# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Description: sandbox2 is a C++ sandbox technology for Linux.

load("@com_google_sandboxed_api//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
load("@com_google_sandboxed_api//sandboxed_api/bazel:embed_data.bzl", "sapi_cc_embed_data")
load("@com_google_sandboxed_api//sandboxed_api/bazel:proto.bzl", "sapi_proto_library")

# Targets are visible only to sandboxed_api subpackages unless they set
# `visibility = ["//visibility:public"]` themselves. The public targets are the
# surface other packages can link against, so widening a target's visibility
# is a change to what outside code can reach.
package(default_visibility = ["@com_google_sandboxed_api//sandboxed_api:__subpackages__"])

licenses(["notice"])

cc_library(
    name = "bpfdisassembler",
    srcs = ["bpfdisassembler.cc"],
    hdrs = ["bpfdisassembler.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/types:span",
    ],
)

cc_library(
    name = "bpf_evaluator",
    srcs = ["bpf_evaluator.cc"],
    hdrs = ["bpf_evaluator.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

cc_library(
    name = "regs",
    srcs = ["regs.cc"],
    hdrs = ["regs.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":syscall",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api:config",
    ],
)

# The `no_qemu_user_mode` tag recurs on many tests below; presumably it
# excludes them from runs under QEMU user-mode emulation - confirm against the
# CI configuration, which is not part of this file.
cc_test(
    name = "regs_test",
    srcs = ["regs_test.cc"],
    copts = sapi_platform_copts(),
    tags = ["no_qemu_user_mode"],
    deps = [
        ":regs",
        ":sanitizer",
        ":syscall",
        ":util",
        "@com_google_absl//absl/log:check",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_library(
    name = "syscall",
    srcs = [
        "syscall.cc",
        "syscall_defs.cc",
    ],
    hdrs = [
        "syscall.h",
        "syscall_defs.h",
    ],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":util",
        "@com_google_absl//absl/algorithm:container",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/strings:str_format",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

cc_test(
    name = "syscall_test",
    srcs = ["syscall_test.cc"],
    copts = sapi_platform_copts(),
    tags = ["no_qemu_user_mode"],
    deps = [
        ":syscall",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:config",
    ],
)

cc_library(
    name = "result",
    srcs = ["result.cc"],
    hdrs = ["result.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":regs",
        ":syscall",
        ":util",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api:config",
    ],
)

# `:logserver` and `:logsink` below depend on `:logserver_cc_proto`, which is
# not declared by name in this file; presumably sapi_proto_library generates it
# from this rule - confirm in proto.bzl.
sapi_proto_library(
    name = "logserver_proto",
    srcs = ["logserver.proto"],
)

cc_library(
    name = "logserver",
    srcs = ["logserver.cc"],
    hdrs = ["logserver.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":comms",
        ":logserver_cc_proto",
        "@com_google_absl//absl/base:log_severity",
        "@com_google_absl//absl/log",
    ],
)

cc_library(
    name = "logsink",
    srcs = ["logsink.cc"],
    hdrs = ["logsink.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":comms",
        ":logserver_cc_proto",
        "@com_google_absl//absl/base:log_severity",
        "@com_google_absl//absl/log:log_entry",
        "@com_google_absl//absl/log:log_sink",
        "@com_google_absl//absl/log:log_sink_registry",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/strings:str_format",
        "@com_google_absl//absl/synchronization",
    ],
)

cc_library(
    name = "ipc",
    srcs = ["ipc.cc"],
    hdrs = ["ipc.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":comms",
        ":logserver",
        ":logsink",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api/util:thread",
    ],
)

cc_library(
    name = "policy",
    srcs = ["policy.cc"],
    hdrs = ["policy.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":bpfdisassembler",
        ":namespace",
        ":syscall",
        ":util",
        "@com_google_absl//absl/flags:flag",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/strings:string_view",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:filtering",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
    ],
)

# Header-only: `srcs` is empty, so the target only exports notify.h.
cc_library(
    name = "notify",
    srcs = [],
    hdrs = ["notify.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":comms",
        ":result",
        ":syscall",
        ":util",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/strings:str_format",
    ],
)

# Header-only: no `srcs`, the target only exports limits.h.
cc_library(
    name = "limits",
    hdrs = ["limits.h"],
    copts = sapi_platform_copts(),
    deps = [
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/time",
    ],
)

