platform_build_soong/cmd/path_interposer/main.go

// Copyright 2018 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// This tool tries to prohibit access to tools on the system on which the build
// is run.
//
// The rationale is that if the build uses a binary that is not shipped in the
// source tree, it is unknowable which version of that binary will be installed
// and therefore the output of the build will be unpredictable. Therefore, we
// should make every effort to use only tools under our control.
//
// This is currently implemented by a "sandbox" that sets $PATH to a specific,
// single directory and creates a symlink for every binary in $PATH in it. That
// symlink will point to path_interposer, which then uses an embedded
// configuration to determine whether to allow access to the binary (in which
// case it calls the original executable) or not (in which case it fails). It
// can also optionally log invocations.
//
// This, of course, does not help if one invokes the tool in question with its
// full path.
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"

	"android/soong/ui/build/paths"
)

func main() {
	interposer, err := os.Executable()
	if err != nil {
		fmt.Fprintln(os.Stderr, "Unable to locate interposer executable:", err)
		os.Exit(1)
	}

	if fi, err := os.Lstat(interposer); err == nil {
		if fi.Mode()&os.ModeSymlink != 0 {
			link, err := os.Readlink(interposer)
			if err != nil {
				fmt.Fprintln(os.Stderr, "Unable to read link to interposer executable:", err)
				os.Exit(1)
			}
			if filepath.IsAbs(link) {
				interposer = link
			} else {
				interposer = filepath.Join(filepath.Dir(interposer), link)
			}
		}
	} else {
		fmt.Fprintln(os.Stderr, "Unable to stat interposer executable:", err)
		os.Exit(1)
	}

	exitCode, err := Main(os.Stdout, os.Stderr, interposer, os.Args, mainOpts{
		sendLog:       paths.SendLog,
		config:        paths.GetConfig,
		lookupParents: lookupParents,
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err.Error())
	}
	os.Exit(exitCode)
}

var usage = fmt.Errorf(`To use the PATH interposer:
 * Write the original PATH variable to <interposer>_origpath
 * Set up a directory of symlinks to the PATH interposer, and use that in PATH

If a tool isn't in the allowed list, a log will be posted to the unix domain
socket at <interposer>_log.`)

type mainOpts struct {
	sendLog       func(logSocket string, entry *paths.LogEntry, done chan interface{})
	config        func(name string) paths.PathConfig
	lookupParents func() []paths.LogProcess
}

func Main(stdout, stderr io.Writer, interposer string, args []string, opts mainOpts) (int, error) {
	base := filepath.Base(args[0])

	origPathFile := interposer + "_origpath"
	if base == filepath.Base(interposer) {
		return 1, usage
	}

	origPath, err := ioutil.ReadFile(origPathFile)
	if err != nil {
		if os.IsNotExist(err) {
			return 1, usage
		} else {
			return 1, fmt.Errorf("Failed to read original PATH: %v", err)
		}
	}

	cmd := &exec.Cmd{
		Args: args,
		Env:  os.Environ(),

		Stdin:  os.Stdin,
		Stdout: stdout,
		Stderr: stderr,
	}

	if err := os.Setenv("PATH", string(origPath)); err != nil {
		return 1, fmt.Errorf("Failed to set PATH env: %v", err)
	}

	if config := opts.config(base); config.Log || config.Error {
		var procs []paths.LogProcess
		if opts.lookupParents != nil {
			procs = opts.lookupParents()
		}

		if opts.sendLog != nil {
			waitForLog := make(chan interface{})
			opts.sendLog(interposer+"_log", &paths.LogEntry{
				Basename: base,
				Args:     args,
				Parents:  procs,
			}, waitForLog)
			defer func() { <-waitForLog }()
		}
		if config.Error {
			return 1, fmt.Errorf("%q is not allowed to be used. See https://android.googlesource.com/platform/build/+/master/Changes.md#PATH_Tools for more information.", base)
		}
	}

