Google Git
Sign in
android / platform / external / sandboxed-api / refs/heads/android15-tests-dev / . / sandboxed_api / sandbox2 / executor.h
blob: 6f0ba0e7ba778d5ce6e7df249717c1b43c93ce7a [file] [log] [blame] [edit]
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_EXECUTOR_H_
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
#include <unistd.h>
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include "absl/base/macros.h"
#include "absl/log/check.h"
#include "absl/log/log.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include "absl/types/span.h"
#include "sandboxed_api/sandbox2/fork_client.h"
#include "sandboxed_api/sandbox2/forkserver.pb.h"
#include "sandboxed_api/sandbox2/ipc.h"
#include "sandboxed_api/sandbox2/limits.h"
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/util/fileops.h"
namespace sandbox2 {
// The sandbox2::Executor class is responsible for both creating and executing
// new processes which will be sandboxed.
class Executor final {
public:
Executor(const Executor&) = delete;
Executor& operator=(const Executor&) = delete;
// Initialized with a path to the process that the Executor class will
// execute
Executor(
absl::string_view path, absl::Span<const std::string> argv,
absl::Span<const std::string> envp = absl::MakeConstSpan(CopyEnviron()))
: path_(std::string(path)),
argv_(argv.begin(), argv.end()),
envp_(envp.begin(), envp.end()) {
CHECK(!path_.empty());
SetUpServerSideCommsFd();
}
// Executor will own this file-descriptor, so if intend to use it, pass here
// dup(fd) instead
Executor(
int exec_fd, absl::Span<const std::string> argv,
absl::Span<const std::string> envp = absl::MakeConstSpan(CopyEnviron()))
: exec_fd_(exec_fd),
argv_(argv.begin(), argv.end()),
envp_(envp.begin(), envp.end()) {
CHECK_GE(exec_fd, 0);
SetUpServerSideCommsFd();
}
// Uses a custom ForkServer (which the supplied ForkClient can communicate
// with), which knows how to fork (or even execute) new sandboxed processes
// (hence, no need to supply path/argv/envp here)
explicit Executor(ForkClient* fork_client)
: enable_sandboxing_pre_execve_(false), fork_client_(fork_client) {
CHECK(fork_client != nullptr);
SetUpServerSideCommsFd();
}
// Creates a new process which will act as a custom ForkServer. Should be used
// with custom fork servers only.
// This function returns immediately and returns a nullptr on failure.
std::unique_ptr<ForkClient> StartForkServer();
// Accessors
IPC* ipc() { return &ipc_; }
Limits* limits() { return &limits_; }
Executor& set_enable_sandbox_before_exec(bool value) {
enable_sandboxing_pre_execve_ = value;
return *this;
}
Executor& set_cwd(std::string value) {
cwd_ = std::move(value);
return *this;
}
int libunwind_recursion_depth() { return libunwind_recursion_depth_; }
private:
friend class MonitorBase;
friend class PtraceMonitor;
friend class StackTracePeer;
// Internal constructor for executing libunwind on the given pid
// enable_sandboxing_pre_execve=false as we are not going to execve.
explicit Executor(pid_t libunwind_sbox_for_pid, int libunwind_recursion_depth)
: libunwind_sbox_for_pid_(libunwind_sbox_for_pid),
libunwind_recursion_depth_(libunwind_recursion_depth),
enable_sandboxing_pre_execve_(false) {
CHECK_GE(libunwind_sbox_for_pid_, 0);
SetUpServerSideCommsFd();
}
// Creates a copy of the environment
static std::vector<std::string> CopyEnviron();
// Creates a server-side Comms end-point using a pre-connected file
// descriptor.
void SetUpServerSideCommsFd();
// Starts a new process which is connected with this Executor instance via a
// Comms channel.
// For clone_flags refer to Linux' 'man 2 clone'.
absl::StatusOr<SandboxeeProcess> StartSubProcess(
int clone_flags, const Namespace* ns = nullptr,
MonitorType type = FORKSERVER_MONITOR_PTRACE);
// Whether the Executor has been started yet
bool started_ = false;
// If this executor is running the libunwind sandbox for a process,
// this variable will hold the PID of the process. Otherwise it is zero.
pid_t libunwind_sbox_for_pid_ = 0;
int libunwind_recursion_depth_ = 0;
// Should the sandboxing be enabled before execve() occurs, or the binary will
// do it by itself, using the Client object's methods
bool enable_sandboxing_pre_execve_ = true;
// Alternate (path/fd)/argv/envp to be used the in the __NR_execve call.
sapi::file_util::fileops::FDCloser exec_fd_;
std::string path_;
std::vector<std::string> argv_;
std::vector<std::string> envp_;
// chdir to cwd_, if set. Defaults to current working directory.
std::string cwd_ = []() {
std::string cwd = sapi::file_util::fileops::GetCWD();
if (cwd.empty()) {
PLOG(WARNING) << "Getting current working directory";
}
return cwd;
}();
// Client (sandboxee) end-point of a socket-pair used to create Comms channel
sapi::file_util::fileops::FDCloser client_comms_fd_;
// ForkClient connecting to the ForkServer - not owned by the object
ForkClient* fork_client_ = nullptr;
IPC ipc_; // Used for communication with the sandboxee
Limits limits_; // Defines server- and client-side limits
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_EXECUTOR_H_