# The forkserver executable. Its stripped output is embedded by
# `:forkserver_bin_embed` below.
# `stamp = 0` turns build stamping off for this binary, so build information is
# replaced by constant values; presumably this keeps the embedded bytes stable
# across builds - confirm the intent with the owners.
cc_binary(
    name = "forkserver_bin",
    srcs = ["forkserver_bin.cc"],
    copts = sapi_platform_copts(),
    stamp = 0,
    deps = [
        ":client",
        ":comms",
        ":forkserver",
        ":sanitizer",
        "@com_google_absl//absl/base:log_severity",
        "@com_google_absl//absl/log:globals",
        "@com_google_absl//absl/status",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/unwind",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
    ],
)

# Embeds `:forkserver_bin.stripped` as data. `:global_forkserver` depends on
# this target and on sandboxed_api:embed_file, so the forkserver binary ships
# inside every binary that links `:global_forkserver`.
sapi_cc_embed_data(
    name = "forkserver_bin_embed",
    srcs = [":forkserver_bin.stripped"],
)

# Note the file names: the target is `global_forkserver`, its sources are
# global_forkclient.cc/.h.
cc_library(
    name = "global_forkserver",
    srcs = ["global_forkclient.cc"],
    hdrs = ["global_forkclient.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":comms",
        ":fork_client",
        ":forkserver_bin_embed",
        ":forkserver_cc_proto",
        ":util",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/cleanup",
        "@com_google_absl//absl/flags:flag",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/synchronization",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api:embed_file",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

# Use only if Sandbox2 global forkserver has to be started very early on.
# By default the forkserver is started on demand.
# NOTE(review): this target has a single .cc source and no `hdrs`, and
# `alwayslink` is not set. If global_forkclient_lib_ctor.cc does its work from
# a static constructor, confirm the linker keeps the object in binaries that
# reference no symbol from it.
cc_library(
    name = "start_global_forkserver_lib_constructor",
    srcs = ["global_forkclient_lib_ctor.cc"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":fork_client",
        ":global_forkserver",
        "@com_google_absl//absl/base:core_headers",
    ],
)

cc_library(
    name = "executor",
    srcs = ["executor.cc"],
    hdrs = ["executor.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":fork_client",
        ":forkserver_cc_proto",
        ":global_forkserver",
        ":ipc",
        ":limits",
        ":namespace",
        ":util",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
    ],
)

# Should not be used in sandboxee code if it only uses sandbox2::Comms and
# sandbox2::Client objects
# (`:client` further down is the narrower target for that case.)
# `hdrs` re-exports headers that also belong to other targets in this package
# (client.h, executor.h, ipc.h, ...); those targets are listed in `deps` too.
cc_library(
    name = "sandbox2",
    srcs = [
        "sandbox2.cc",
    ],
    hdrs = [
        "client.h",
        "executor.h",
        "ipc.h",
        "limits.h",
        "notify.h",
        "policy.h",
        "policybuilder.h",
        "result.h",
        "sandbox2.h",
        "syscall.h",
    ],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":client",
        ":comms",
        ":executor",
        ":fork_client",
        ":forkserver_cc_proto",
        ":ipc",
        ":limits",
        ":logsink",
        ":monitor_base",
        ":monitor_ptrace",
        ":monitor_unotify",
        ":mounts",
        ":namespace",
        ":notify",
        ":policy",
        ":policybuilder",
        ":regs",
        ":result",
        ":stack_trace",
        ":syscall",
        ":util",
        "@com_google_absl//absl/base",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/container:flat_hash_map",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/strings:str_format",
        "@com_google_absl//absl/time",
        "@com_google_absl//absl/types:optional",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:map_exec",  # TODO b/371179394 - Remove this after migrating to Allow(MapExec).
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:client",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:filtering",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
    ],
)

cc_library(
    name = "stack_trace",
    srcs = ["stack_trace.cc"],
    hdrs = ["stack_trace.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":comms",
        ":executor",
        ":limits",
        ":mounts",
        ":namespace",
        ":policy",
        ":policybuilder",
        ":regs",
        ":result",
        "@com_google_absl//absl/cleanup",
        "@com_google_absl//absl/flags:flag",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/memory",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/time",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/unwind:unwind_cc_proto",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