	cmd.Path, err = exec.LookPath(base)
	if err != nil {
		return 1, err
	}

	if err = cmd.Run(); err != nil {
		if exitErr, ok := err.(*exec.ExitError); ok {
			if status, ok := exitErr.Sys().(syscall.WaitStatus); ok {
				if status.Exited() {
					return status.ExitStatus(), nil
				} else if status.Signaled() {
					exitCode := 128 + int(status.Signal())
					return exitCode, nil
				} else {
					return 1, exitErr
				}
			} else {
				return 1, nil
			}
		}
	}

	return 0, nil
}

type procEntry struct {
	Pid     int
	Ppid    int
	Command string
}

func readProcs() map[int]procEntry {
	cmd := exec.Command("ps", "-o", "pid,ppid,command")
	data, err := cmd.Output()
	if err != nil {
		return nil
	}

	return parseProcs(data)
}

func parseProcs(data []byte) map[int]procEntry {
	lines := bytes.Split(data, []byte("\n"))
	if len(lines) < 2 {
		return nil
	}
	// Remove the header
	lines = lines[1:]

	ret := make(map[int]procEntry, len(lines))
	for _, line := range lines {
		fields := bytes.SplitN(line, []byte(" "), 2)
		if len(fields) != 2 {
			continue
		}

		pid, err := strconv.Atoi(string(fields[0]))
		if err != nil {
			continue
		}

		line = bytes.TrimLeft(fields[1], " ")

		fields = bytes.SplitN(line, []byte(" "), 2)
		if len(fields) != 2 {
			continue
		}

		ppid, err := strconv.Atoi(string(fields[0]))
		if err != nil {
			continue
		}

		ret[pid] = procEntry{
			Pid:     pid,
			Ppid:    ppid,
			Command: string(bytes.TrimLeft(fields[1], " ")),
		}
	}

	return ret
}

func lookupParents() []paths.LogProcess {
	procs := readProcs()
	if procs == nil {
		return nil
	}

	list := []paths.LogProcess{}
	pid := os.Getpid()
	for {
		entry, ok := procs[pid]
		if !ok {
			break
		}

		list = append([]paths.LogProcess{
			{
				Pid:     pid,
				Command: entry.Command,
			},
		}, list...)

		pid = entry.Ppid
	}

	return list
}
Revert "Revert "Revert "Revert "Add path interposer"""" This reverts commit 09f4540d667a98e548bf5dfc94784382ebedc963. Fixes the raw call to net.Listen in the tests to go through the listen() helper and use the long socket path fallbacks. Removes the use of timeouts from the tests -- the behaviors being tested did not rely on timeouts, so removing them will reduce the flakiness if the build is heavily loading the machine at the same time the test is running. Also fixes some potential nil pointer dereferences. Test: OUT_DIR=<really long> m blueprint_tools Test: `while .../soong-ui-build-paths/test/test; do sleep 0.01; done` with a build running Change-Id: I16d44be7517bc415f1c808284088f4ba40df3bfa 2018-05-26 01:30:04 +02:00			`// Copyright 2018 Google Inc. All rights reserved.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Add comments for path_interposer. Test: Presubmits. Change-Id: I22c08f282019050da1198cce1f92f5d825ee649f 2022-05-06 12:42:05 +02:00			`// This tool tries to prohibit access to tools on the system on which the build`
			`// is run.`
			`//`
			`// The rationale is that if the build uses a binary that is not shipped in the`
			`// source tree, it is unknowable which version of that binary will be installed`
			`// and therefore the output of the build will be unpredictable. Therefore, we`
			`// should make every effort to use only tools under our control.`
			`//`
			`// This is currently implemented by a "sandbox" that sets $PATH to a specific,`
			`// single directory and creates a symlink for every binary in $PATH in it. That`
			`// symlink will point to path_interposer, which then uses an embedded`
			`// configuration to determine whether to allow access to the binary (in which`
			`// case it calls the original executable) or not (in which case it fails). It`
			`// can also optionally log invocations.`
			`//`
			`// This, of course, does not help if one invokes the tool in question with its`
			`// full path.`
Revert "Revert "Revert "Revert "Add path interposer"""" This reverts commit 09f4540d667a98e548bf5dfc94784382ebedc963. Fixes the raw call to net.Listen in the tests to go through the listen() helper and use the long socket path fallbacks. Removes the use of timeouts from the tests -- the behaviors being tested did not rely on timeouts, so removing them will reduce the flakiness if the build is heavily loading the machine at the same time the test is running. Also fixes some potential nil pointer dereferences. Test: OUT_DIR=<really long> m blueprint_tools Test: `while .../soong-ui-build-paths/test/test; do sleep 0.01; done` with a build running Change-Id: I16d44be7517bc415f1c808284088f4ba40df3bfa 2018-05-26 01:30:04 +02:00			`package main`

