work

MikailBag · MikailBag · commit babaf059acdd · 2020-08-26T20:05:38.000+03:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,6 +10,7 @@ serde = { version = "1.0.106", features = ["derive"] }
 backtrace = "0.3.46"
 thiserror = "1.0.19"
 anyhow = "1.0.32"
+tracing = "0.1.19"
 
 [target.'cfg(target_os="linux")'.dependencies]
 tiny-nix-ipc = { git = "https://github.com/myfreeweb/tiny-nix-ipc", features = ["ser_json", "zero_copy"] }
@@ -21,7 +22,7 @@ serde_json = "1.0.51"
 
 [target.'cfg(target_os="windows")'.dependencies]
 winapi = { version = "0.3.9", features = ["std", "processthreadsapi", "jobapi2", "errhandlingapi",
- "namedpipeapi", "fileapi", "synchapi", "winnt", "userenv", "handleapi"] }
+ "namedpipeapi", "fileapi", "synchapi", "winnt", "userenv", "handleapi", "securitybaseapi", "sddl"] }
 
 [workspace]
 members = ["minion-ffi", ".", "minion-tests", "minion-cli"]
diff --git a/rustfmt.toml b/rustfmt.toml
@@ -0,0 +1 @@
+merge_imports = true
diff --git a/src/windows.rs b/src/windows.rs
@@ -3,8 +3,10 @@
 mod child;
 pub mod error;
 mod pipe;
-mod sandbox;
+mod constrain;
 mod spawn;
+mod sandbox;
+mod isolate;
 
