sandbox: Remove the flag --sandbox_block_path.

It is in the way of optimizing the performance of the sandbox, because it requires us to create two helper files (an unreadable file and an unreadable directory) which are bind-mounted on top of paths specified via this flag. These two helper files were created on a tmpfs mounted by the sandbox until now, which ensured that they were automatically deleted on exit. However, mounting tmpfs on /dev/shm or /tmp causes issues like #2686 or #1882. By removing this flag, we can get rid of the two helper files, which means we can also remove the reliance on a "sandbox temp directory" completely in the next change. -- PiperOrigin-RevId: 151107496 MOS_MIGRATED_REVID=151107496
author: Philipp Wollermann <philwo@google.com> 2017-03-24 09:47:11 +0000
committer: Yue Gan <yueg@google.com> 2017-03-24 12:20:06 +0000
commit: 3e2329a73ffd5d60e5e2babe60ebe5bf322c07da (patch)
tree: b1a66c81c4e59eedc84fb28bc8a02ec68fe3ed73 /src/main/tools
parent: 2879971666e0cc3f1f24ae91b88c4400af77e7f3 (diff)
4 files changed, 1 insertions, 58 deletions
diff --git a/src/main/tools/linux-sandbox-options.cc b/src/main/tools/linux-sandbox-options.cc
index 7db09f0dd8..3bd9a7e243 100644
--- a/src/main/tools/linux-sandbox-options.cc
+++ b/src/main/tools/linux-sandbox-options.cc
@@ -66,8 +66,6 @@ static void Usage(char *program_name, const char *fmt, ...) {
           "  -L <file>  redirect stderr to a file\n"
           "  -w <file>  make a file or directory writable for the sandboxed "
           "process\n"
-          "  -i <file>  make a file or directory inaccessible for the "
-          "sandboxed process\n"
           "  -e <dir>  mount an empty tmpfs on a directory\n"
           "  -M/-m <source/target>  directory to mount inside the sandbox\n"
           "    Multiple directories can be specified and each of them will be "
@@ -126,7 +124,7 @@ static void ParseCommandLine(unique_ptr<vector<char *>> args) {
   bool source_specified;
 
   while ((c = getopt(args->size(), args->data(),
-                     ":CS:W:T:t:l:L:w:i:e:M:m:HNRD")) != -1) {
+                     ":CS:W:T:t:l:L:w:e:M:m:HNRD")) != -1) {
     if (c != 'M' && c != 'm') source_specified = false;
     switch (c) {
       case 'C':
@@ -183,10 +181,6 @@ static void ParseCommandLine(unique_ptr<vector<char *>> args) {
         ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c));
         opt.writable_files.push_back(strdup(optarg));
         break;
-      case 'i':
-        ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c));
-        opt.inaccessible_files.push_back(strdup(optarg));
-        break;
       case 'e':
         ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c));
         opt.tmpfs_dirs.push_back(strdup(optarg));
diff --git a/src/main/tools/linux-sandbox-options.h b/src/main/tools/linux-sandbox-options.h
index 342ed12c97..6f57eba3a4 100644
--- a/src/main/tools/linux-sandbox-options.h
+++ b/src/main/tools/linux-sandbox-options.h
@@ -36,8 +36,6 @@ struct Options {
   const char *stderr_path;
   // Files or directories to make writable for the sandboxed process (-w)
   std::vector<const char *> writable_files;
-  // Files or directories to make inaccessible for the sandboxed process (-i)
-  std::vector<const char *> inaccessible_files;
   // Directories where to mount an empty tmpfs (-e)
   std::vector<const char *> tmpfs_dirs;
   // Source of files or directories to explicitly bind mount in the sandbox (-M)
diff --git a/src/main/tools/linux-sandbox-pid1.cc b/src/main/tools/linux-sandbox-pid1.cc
index 2aba1273bf..0be62d9e5f 100644
--- a/src/main/tools/linux-sandbox-pid1.cc
+++ b/src/main/tools/linux-sandbox-pid1.cc
@@ -55,8 +55,6 @@
 #include <unistd.h>
 
 static int global_child_pid;
-static char global_inaccessible_directory[] = "tmp/empty.XXXXXX";
-static char global_inaccessible_file[] = "tmp/empty.XXXXXX";
 
 static void SetupSelfDestruction(int *sync_pipe) {
   // We could also poll() on the pipe fd to find out when the parent goes away,
@@ -147,26 +145,6 @@ static void SetupUtsNamespace() {
   }
 }
 