			`import (`
			`"bytes"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
			`"os"`
			`"os/exec"`
			`"path/filepath"`
			`"strconv"`
			`"syscall"`

			`"android/soong/ui/build/paths"`
			`)`

			`func main() {`
			`interposer, err := os.Executable()`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, "Unable to locate interposer executable:", err)`
			`os.Exit(1)`
			`}`

			`if fi, err := os.Lstat(interposer); err == nil {`
			`if fi.Mode()&os.ModeSymlink != 0 {`
			`link, err := os.Readlink(interposer)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, "Unable to read link to interposer executable:", err)`
			`os.Exit(1)`
			`}`
			`if filepath.IsAbs(link) {`
			`interposer = link`
			`} else {`
			`interposer = filepath.Join(filepath.Dir(interposer), link)`
			`}`
			`}`
			`} else {`
			`fmt.Fprintln(os.Stderr, "Unable to stat interposer executable:", err)`
			`os.Exit(1)`
			`}`

			`exitCode, err := Main(os.Stdout, os.Stderr, interposer, os.Args, mainOpts{`
			`sendLog: paths.SendLog,`
			`config: paths.GetConfig,`
			`lookupParents: lookupParents,`
			`})`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, err.Error())`
			`}`
			`os.Exit(exitCode)`
			`}`

			var usage = fmt.Errorf(`To use the PATH interposer:
			`* Write the original PATH variable to <interposer>_origpath`
			`* Set up a directory of symlinks to the PATH interposer, and use that in PATH`

			`If a tool isn't in the allowed list, a log will be posted to the unix domain`
			socket at <interposer>_log.`)

			`type mainOpts struct {`
			`sendLog func(logSocket string, entry *paths.LogEntry, done chan interface{})`
			`config func(name string) paths.PathConfig`
			`lookupParents func() []paths.LogProcess`
			`}`

			`func Main(stdout, stderr io.Writer, interposer string, args []string, opts mainOpts) (int, error) {`
			`base := filepath.Base(args[0])`

			`origPathFile := interposer + "_origpath"`
			`if base == filepath.Base(interposer) {`
			`return 1, usage`
			`}`

			`origPath, err := ioutil.ReadFile(origPathFile)`
			`if err != nil {`
			`if os.IsNotExist(err) {`
			`return 1, usage`
			`} else {`
			`return 1, fmt.Errorf("Failed to read original PATH: %v", err)`
			`}`
			`}`

			`cmd := &exec.Cmd{`
			`Args: args,`
			`Env: os.Environ(),`

			`Stdin: os.Stdin,`
			`Stdout: stdout,`
			`Stderr: stderr,`
			`}`

			`if err := os.Setenv("PATH", string(origPath)); err != nil {`
			`return 1, fmt.Errorf("Failed to set PATH env: %v", err)`
			`}`

			`if config := opts.config(base); config.Log \|\| config.Error {`
			`var procs []paths.LogProcess`
			`if opts.lookupParents != nil {`
			`procs = opts.lookupParents()`
			`}`