# Two monitor implementations follow (`monitor_ptrace`, `monitor_unotify`);
# both depend on `:monitor_base` and both are linked into `:sandbox2`.
cc_library(
    name = "monitor_ptrace",
    srcs = ["monitor_ptrace.cc"],
    hdrs = ["monitor_ptrace.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":client",
        ":comms",
        ":executor",
        ":monitor_base",
        ":notify",
        ":policy",
        ":regs",
        ":result",
        ":sanitizer",
        ":syscall",
        ":util",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/cleanup",
        "@com_google_absl//absl/container:flat_hash_map",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/flags:flag",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/log:vlog_is_on",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/strings:str_format",
        "@com_google_absl//absl/synchronization",
        "@com_google_absl//absl/time",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:pid_waiter",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
        "@com_google_sandboxed_api//sandboxed_api/util:thread",
    ],
)

cc_library(
    name = "monitor_unotify",
    srcs = ["monitor_unotify.cc"],
    hdrs = ["monitor_unotify.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":bpf_evaluator",
        ":client",
        ":executor",
        ":forkserver_cc_proto",
        ":monitor_base",
        ":notify",
        ":policy",
        ":result",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/cleanup",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/synchronization",
        "@com_google_absl//absl/time",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
        "@com_google_sandboxed_api//sandboxed_api/util:thread",
    ],
)

cc_library(
    name = "monitor_base",
    srcs = ["monitor_base.cc"],
    hdrs = ["monitor_base.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":client",
        ":comms",
        ":executor",
        ":fork_client",
        ":forkserver_cc_proto",
        ":ipc",
        ":limits",
        ":mounts",
        ":namespace",
        ":notify",
        ":policy",
        ":regs",
        ":result",
        ":stack_trace",
        ":syscall",
        ":util",
        "@com_google_absl//absl/base",
        "@com_google_absl//absl/cleanup",
        "@com_google_absl//absl/flags:flag",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/log:vlog_is_on",
        "@com_google_absl//absl/memory",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/synchronization",
        "@com_google_absl//absl/time",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:client",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:server",
        "@com_google_sandboxed_api//sandboxed_api/util:file_helpers",
        "@com_google_sandboxed_api//sandboxed_api/util:strerror",
        "@com_google_sandboxed_api//sandboxed_api/util:temp_file",
        "@com_google_sandboxed_api//sandboxed_api/util:thread",
    ],
)

# NOTE(review): the `allowlists:*` deps below are named after policy
# relaxations (all_syscalls, map_exec, namespaces, seccomp_speculation,
# trace_all_syscalls, unrestricted_networking). Presumably each one gates an
# opt-in feature of the policy builder - confirm in the allowlists package, and
# treat an addition to this list as a change to the policy surface.
cc_library(
    name = "policybuilder",
    srcs = ["policybuilder.cc"],
    hdrs = ["policybuilder.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":forkserver_cc_proto",
        ":mounts",
        ":namespace",
        ":policy",
        ":syscall",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/memory",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/types:optional",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:all_syscalls",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:map_exec",  # TODO b/371179394 - Remove this after migrating to Allow(MapExec).
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:namespaces",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:seccomp_speculation",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:trace_all_syscalls",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:unrestricted_networking",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:filtering",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

# Should be used in sandboxee code instead of :sandbox2 if it uses just
# sandbox2::Client::SandboxMeHere() and sandbox2::Comms
# Its dependency list is much shorter than `:sandbox2`'s: no executor, monitor
# or policybuilder targets are pulled in.
cc_library(
    name = "client",
    srcs = ["client.cc"],
    hdrs = ["client.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":comms",
        ":logsink",
        ":policy",
        ":sanitizer",
        ":syscall",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/container:flat_hash_map",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:client",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
    ],
)

cc_library(
    name = "sanitizer",
    srcs = ["sanitizer.cc"],
    hdrs = ["sanitizer.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":util",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

