Add hooks to run code in the child process before and after setting up the sandbox #37
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Parallelizing the forbidden_syscalls test exposes the bug and also reduces test time on my 4-core Skylake laptop: Before: [roc@glory gaol]$ time target/debug/deps/forbidden_syscalls-6fdc4dd40a646c6f real 0m41.322s user 0m0.590s sys 0m1.452s After: [roc@glory gaol]$ time target/debug/deps/forbidden_syscalls-6fdc4dd40a646c6f real 0m14.915s user 0m0.248s sys 0m0.980s
Author
|
Github isn't showing the commits in the correct order for some reason. My branch has them in the correct order. |
9770d61 to
00a0adf
Compare
glibc uses this during process startup.
glibc uses this during startup
Sandboxed processes should be able to use these to reduce their limits. In a future commit we will turn all soft limits into hard limits so it's impossible for a sandboxed child to increase any of its limits. glibc uses prlimit64 during startup.
time/gettimeofday are generally called through the vDSO without entering the kernel so blocking them with seccomp doesn't really work anyway. Having sandboxed children fail only when the vDSO is disabled (e.g. when running under rr) is a problem.
…ironment This commit is a bit oversized... adding support for these callbacks required creating a way to pass errors back to the parent process, which inspired fixing the error handling in start(), which uncovered some bugs in start(): * Immediate child process leaked as a zombie * pipe_fds[0] leaked in parent * pipe_fds[1] leaked into grandchild
00a0adf to
07761bc
Compare
Author
|
BTW the current patches don't support |
|
☔ The latest upstream changes (presumably #51) made this pull request unmergeable. Please resolve the merge conflicts. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I have two needs not currently supported by
gaol:prctl(PR_SET_PDEATHSIG)and to set up stdio redirection.I think these should be supported by providing hooks similar to
std::os::unix::process::CommandExt::before_exec. I've named thembefore_sandboxandbefore_exec. On Linux abefore_exechook can callChildSandbox::activateand do extra setup work after entering the sandbox, if desired (e.g. configuring the new namespaces).To get this to work I had to fix a number of bugs and other issues. In particular, to test that
ChildSandbox::activateworks inbefore_execI had to make it possible to start a glibc-based process in the Linux sandbox, which meant addingOperation::CreateNewProcessesand whitelisting some more system calls. I also had to make substantial fixes the error handling in Linux'sstart().The Mac support doesn't propagate errors from
before_sandbox/before_execbecause I didn't want to try to write that code without being able to test it.