			`if opts.sendLog != nil {`
			`waitForLog := make(chan interface{})`
			`opts.sendLog(interposer+"_log", &paths.LogEntry{`
			`Basename: base,`
			`Args: args,`
			`Parents: procs,`
			`}, waitForLog)`
			`defer func() { <-waitForLog }()`
			`}`
Remove TEMPORARY_DISABLE_PATH_RESTRICTIONS This was a temporary migration tool, and has been broken ever since the ninja environment started being restricted. Remove it, since it has lasted two releases. Test: TEMPORARY_DISABLE_PATH_RESTRICTIONS=true m Change-Id: I2e3709525598030f5c24d12fa966e531dfed33ae 2020-05-02 01:29:00 +02:00			`if config.Error {`
Revert "Revert "Revert "Revert "Add path interposer"""" This reverts commit 09f4540d667a98e548bf5dfc94784382ebedc963. Fixes the raw call to net.Listen in the tests to go through the listen() helper and use the long socket path fallbacks. Removes the use of timeouts from the tests -- the behaviors being tested did not rely on timeouts, so removing them will reduce the flakiness if the build is heavily loading the machine at the same time the test is running. Also fixes some potential nil pointer dereferences. Test: OUT_DIR=<really long> m blueprint_tools Test: `while .../soong-ui-build-paths/test/test; do sleep 0.01; done` with a build running Change-Id: I16d44be7517bc415f1c808284088f4ba40df3bfa 2018-05-26 01:30:04 +02:00			`return 1, fmt.Errorf("%q is not allowed to be used. See https://android.googlesource.com/platform/build/+/master/Changes.md#PATH_Tools for more information.", base)`
			`}`
			`}`

			`cmd.Path, err = exec.LookPath(base)`
			`if err != nil {`
			`return 1, err`
			`}`

			`if err = cmd.Run(); err != nil {`
			`if exitErr, ok := err.(*exec.ExitError); ok {`
			`if status, ok := exitErr.Sys().(syscall.WaitStatus); ok {`
			`if status.Exited() {`
			`return status.ExitStatus(), nil`
			`} else if status.Signaled() {`
			`exitCode := 128 + int(status.Signal())`
			`return exitCode, nil`
			`} else {`
			`return 1, exitErr`
			`}`
			`} else {`
			`return 1, nil`
			`}`
			`}`
			`}`

			`return 0, nil`
			`}`

			`type procEntry struct {`
			`Pid int`
			`Ppid int`
			`Command string`
			`}`

			`func readProcs() map[int]procEntry {`
			`cmd := exec.Command("ps", "-o", "pid,ppid,command")`
			`data, err := cmd.Output()`
			`if err != nil {`
			`return nil`
			`}`

			`return parseProcs(data)`
			`}`

			`func parseProcs(data []byte) map[int]procEntry {`
			`lines := bytes.Split(data, []byte("\n"))`
			`if len(lines) < 2 {`
			`return nil`
			`}`
			`// Remove the header`
			`lines = lines[1:]`

			`ret := make(map[int]procEntry, len(lines))`
			`for _, line := range lines {`
			`fields := bytes.SplitN(line, []byte(" "), 2)`
			`if len(fields) != 2 {`
			`continue`
			`}`

			`pid, err := strconv.Atoi(string(fields[0]))`
			`if err != nil {`
			`continue`
			`}`

			`line = bytes.TrimLeft(fields[1], " ")`

			`fields = bytes.SplitN(line, []byte(" "), 2)`
			`if len(fields) != 2 {`
			`continue`
			`}`

			`ppid, err := strconv.Atoi(string(fields[0]))`
			`if err != nil {`
			`continue`
			`}`

			`ret[pid] = procEntry{`
			`Pid: pid,`
			`Ppid: ppid,`
			`Command: string(bytes.TrimLeft(fields[1], " ")),`
			`}`
			`}`

			`return ret`
			`}`

			`func lookupParents() []paths.LogProcess {`
			`procs := readProcs()`
			`if procs == nil {`
			`return nil`
			`}`

			`list := []paths.LogProcess{}`
			`pid := os.Getpid()`
			`for {`
			`entry, ok := procs[pid]`
			`if !ok {`
			`break`
			`}`

			`list = append([]paths.LogProcess{`
			`{`
			`Pid: pid,`
			`Command: entry.Command,`
			`},`
			`}, list...)`

			`pid = entry.Ppid`
			`}`

			`return list`
			`}`