# The only target in this file that links `@org_kernel_libcap//:libcap`.
cc_library(
    name = "forkserver",
    srcs = ["forkserver.cc"],
    hdrs = ["forkserver.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":client",
        ":comms",
        ":fork_client",
        ":forkserver_cc_proto",
        ":namespace",
        ":policy",
        ":sanitizer",
        ":syscall",
        ":util",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/container:flat_hash_map",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
        "@com_google_sandboxed_api//sandboxed_api/util:strerror",
        "@org_kernel_libcap//:libcap",
    ],
)

cc_library(
    name = "fork_client",
    srcs = ["fork_client.cc"],
    hdrs = ["fork_client.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":comms",
        ":forkserver_cc_proto",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/synchronization",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
    ],
)

cc_library(
    name = "mounts",
    srcs = ["mounts.cc"],
    hdrs = ["mounts.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":mount_tree_cc_proto",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:minielf",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

cc_test(
    name = "mounts_test",
    srcs = ["mounts_test.cc"],
    copts = sapi_platform_copts(),
    data = ["@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:minimal_dynamic"],
    deps = [
        ":mount_tree_cc_proto",
        ":mounts",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
        "@com_google_sandboxed_api//sandboxed_api/util:temp_file",
    ],
)

cc_library(
    name = "namespace",
    srcs = ["namespace.cc"],
    hdrs = ["namespace.h"],
    copts = sapi_platform_copts(),
    deps = [
        ":forkserver_cc_proto",
        ":mounts",
        "@com_google_absl//absl/strings",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
    ],
)

# NOTE(review): this test depends on `allowlists:namespaces` next to the
# `testonly_*` variants of the other allowlists, while stack_trace_test uses
# `allowlists:testonly_namespaces`. Confirm the non-testonly target is intended.
cc_test(
    name = "namespace_test",
    srcs = ["namespace_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:namespace",
    ],
    tags = [
        "requires-net:external",
    ],
    deps = [
        ":namespace",
        ":sandbox2",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:namespaces",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:testonly_all_syscalls",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:testonly_unrestricted_networking",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
        "@com_google_sandboxed_api//sandboxed_api/util:temp_file",
    ],
)

cc_library(
    name = "forkingclient",
    srcs = ["forkingclient.cc"],
    hdrs = ["forkingclient.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":client",
        ":comms",
        ":forkserver",
        ":sanitizer",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
    ],
)

cc_library(
    name = "util",
    srcs = ["util.cc"],
    hdrs = ["util.h"],
    # The default is 16384, however we need to do a clone with a
    # stack-allocated buffer -- and PTHREAD_STACK_MIN also happens to be 16384.
    # Thus the slight increase.
    # NOTE(review): the comment above describes a raised limit, but `copts`
    # here holds only sapi_platform_copts() and no option in this target sets
    # one. Confirm whether the limit now lives in sapi_platform_copts() or the
    # comment is stale.
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        "@com_google_absl//absl/algorithm:container",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/strings:str_format",
        "@com_google_absl//absl/types:span",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:file_helpers",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
    ],
)

cc_library(
    name = "buffer",
    srcs = ["buffer.cc"],
    hdrs = ["buffer.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":util",
        "@com_google_absl//absl/memory",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
    ],
)

cc_test(
    name = "buffer_test",
    srcs = ["buffer_test.cc"],
    copts = sapi_platform_copts(),
    data = ["@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:buffer"],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":buffer",
        ":sandbox2",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

sapi_proto_library(
    name = "forkserver_proto",
    srcs = ["forkserver.proto"],
    deps = [":mount_tree_proto"],
)

sapi_proto_library(
    name = "mount_tree_proto",
    srcs = ["mount_tree.proto"],
)

# Public, and a dependency of both `:sandbox2` and `:client`.
cc_library(
    name = "comms",
    srcs = ["comms.cc"],
    hdrs = ["comms.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = [
        ":util",
        "@com_google_absl//absl/base:core_headers",
        "@com_google_absl//absl/base:dynamic_annotations",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/strings:str_format",
        "@com_google_protobuf//:protobuf",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:raw_logging",
        "@com_google_sandboxed_api//sandboxed_api/util:status",
        "@com_google_sandboxed_api//sandboxed_api/util:status_cc_proto",
    ],
)

sapi_proto_library(
    name = "comms_test_proto",
    srcs = ["comms_test.proto"],
)

cc_test(
    name = "comms_test",
    srcs = ["comms_test.cc"],
    copts = sapi_platform_copts(),
    deps = [
        ":comms",
        ":comms_test_cc_proto",
        "@com_google_absl//absl/container:fixed_array",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
        "@com_google_sandboxed_api//sandboxed_api/util:thread",
    ],
)

cc_test(
    name = "forkserver_test",
    srcs = ["forkserver_test.cc"],
    copts = sapi_platform_copts(),
    data = ["@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:minimal"],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":forkserver",
        ":forkserver_cc_proto",
        ":global_forkserver",
        ":sandbox2",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
    ],
)

