid_, 0); SetUpServerSideCommsFd(); } // Creates a copy of the environment static std::vector CopyEnviron(); // Creates a server-side Comms end-point using a pre-connected file // descriptor. void SetUpServerSideCommsFd(); // Starts a new process which is connected with this Executor instance via a // Comms channel. // For clone_flags refer to Linux' 'man 2 clone'. absl::StatusOr StartSubProcess( int clone_flags, const Namespace* ns = nullptr, MonitorType type = FORKSERVER_MONITOR_PTRACE); // Whether the Executor has been started yet bool started_ = false; // If this executor is running the libunwind sandbox for a process, // this variable will hold the PID of the process. Otherwise it is zero. pid_t libunwind_sbox_for_pid_ = 0; int libunwind_recursion_depth_ = 0; // Should the sandboxing be enabled before execve() occurs, or the binary will // do it by itself, using the Client object's methods bool enable_sandboxing_pre_execve_ = true; // Alternate (path/fd)/argv/envp to be used the in the __NR_execve call. sapi::file_util::fileops::FDCloser exec_fd_; std::string path_; std::vector argv_; std::vector envp_; // chdir to cwd_, if set. Defaults to current working directory. std::string cwd_ = []() { std::string cwd = sapi::file_util::fileops::GetCWD(); if (cwd.empty()) { PLOG(WARNING) << "Getting current working directory"; } return cwd; }(); // Client (sandboxee) end-point of a socket-pair used to create Comms channel sapi::file_util::fileops::FDCloser client_comms_fd_; // ForkClient connecting to the ForkServer - not owned by the object ForkClient* fork_client_ = nullptr; IPC ipc_; // Used for communication with the sandboxee Limits limits_; // Defines server- and client-side limits }; } // namespace sandbox2 #endif // SANDBOXED_API_SANDBOX2_EXECUTOR_H_