 pub use error::Error;
 pub use pipe::{ReadPipe, WritePipe};
@@ -36,5 +38,6 @@ impl crate::Backend for WindowsBackend {
         &self,
         options: crate::ChildProcessOptions<Self::Sandbox>,
     ) -> Result<Self::ChildProcess, Self::Error> {
+        todo!()
     }
 }
diff --git a/src/windows/constrain.rs b/src/windows/constrain.rs
@@ -0,0 +1,142 @@
+//! Implements resource limits
+
+use std::{ffi::OsString, os::windows::ffi::OsStrExt};
+
+use crate::{
+    windows::{Cvt, Error},
+    ResourceUsageData,
+};
+
+use winapi::um::{
+    handleapi::CloseHandle,
+    jobapi2::{
+        AssignProcessToJobObject, CreateJobObjectW, QueryInformationJobObject,
+        SetInformationJobObject, TerminateJobObject,
+    },
+    winnt::{
+        JobObjectBasicAccountingInformation, JobObjectExtendedLimitInformation,
+        JobObjectLimitViolationInformation, HANDLE, JOBOBJECT_BASIC_ACCOUNTING_INFORMATION,
+        JOBOBJECT_EXTENDED_LIMIT_INFORMATION, JOBOBJECT_LIMIT_VIOLATION_INFORMATION,
+        JOB_OBJECT_LIMIT_ACTIVE_PROCESS, JOB_OBJECT_LIMIT_JOB_MEMORY, JOB_OBJECT_LIMIT_JOB_TIME,
+        JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE,
+    },
+};
+
+/// Responsible for resource isolation & adding & killing
+#[derive(Debug)]
+pub(crate) struct Job {
+    handle: HANDLE,
+}
+
+unsafe impl Send for Job {}
+unsafe impl Sync for Job {}
+
+impl Job {
+    pub(crate) fn new(jail_id: &str) -> Result<Self, Error> {
+        let name: OsString = format!("minion-sandbox-job-{}", jail_id).into();
+        let name: Vec<u16> = name.encode_wide().collect();
+        let handle = unsafe {
+            Cvt::nonzero(CreateJobObjectW(std::ptr::null_mut(), name.as_ptr()) as i32)? as HANDLE
+        };
+        Ok(Self { handle })
+    }
+    pub(crate) fn enable_resource_limits(
+        &mut self,
+        options: &crate::SandboxOptions,
+    ) -> Result<(), Error> {
+        let mut info: JOBOBJECT_EXTENDED_LIMIT_INFORMATION = unsafe { std::mem::zeroed() };
+        info.JobMemoryLimit = options.memory_limit as usize;
+        info.BasicLimitInformation.ActiveProcessLimit = options.max_alive_process_count;
+        unsafe {
+            *info
+                .BasicLimitInformation
+                .PerJobUserTimeLimit
+                .QuadPart_mut() = (options.cpu_time_limit.as_nanos() / 100) as i64;
+        };
+        info.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_JOB_MEMORY
+            | JOB_OBJECT_LIMIT_ACTIVE_PROCESS
+            | JOB_OBJECT_LIMIT_JOB_TIME
+            // let's make sure sandbox will die if we panic / abort
+            | JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
+        unsafe {
+            Cvt::nonzero(SetInformationJobObject(
+                self.handle,
+                JobObjectExtendedLimitInformation,
+                (&mut info as *mut JOBOBJECT_EXTENDED_LIMIT_INFORMATION).cast(),
+                sizeof::<JOBOBJECT_EXTENDED_LIMIT_INFORMATION>(),
+            ))?;
+        }
+        Ok(())
+    }
+    pub(crate) fn kill(&self) -> Result<(), Error> {
+        unsafe { Cvt::nonzero(TerminateJobObject(self.handle, 0xDEADBEEF)).map(|_| ()) }
+    }
+    pub(crate) fn add_process(&self, process_handle: HANDLE) -> Result<(), Error> {
+        unsafe { Cvt::nonzero(AssignProcessToJobObject(self.handle, process_handle)).map(|_| ()) }
+    }
+    pub(crate) fn resource_usage(&self) -> Result<crate::ResourceUsageData, Error> {
+        let cpu = unsafe {
+            let mut info: JOBOBJECT_BASIC_ACCOUNTING_INFORMATION = std::mem::zeroed();
+            Cvt::nonzero(QueryInformationJobObject(
+                self.handle,
+                JobObjectBasicAccountingInformation,
+                (&mut info as *mut JOBOBJECT_BASIC_ACCOUNTING_INFORMATION).cast(),
+                sizeof::<JOBOBJECT_BASIC_ACCOUNTING_INFORMATION>(),
+                std::ptr::null_mut(),
+            ))?;
+
+            let user_ticks = *info.TotalUserTime.QuadPart() as u64;
+            let kernel_ticks = *info.TotalKernelTime.QuadPart() as u64;
+            (user_ticks + kernel_ticks) * 100
+        };
+        let memory = unsafe {
+            let mut info: JOBOBJECT_EXTENDED_LIMIT_INFORMATION = std::mem::zeroed();
+            Cvt::nonzero(QueryInformationJobObject(
+                self.handle,
+                JobObjectExtendedLimitInformation,
+                (&mut info as *mut JOBOBJECT_EXTENDED_LIMIT_INFORMATION).cast(),
+                sizeof::<JOBOBJECT_EXTENDED_LIMIT_INFORMATION>(),
+                std::ptr::null_mut(),
+            ))?;
+            info.PeakJobMemoryUsed as u64
+        };
+
+        Ok(ResourceUsageData {
+            time: Some(cpu),
+            memory: Some(memory),
+        })
+    }
+    pub(crate) fn check_cpu_tle(&self) -> Result<bool, Error> {
+        unsafe {
+            let mut info: JOBOBJECT_LIMIT_VIOLATION_INFORMATION = std::mem::zeroed();
+            Cvt::nonzero(QueryInformationJobObject(
+                self.handle,
+                JobObjectLimitViolationInformation,
+                (&mut info as *mut JOBOBJECT_LIMIT_VIOLATION_INFORMATION).cast(),
+                sizeof::<JOBOBJECT_LIMIT_VIOLATION_INFORMATION>(),
+                std::ptr::null_mut(),
+            ))?;
+            let viol = info.ViolationLimitFlags & JOB_OBJECT_LIMIT_JOB_TIME;
+            Ok(viol != 0)
+        }
+    }
+
+    pub(crate) fn check_real_tle(&self) -> Result<bool, Error> {
+        // TODO
+        Ok(false)
+    }
+}
+
+impl Drop for Job {
+    fn drop(&mut self) {
+        unsafe {
+            CloseHandle(self.handle);
+        }
+    }
+}
+
+fn sizeof<T>() -> u32 {
+    let sz = std::mem::size_of::<T>();
+    assert!(sz <= (u32::max_value() as usize));
+    sz as u32
+}
diff --git a/src/windows/error.rs b/src/windows/error.rs
@@ -1,7 +1,9 @@
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
-    #[error("winapi call failed")]
+    #[error("winapi call failed: {errno}")]
     Syscall { errno: u32 },
+    #[error("hresult call failed: {hresult}")]
+    Hresult { hresult: i32 },
 }
 
 impl From<u32> for Error {
@@ -12,9 +14,9 @@ impl From<u32> for Error {
 
 impl Error {
     pub(crate) fn last() -> Self {
-        Error::Syscall {
-            errno: unsafe { winapi::um::errhandlingapi::GetLastError() },
-        }
+        let errno = unsafe { winapi::um::errhandlingapi::GetLastError() };
+        tracing::error!(errno = errno, "win32 error");
+        Error::Syscall { errno }
     }
 }
 
