author | Philipp Wollermann <philwo@google.com> | 2017-03-24 09:47:11 +0000 |
committer | Yue Gan <yueg@google.com> | 2017-03-24 12:20:06 +0000 |
commit | 3e2329a73ffd5d60e5e2babe60ebe5bf322c07da (patch) | |
tree | b1a66c81c4e59eedc84fb28bc8a02ec68fe3ed73 /src/main/tools | |
parent | 2879971666e0cc3f1f24ae91b88c4400af77e7f3 (diff) |
sandbox: Remove the flag --sandbox_block_path.
It is in the way of optimizing the performance of the sandbox, because
it requires us to create two helper files (an unreadable file and an
unreadable directory) which are bind-mounted on top of paths specified
via this flag. These two helper files were created on a tmpfs mounted by
the sandbox until now, which ensured that they were automatically
deleted on exit. However, mounting tmpfs on /dev/shm or /tmp causes
issues like #2686 or #1882.
By removing this flag, we can get rid of the two helper files, which
means we can also remove the reliance on a "sandbox temp directory"
completely in the next change.
--
PiperOrigin-RevId: 151107496
MOS_MIGRATED_REVID=151107496
Diffstat (limited to 'src/main/tools')
-rw-r--r-- | src/main/tools/linux-sandbox-options.cc | 8 | ||||
-rw-r--r-- | src/main/tools/linux-sandbox-options.h | 2 | ||||
-rw-r--r-- | src/main/tools/linux-sandbox-pid1.cc | 47 | ||||
-rw-r--r-- | src/main/tools/linux-sandbox.cc | 2 |
4 files changed, 1 insertions, 58 deletions
diff --git a/src/main/tools/linux-sandbox-options.cc b/src/main/tools/linux-sandbox-options.cc
index 7db09f0dd8..3bd9a7e243 100644
--- a/src/main/tools/linux-sandbox-options.cc
+++ b/src/main/tools/linux-sandbox-options.cc
@@ -66,8 +66,6 @@ static void Usage(char *program_name, const char *fmt, ...) {
 " -L <file> redirect stderr to a file\n"
 " -w <file> make a file or directory writable for the sandboxed "
 "process\n"
- " -i <file> make a file or directory inaccessible for the "
- "sandboxed process\n"
 " -e <dir> mount an empty tmpfs on a directory\n"
 " -M/-m <source/target> directory to mount inside the sandbox\n"
 " Multiple directories can be specified and each of them will be "
@@ -126,7 +124,7 @@ static void ParseCommandLine(unique_ptr<vector<char *>> args) {
 bool source_specified;
 
 while ((c = getopt(args->size(), args->data(),
- ":CS:W:T:t:l:L:w:i:e:M:m:HNRD")) != -1) {
+ ":CS:W:T:t:l:L:w:e:M:m:HNRD")) != -1) {
 if (c != 'M' && c != 'm') source_specified = false;
 switch (c) {
 case 'C':
@@ -183,10 +181,6 @@ static void ParseCommandLine(unique_ptr<vector<char *>> args) {
 ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c));
 opt.writable_files.push_back(strdup(optarg));
 break;
- case 'i':
- ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c));
- opt.inaccessible_files.push_back(strdup(optarg));
- break;
 case 'e':
 ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c));
 opt.tmpfs_dirs.push_back(strdup(optarg));
diff --git a/src/main/tools/linux-sandbox-options.h b/src/main/tools/linux-sandbox-options.h
index 342ed12c97..6f57eba3a4 100644
--- a/src/main/tools/linux-sandbox-options.h
+++ b/src/main/tools/linux-sandbox-options.h
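Review bot: The new getopt option string `":CS:W:T:t:l:L:w:e:M:m:HNRD"` carries no comment tying it to the Usage() text and the `switch` cases, which this same commit had to edit in step in the two other hunks of this file; a one-line `// Keep in sync with the Usage() text above and the switch below.` above `while` would make the next option change less likely to miss one of the three places. With `i:` gone, a caller still passing `-i` now reaches getopt's unknown-option path instead of the removed case; whether that reports the offending flag depends on the `?`/`:` handling, which lies outside the hunk. The hunk's context also shows `bool source_specified;` declared without an initializer and only assigned inside the loop, so a `-m` seen before any `-M` presumably reads it uninitialized — pre-existing rather than introduced here, but `bool source_specified = false;` would be cheap while the function is being touched. ParseCommandLine begins and ends outside the hunk.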
@@ -36,8 +36,6 @@ struct Options {
 const char *stderr_path;
 // Files or directories to make writable for the sandboxed process (-w)
 std::vector<const char *> writable_files;
- // Files or directories to make inaccessible for the sandboxed process (-i)
- std::vector<const char *> inaccessible_files;
 // Directories where to mount an empty tmpfs (-e)
 std::vector<const char *> tmpfs_dirs;
 // Source of files or directories to explicitly bind mount in the sandbox (-M)
diff --git a/src/main/tools/linux-sandbox-pid1.cc b/src/main/tools/linux-sandbox-pid1.cc
index 2aba1273bf..0be62d9e5f 100644
--- a/src/main/tools/linux-sandbox-pid1.cc
+++ b/src/main/tools/linux-sandbox-pid1.cc
@@ -55,8 +55,6 @@
 #include <unistd.h>
 
 static int global_child_pid;
-static char global_inaccessible_directory[] = "tmp/empty.XXXXXX";
-static char global_inaccessible_file[] = "tmp/empty.XXXXXX";
 
 static void SetupSelfDestruction(int *sync_pipe) {
 // We could also poll() on the pipe fd to find out when the parent goes away,
@@ -147,26 +145,6 @@ static void SetupUtsNamespace() {
 }
 }
 
-static void SetupHelperFiles() {
- if (mkdtemp(global_inaccessible_directory) == NULL) {
- DIE("mkdtemp(%s)", global_inaccessible_directory);
- }
- if (chmod(global_inaccessible_directory, 0) < 0) {
- DIE("chmod(%s, 0)", global_inaccessible_directory);
- }
-
- int handle = mkstemp(global_inaccessible_file);
- if (handle < 0) {
- DIE("mkstemp(%s)", global_inaccessible_file);
- }
- if (fchmod(handle, 0)) {
- DIE("fchmod(%s, 0)", global_inaccessible_file);
- }
- if (close(handle) < 0) {
- DIE("close(%s)", global_inaccessible_file);
- }
-}
-
 // Recursively creates the file or directory specified in "path" and its parent
 // directories.
 static int CreateTarget(const char *path, bool is_directory) {
@@ -265,31 +243,6 @@ static void MountFilesystems() {
 writable_file + 1);
 }
 }
-
- SetupHelperFiles();
-
- for (const char *inaccessible_file : opt.inaccessible_files) {
- struct stat sb;
- if (stat(inaccessible_file, &sb) < 0) {
- DIE("stat(%s)", inaccessible_file);
- }
-
- if (S_ISDIR(sb.st_mode)) {
- PRINT_DEBUG("inaccessible dir: %s", inaccessible_file);
- if (mount(global_inaccessible_directory, inaccessible_file + 1, NULL,
- MS_BIND, NULL) < 0) {
- DIE("mount(%s, %s, NULL, MS_BIND, NULL)", global_inaccessible_directory,
- inaccessible_file + 1);
- }
- } else {
- PRINT_DEBUG("inaccessible file: %s", inaccessible_file);
- if (mount(global_inaccessible_file, inaccessible_file + 1, NULL, MS_BIND,
- NULL) < 0) {
- DIE("mount(%s, %s, NULL, MS_BIND, NULL", global_inaccessible_file,
- inaccessible_file + 1);
- }
- }
- }
 }
 
 // We later remount everything read-only, except the paths for which this method
diff --git a/src/main/tools/linux-sandbox.cc b/src/main/tools/linux-sandbox.cc
index e450ccdd0d..799ece4ebb 100644
--- a/src/main/tools/linux-sandbox.cc
+++ b/src/main/tools/linux-sandbox.cc
@@ -20,8 +20,6 @@
 * - The working directory (-W) will be made read-write, though.
 * - Individual files or directories can be made writable (but not deletable)
 * (-w).
- * - Individual files or directories can be made inaccessible / unreadable * (-i).
 * - tmpfs will be mounted on /tmp.
 * - tmpfs can be mounted on top of existing directories (-e), too.
 * - If the process takes longer than the timeout (-T), it will be killed with |