
Commit 71c412d

paulsemelcopybara-github
authored andcommitted
Introduce shared memory comms in Sandbox2.
This change adds a new communication channel based on shared memory (memfd) between the sandboxer and the sandboxee. When this feature is enabled, a memfd is created and passed to the sandboxee via the forkserver. The Comms object in both the sandboxer and sandboxee can then be initialized with this shared memory buffer, allowing for potentially faster data transfer. PiperOrigin-RevId: 912007765 Change-Id: If5fbe5b9687f2d5e7ebe66aaa265b8ae3d27edc6
1 parent f47b57b commit 71c412d

29 files changed

Lines changed: 448 additions & 48 deletions

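--- a/sandboxed_api/sandbox2/BUILD
+++ b/sandboxed_api/sandbox2/BUILD
@@ -836,6 +836,7 @@ cc_library(
 deps = [
 ":util",
 "//sandboxed_api/util:fileops",
+"//sandboxed_api/util:status",
 "@abseil-cpp//absl/base:core_headers",
 "@abseil-cpp//absl/memory",
 "@abseil-cpp//absl/status",
@@ -881,13 +882,18 @@ cc_library(
 copts = sapi_platform_copts(),
 visibility = ["//visibility:public"],
 deps = [
+":buffer",
 ":util",
+"//sandboxed_api/sandbox2/util:asynchronous_byte_transport",
+"//sandboxed_api/sandbox2/util:potentially_blocking_region",
 "//sandboxed_api/util:fileops",
 "//sandboxed_api/util:raw_logging",
 "//sandboxed_api/util:status",
 "//sandboxed_api/util:status_cc_proto",
+"//sandboxed_api/util:thread",
 "@abseil-cpp//absl/base:core_headers",
 "@abseil-cpp//absl/base:dynamic_annotations",
+"@abseil-cpp//absl/log",
 "@abseil-cpp//absl/status",
 "@abseil-cpp//absl/status:statusor",
 "@abseil-cpp//absl/strings",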

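--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -773,6 +773,7 @@ target_link_libraries(sandbox2_buffer
 absl::status
 absl::strings
 sapi::base
+sapi::status
 sandbox2::util
 PUBLIC absl::core_headers
 absl::statusor
@@ -815,10 +816,13 @@ add_library(sandbox2_comms ${SAPI_LIB_TYPE}
 )
 add_library(sandbox2::comms ALIAS sandbox2_comms)
 target_link_libraries(sandbox2_comms
-PRIVATE absl::status
+PRIVATE absl::log
+absl::status
 absl::statusor
 absl::str_format
 absl::strings
+sandbox2::asynchronous_byte_transport
+sandbox2::potentially_blocking_region
 sandbox2::util
 sapi::base
 sapi::raw_logging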

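--- a/sandboxed_api/sandbox2/buffer.cc
+++ b/sandboxed_api/sandbox2/buffer.cc
@@ -32,6 +32,7 @@
 #include "absl/strings/str_cat.h"
 #include "sandboxed_api/sandbox2/util.h"
 #include "sandboxed_api/util/fileops.h"
+#include "sandboxed_api/util/status_macros.h"
 
 namespace sandbox2 {
 
@@ -97,14 +98,8 @@ absl::StatusOr<std::unique_ptr<Buffer>> Buffer::Expand(
 // will be immediately deleted.
 absl::StatusOr<std::unique_ptr<Buffer>> Buffer::CreateWithSize(
 size_t size, const char* name) {
-absl::StatusOr<FDCloser> fd = util::CreateMemFd(name);
-if (!fd.ok()) {
-return fd.status();
-}
-if (ftruncate(fd->get(), size) != 0) {
-return absl::ErrnoToStatus(errno, "Could not extend buffer fd");
-}
-return CreateFromFd(*std::move(fd), size);
+SAPI_ASSIGN_OR_RETURN(FDCloser fd, util::CreateMemFdWithSize(size, name));
+return CreateFromFd(std::move(fd), size);
 }
 
 std::string Buffer::GetName() const {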
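Review bot: The memfd that `Buffer::CreateWithSize` now obtains from `util::CreateMemFdWithSize` is, per the commit description, the buffer handed to an untrusted sandboxee, and nothing in this hunk seals it: unless the helper (outside this hunk) creates the fd with `MFD_ALLOW_SEALING` and applies `F_SEAL_SHRINK` (ideally also `F_SEAL_GROW`) once the size is set, the sandboxee can `ftruncate()` the shared fd and turn the sandboxer's later accesses to its mapping into SIGBUS. If the helper does not seal, I would seal before the fd crosses to the forkserver, or document why a shrink is tolerable for this comms channel; the code that maps the buffer is also outside this hunk. The `size` forwarded to `CreateFromFd` is the requested size rather than one read back from the fd, which is only correct if the helper guarantees exactly `size` bytes — a short comment would pin that assumption: `// CreateMemFdWithSize leaves the fd exactly `size` bytes long, so the same value sizes the mapping.`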

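--- a/sandboxed_api/sandbox2/client.cc
+++ b/sandboxed_api/sandbox2/client.cc
@@ -198,8 +198,14 @@ void Client::EnableSandbox() {
 ApplyPolicyAndBecomeTracee();
 }
 
+void Client::ReceiveCommsUpgrade() {
+auto status = comms_->RecvSharedMemUpgrade();
+SAPI_RAW_CHECK(status.ok(), "receiving comms upgrade");
+}
+
 void Client::SandboxMeHere() {
 PrepareEnvironment();
+ReceiveCommsUpgrade();
 EnableSandbox();
 }
 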
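Review bot: The unconditional `ReceiveCommsUpgrade()` in `SandboxMeHere()` makes the upgrade handshake a hard requirement of every sandboxee start-up — `SAPI_RAW_CHECK` aborts if `comms_->RecvSharedMemUpgrade()` fails — although the description calls shared memory an opt-in feature, so the sandboxer must always send either the upgrade or an explicit "no upgrade" message, or a sandboxer without this change will leave the client blocked or aborting here; `RecvSharedMemUpgrade` is not in this hunk, so I cannot confirm which it does. The placement before `EnableSandbox()` looks deliberate (the fd has to be received, and presumably mapped, before the policy restricts syscalls) but is undocumented; I would add above the call `// Must run before EnableSandbox(): the shared-memory fd is received (and set up) before the seccomp policy applies.` The check message also discards the failure reason, so the abort is hard to diagnose; if the raw-logging macros accept formatted output, something like `if (!status.ok()) SAPI_RAW_LOG(FATAL, "receiving comms upgrade: %s", status.ToString().c_str());` would keep the status text.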

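--- a/sandboxed_api/sandbox2/client.h
+++ b/sandboxed_api/sandbox2/client.h
@@ -135,6 +135,7 @@ class Client {
 
 void PrepareEnvironment(int* preserved_fd = nullptr);
 void EnableSandbox();
+void ReceiveCommsUpgrade();
 };
 
 } // namespace sandbox2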
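Review bot: `ReceiveCommsUpgrade()` is declared without a comment, and its contract — it CHECK-fails instead of returning a status, and `SandboxMeHere()` in client.cc calls it between `PrepareEnvironment()` and `EnableSandbox()` — is not obvious from the name. I would add above the declaration `// Receives the shared-memory comms upgrade from the sandboxer; aborts the process if it cannot be received. Must run before EnableSandbox().`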