cc_test(
    name = "limits_test",
    srcs = ["limits_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:limits",
    ],
    deps = [
        ":limits",
        ":sandbox2",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "notify_test",
    srcs = ["notify_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:minimal",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:personality",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:pidcomms",
    ],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":comms",
        ":sandbox2",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:trace_all_syscalls",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "policy_test",
    srcs = ["policy_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:add_policy_on_syscalls",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:malloc_system",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:minimal",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:minimal_dynamic",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:policy",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:posix_timers",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:sandbox_detection",
    ],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":sandbox2",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

# The `local` tag makes Bazel run this test outside its own sandbox and without
# remote execution or remote caching.
cc_test(
    name = "sandbox2_test",
    srcs = ["sandbox2_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:abort",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:custom_fork",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:minimal",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:sleep",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:starve",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:tsync",
    ],
    tags = [
        "local",
        "no_qemu_user_mode",
    ],
    deps = [
        ":fork_client",
        ":sandbox2",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/synchronization",
        "@com_google_absl//absl/time",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:config",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
        "@com_google_sandboxed_api//sandboxed_api/util:thread",
    ],
)

cc_test(
    name = "sanitizer_test",
    srcs = ["sanitizer_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:close_fds",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:sanitizer",
    ],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":comms",
        ":sandbox2",
        ":sanitizer",
        ":util",
        "@com_google_absl//absl/container:flat_hash_set",
        "@com_google_absl//absl/log",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "util_test",
    srcs = ["util_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:util_communicate",
    ],
    deps = [
        ":util",
        "@com_google_absl//absl/cleanup",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/status:statusor",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/types:span",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "stack_trace_test",
    srcs = [
        "stack_trace_test.cc",
    ],
    copts = sapi_platform_copts(),
    data = ["@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:symbolize"],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":global_forkserver",
        ":sandbox2",
        ":stack_trace",
        "@com_google_absl//absl/base:log_severity",
        "@com_google_absl//absl/log:check",
        "@com_google_absl//absl/log:scoped_mock_log",
        "@com_google_absl//absl/strings",
        "@com_google_absl//absl/time",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:testonly_all_syscalls",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:testonly_namespaces",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "ipc_test",
    srcs = ["ipc_test.cc"],
    copts = sapi_platform_copts(),
    data = ["@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:ipc"],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":comms",
        ":sandbox2",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

# `testonly = 1`: only other testonly targets (tests included) may depend on
# this library, although its visibility is public.
cc_library(
    name = "testing",
    testonly = 1,
    hdrs = ["testing.h"],
    copts = sapi_platform_copts(),
    visibility = ["//visibility:public"],
    deps = ["@com_google_sandboxed_api//sandboxed_api:testing"],
)

# NOTE(review): depends on `allowlists:unrestricted_networking`, whereas
# namespace_test uses `allowlists:testonly_unrestricted_networking`. Confirm
# the non-testonly target is intended here.
cc_test(
    name = "policybuilder_test",
    srcs = ["policybuilder_test.cc"],
    copts = sapi_platform_copts(),
    deps = [
        ":policy",
        ":policybuilder",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/strings",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:unrestricted_networking",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:file_base",
        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "bpfdisassembler_test",
    srcs = ["bpfdisassembler_test.cc"],
    copts = sapi_platform_copts(),
    deps = [
        ":bpfdisassembler",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
    ],
)

cc_test(
    name = "bpf_evaluator_test",
    srcs = ["bpf_evaluator_test.cc"],
    copts = sapi_platform_copts(),
    deps = [
        ":bpf_evaluator",
        "@com_google_absl//absl/status",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)

cc_test(
    name = "network_proxy_test",
    srcs = ["network_proxy_test.cc"],
    copts = sapi_platform_copts(),
    data = [
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/testcases:network_proxy",
    ],
    tags = ["no_qemu_user_mode"],
    deps = [
        ":sandbox2",
        "@com_google_absl//absl/status",
        "@com_google_absl//absl/time",
        "@com_google_googletest//:gtest_main",
        "@com_google_sandboxed_api//sandboxed_api:testing",
        "@com_google_sandboxed_api//sandboxed_api/sandbox2/network_proxy:testing",
        "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
    ],
)