1# Copyright 2019 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7#     https://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15# The 'static' example demonstrates:
16# - separate executor and sandboxee
17# - sandboxee already sandboxed, not using google3 and compiled statically
18# - minimal syscall policy written with BPF macros
19# - communication with file descriptors and MapFd
20# - test to ensure sandbox executor runs sandboxee without issue
21
22load("@com_google_sandboxed_api//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
23
24package(default_visibility = [  # targets in this package are visible only to the packages listed here
25    "@com_google_sandboxed_api//sandboxed_api/sandbox2:__subpackages__",  # sandbox2 and everything beneath it
26])
27
28licenses(["notice"])  # license type declared for this package
29
30# Executor: the binary that runs the sandboxee (static_bin) under Sandbox2.
31cc_binary(
32    name = "static_sandbox",
33    srcs = ["static_sandbox.cc"],
34    copts = sapi_platform_copts(),
35    data = [":static_bin"],  # sandboxee is shipped as a runtime data file of the executor, not linked into it
36    tags = ["no_qemu_user_mode"],  # tag name suggests the target is skipped under QEMU user-mode emulation — confirm
37    deps = [
38        "@com_google_absl//absl/flags:parse",
39        "@com_google_absl//absl/log",
40        "@com_google_absl//absl/log:check",
41        "@com_google_absl//absl/log:globals",
42        "@com_google_absl//absl/log:initialize",
43        "@com_google_absl//absl/strings:string_view",
44        "@com_google_absl//absl/time",
45        "@com_google_sandboxed_api//sandboxed_api:config",
46        "@com_google_sandboxed_api//sandboxed_api/sandbox2",
47        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",  # BPF macros for the syscall policy named in the file header
48        "@com_google_sandboxed_api//sandboxed_api/util:runfiles",  # presumably used to locate the static_bin data file at runtime — confirm in static_sandbox.cc
49    ],
50)
51
52# Sandboxee: the program that runs inside the sandbox. It declares no deps, so it
# links none of the Sandbox2 libraries; only the executor target above carries them.
# NOTE(review): the directive below silences a check named cc-static-no-pie, while
# linkopts passes -static-pie, which asks for a static binary that is still
# position-independent. Confirm the suppression is still needed, and keep
# -static-pie so the static sandboxee can still be loaded at a randomized address.
53# security: disable=cc-static-no-pie
54cc_binary(
55    name = "static_bin",
56    srcs = ["static_bin.cc"],
57    copts = sapi_platform_copts(),
58    linkopts = [
59        "-static-pie",  # fully static and position-independent executable
60        "-fuse-ld=bfd",  # link with the GNU BFD linker
61    ],
62    linkstatic = 1,  # link library dependencies statically
63)
64
65sh_test(  # shell test for the executor; per the file header it checks that the sandboxee runs without issue
66    name = "static_sandbox_test",
67    srcs = ["static_sandbox_test.sh"],
68    data = [":static_sandbox"],  # executor binary made available to the test script at runtime
69    tags = ["no_qemu_user_mode"],  # same tag as the executor target
70)
71