@@ -32,4 +34,14 @@ impl Cvt {
             Err(Error::last())
         }
     }
+
+    /// Checks HRESULT is successful
+    pub fn hresult(hr: winapi::shared::winerror::HRESULT) -> Result<(), Error> {
+        if winapi::shared::winerror::SUCCEEDED(hr) {
+            Ok(())
+        } else {
+            tracing::error!(result = hr, "Unsuccessful HRESULT");
+            Err(Error::Hresult { hresult: hr })
+        }
+    }
 }
diff --git a/src/windows/isolate.rs b/src/windows/isolate.rs
@@ -0,0 +1,80 @@
+//! Implements security restrictions
+use crate::windows::{Cvt, Error};
+use std::{
+    ffi::OsString,
+    os::windows::ffi::{OsStrExt, OsStringExt},
+};
+use tracing::instrument;
+use winapi::{
+    shared::sddl::ConvertSidToStringSidW,
+    um::{
+        securitybaseapi::FreeSid,
+        userenv::{CreateAppContainerProfile, DeleteAppContainerProfile},
+        winbase::LocalFree,
+        winnt::{PSID, SECURITY_CAPABILITIES},
+    },
+};
+
+/// Represents one AppContainer
+#[derive(Debug)]
+pub(crate) struct Profile {
+    /// Pointer to the Security Identifier (SID) of this container
+    sid: PSID,
+}
+
+unsafe impl Send for Profile {}
+unsafe impl Sync for Profile {}
+
+impl Profile {
+    /// Creates new profile. Takes new, unique sandbox_id.
+    #[instrument(skip(sandbox_id))]
+    pub(crate) fn new(sandbox_id: &str) -> Result<Profile, Error> {
+        tracing::info!(sandbox_id, "creating profile");
+        let profile_name = OsString::from(format!("minion-sandbox-appcontainer-{}", sandbox_id));
+        let mut profile_name: Vec<u16> = profile_name.encode_wide().collect();
+        profile_name.push(0);
+        let profile_name = profile_name.as_ptr();
+        let mut sid = std::ptr::null_mut();
+        unsafe {
+            let mut sid_string_repr = std::ptr::null_mut();
+            let res = ConvertSidToStringSidW(sid, &mut sid_string_repr);
+            if res != 0 {
+                let mut cnt = 0;
+                while *(sid_string_repr.add(cnt)) == 0 {
+                    cnt += 1;
+                }
+                let repr = OsString::from_wide(std::slice::from_raw_parts(sid_string_repr, cnt));
+                let repr = repr.to_string_lossy();
+                tracing::info!(sid=%repr, "obtained SID");
+                LocalFree(sid_string_repr.cast());
+            }
+        }
+        unsafe {
+            Cvt::hresult(CreateAppContainerProfile(
+                profile_name,
+                profile_name,
+                profile_name,
+                std::ptr::null_mut(),
+                0,
+                &mut sid,
+            ))?;
+        }
+        Ok(Profile { sid })
+    }
+    /// Returns `SECURITY_CAPABILITIES` representing this container.
+    #[instrument(skip(self))]
+    pub(crate) fn get_security_capabilities(&self) -> SECURITY_CAPABILITIES {
+        let mut caps: SECURITY_CAPABILITIES = unsafe { std::mem::zeroed() };
+        caps.CapabilityCount = 0;
+        caps.AppContainerSid = self.sid;
+        caps
+    }
+}
+
+impl Drop for Profile {
+    fn drop(&mut self) {
+        unsafe {
+            FreeSid(self.sid);
+        }
+    }
+}
diff --git a/src/windows/sandbox.rs b/src/windows/sandbox.rs
diff --git a/src/windows/spawn.rs b/src/windows/spawn.rs

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,9 @@`
`1`	`1`	`#[derive(Debug, thiserror::Error)]`
`2`	`2`	`pub enum Error {`
`3`		`- #[error("winapi call failed")]`
	`3`	`+ #[error("winapi call failed: {errno}")]`
`4`	`4`	`Syscall { errno: u32 },`
	`5`	`+ #[error("hresult call failed: {hresult}")]`
	`6`	`+ Hresult { hresult: i32 },`
`5`	`7`	`}`
`6`	`8`
`7`	`9`	`impl From<u32> for Error {`
`@@ -12,9 +14,9 @@ impl From<u32> for Error {`
`12`	`14`
`13`	`15`	`impl Error {`
`14`	`16`	`pub(crate) fn last() -> Self {`
`15`		`- Error::Syscall {`
`16`		`- errno: unsafe { winapi::um::errhandlingapi::GetLastError() },`
`17`		`- }`
	`17`	`+ let errno = unsafe { winapi::um::errhandlingapi::GetLastError() };`
	`18`	`+ tracing::error!(errno = errno, "win32 error");`
	`19`	`+ Error::Syscall { errno }`
`18`	`20`	`}`
`19`	`21`	`}`
`20`	`22`
`@@ -32,4 +34,14 @@ impl Cvt {`
`32`	`34`	`Err(Error::last())`
`33`	`35`	`}`
`34`	`36`	`}`
	`37`	`+`
	`38`	`+ /// Checks HRESULT is successful`
	`39`	`+ pub fn hresult(hr: winapi::shared::winerror::HRESULT) -> Result<(), Error> {`
	`40`	`+ if winapi::shared::winerror::SUCCEEDED(hr) {`
	`41`	`+ Ok(())`
	`42`	`+ } else {`
	`43`	`+ tracing::error!(result = hr, "Unsuccessful HRESULT");`
	`44`	`+ Err(Error::Hresult { hresult: hr })`
	`45`	`+ }`
	`46`	`+ }`
`35`	`47`	`}`