-static void SetupHelperFiles() {
-  if (mkdtemp(global_inaccessible_directory) == NULL) {
-    DIE("mkdtemp(%s)", global_inaccessible_directory);
-  }
-  if (chmod(global_inaccessible_directory, 0) < 0) {
-    DIE("chmod(%s, 0)", global_inaccessible_directory);
-  }
-
-  int handle = mkstemp(global_inaccessible_file);
-  if (handle < 0) {
-    DIE("mkstemp(%s)", global_inaccessible_file);
-  }
-  if (fchmod(handle, 0)) {
-    DIE("fchmod(%s, 0)", global_inaccessible_file);
-  }
-  if (close(handle) < 0) {
-    DIE("close(%s)", global_inaccessible_file);
-  }
-}
-
 // Recursively creates the file or directory specified in "path" and its parent
 // directories.
 static int CreateTarget(const char *path, bool is_directory) {
@@ -265,31 +243,6 @@ static void MountFilesystems() {
           writable_file + 1);
     }
   }
-
-  SetupHelperFiles();
-
-  for (const char *inaccessible_file : opt.inaccessible_files) {
-    struct stat sb;
-    if (stat(inaccessible_file, &sb) < 0) {
-      DIE("stat(%s)", inaccessible_file);
-    }
-
-    if (S_ISDIR(sb.st_mode)) {
-      PRINT_DEBUG("inaccessible dir: %s", inaccessible_file);
-      if (mount(global_inaccessible_directory, inaccessible_file + 1, NULL,
-                MS_BIND, NULL) < 0) {
-        DIE("mount(%s, %s, NULL, MS_BIND, NULL)", global_inaccessible_directory,
-            inaccessible_file + 1);
-      }
-    } else {
-      PRINT_DEBUG("inaccessible file: %s", inaccessible_file);
-      if (mount(global_inaccessible_file, inaccessible_file + 1, NULL, MS_BIND,
-                NULL) < 0) {
-        DIE("mount(%s, %s, NULL, MS_BIND, NULL", global_inaccessible_file,
-            inaccessible_file + 1);
-      }
-    }
-  }
 }
 
 // We later remount everything read-only, except the paths for which this method
diff --git a/src/main/tools/linux-sandbox.cc b/src/main/tools/linux-sandbox.cc
index e450ccdd0d..799ece4ebb 100644
--- a/src/main/tools/linux-sandbox.cc
+++ b/src/main/tools/linux-sandbox.cc
@@ -20,8 +20,6 @@
  *  - The working directory (-W) will be made read-write, though.
  *  - Individual files or directories can be made writable (but not deletable)
  *    (-w).
- *  - Individual files or directories can be made inaccessible / unreadable
- *    (-i).
  *  - tmpfs will be mounted on /tmp.
  *  - tmpfs can be mounted on top of existing directories (-e), too.
  *  - If the process takes longer than the timeout (-T), it will be killed with
author	Philipp Wollermann <philwo@google.com>	2017-03-24 09:47:11 +0000
committer	Yue Gan <yueg@google.com>	2017-03-24 12:20:06 +0000
commit	3e2329a73ffd5d60e5e2babe60ebe5bf322c07da (patch)
tree	b1a66c81c4e59eedc84fb28bc8a02ec68fe3ed73 /src/main/tools
parent	2879971666e0cc3f1f24ae91b88c4400af77e7f3 (diff)