Add DisableCompressStackDepot workaround also for global forkserver/stack tracing

PiperOrigin-RevId: 819837412
Change-Id: I1fad66d9d36f462286c54c61145b0c8c444e7138

Author: happyCoder92

sandboxed_api/sandbox2/BUILD

@@ -277,7 +277,7 @@ cc_library(
         "//sandboxed_api:embed_file",
         "//sandboxed_api/util:fileops",
         "//sandboxed_api/util:raw_logging",
-        "//sandboxed_api/util:status",
+        "@abseil-cpp//absl/algorithm:container",
         "@abseil-cpp//absl/base:core_headers",
         "@abseil-cpp//absl/cleanup",
         "@abseil-cpp//absl/flags:flag",
@@ -286,6 +286,7 @@ cc_library(
         "@abseil-cpp//absl/status:statusor",
         "@abseil-cpp//absl/strings",
         "@abseil-cpp//absl/synchronization",
+        "@com_google_protobuf//:protobuf",
     ],
 )
 
@@ -316,7 +317,6 @@ cc_library(
         ":limits",
         ":namespace",
         ":util",
-        "//sandboxed_api:config",
         "//sandboxed_api/util:fileops",
         "@abseil-cpp//absl/base:core_headers",
         "@abseil-cpp//absl/log",

sandboxed_api/sandbox2/CMakeLists.txt

@@ -242,13 +242,15 @@ add_library(sandbox2_global_forkserver ${SAPI_LIB_TYPE}
 )
 add_library(sandbox2::global_forkserver ALIAS sandbox2_global_forkserver)
 target_link_libraries(sandbox2_global_forkserver
-  PRIVATE absl::cleanup
+  PRIVATE absl::algorithm_container
+          absl::cleanup
           absl::strings
           absl::status
           absl::statusor
           absl::log
           sandbox2::client
           sandbox2::flags
+          sandbox2::forkserver
           sandbox2::forkserver_bin_embed
           sandbox2::util
           sapi::strerror
@@ -257,7 +259,6 @@ target_link_libraries(sandbox2_global_forkserver
           sapi::embed_file
           sapi::fileops
           sapi::raw_logging
-          sapi::status
   PUBLIC absl::core_headers
          absl::flags
          absl::synchronization
@@ -301,7 +302,6 @@ target_link_libraries(sandbox2_executor
          absl::span
          absl::statusor
          absl::strings
-         sapi::config
          sapi::fileops
          sapi::status
          sandbox2::fork_client

sandboxed_api/sandbox2/executor.cc

@@ -20,7 +20,6 @@
 #include <sys/socket.h>
 #include <unistd.h>
 
-#include <algorithm>
 #include <cerrno>
 #include <cstdint>
 #include <memory>
@@ -30,10 +29,8 @@
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
-#include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
-#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/fork_client.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
@@ -46,41 +43,6 @@ namespace sandbox2 {
 
 namespace file_util = ::sapi::file_util;
 
-namespace {
-void DisableCompressStackDepot(ForkRequest& request) {
-  auto disable_compress_stack_depot = [&request](absl::string_view sanitizer) {
-    auto prefix = absl::StrCat(sanitizer, "_OPTIONS=");
-    auto it = std::find_if(request.mutable_envs()->begin(),
-                           request.mutable_envs()->end(),
-                           [&prefix](const std::string& env) {
-                             return absl::StartsWith(env, prefix);
-                           });
-    constexpr absl::string_view option = "compress_stack_depot=0";
-    if (it != request.mutable_envs()->end()) {
-      // If it's already there, the last value will be used.
-      absl::StrAppend(&*it, ":", option);
-      return;
-    }
-    request.add_envs(absl::StrCat(prefix, option));
-  };
-  if constexpr (sapi::sanitizers::IsASan()) {
-    disable_compress_stack_depot("ASAN");
-  }
-  if constexpr (sapi::sanitizers::IsMSan()) {
-    disable_compress_stack_depot("MSAN");
-  }
-  if constexpr (sapi::sanitizers::IsLSan()) {
-    disable_compress_stack_depot("LSAN");
-  }
-  if constexpr (sapi::sanitizers::IsHwASan()) {
-    disable_compress_stack_depot("HWSAN");
-  }
-  if constexpr (sapi::sanitizers::IsTSan()) {
-    disable_compress_stack_depot("TSAN");
-  }
-}
-}  // namespace
-
 std::vector<std::string> Executor::CopyEnviron() {
   return util::CharPtrArray(environ).ToStringVector();
 }
@@ -123,9 +85,7 @@ absl::StatusOr<SandboxeeProcess> Executor::StartSubProcess(
   }
 
   // Disable optimization to avoid related syscalls.
-  if constexpr (sapi::sanitizers::IsAny()) {
-    DisableCompressStackDepot(request);
-  }
+  DisableCompressStackDepot(request.mutable_envs());
 
   // If neither the path, nor exec_fd is specified, just assume that we need to
   // send a fork request.

sandboxed_api/sandbox2/global_forkclient.cc

@@ -27,13 +27,16 @@
 #include <cstdlib>
 #include <memory>
 #include <string>
+#include <vector>
 
+#include "absl/algorithm/container.h"
 #include "absl/base/const_init.h"
 #include "absl/cleanup/cleanup.h"
 #include "absl/flags/flag.h"
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
+#include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 #include "absl/synchronization/mutex.h"
@@ -59,8 +62,42 @@ GlobalForkserverStartModeSet GetForkserverStartMode() {
 struct ForkserverArgs {
   int exec_fd;
   int comms_fd;
+  const char* const* envp;
 };
 
+template <typename C, typename AddFn>
+void DisableCompressStackDepotImpl(C& envs, AddFn&& add_env) {
+  auto disable_compress_stack_depot = [&envs,
+                                       &add_env](absl::string_view sanitizer) {
+    auto prefix = absl::StrCat(sanitizer, "_OPTIONS=");
+    constexpr absl::string_view option = "compress_stack_depot=0";
+    auto it = absl::c_find_if(envs, [&prefix](const std::string& env) {
+      return absl::StartsWith(env, prefix);
+    });
+    if (it != envs.end()) {
+      // If it's already there, the last value will be used.
+      absl::StrAppend(&*it, ":", option);
+      return;
+    }
+    add_env(absl::StrCat(prefix, option));
+  };
+  if constexpr (sapi::sanitizers::IsASan()) {
+    disable_compress_stack_depot("ASAN");
+  }
+  if constexpr (sapi::sanitizers::IsMSan()) {
+    disable_compress_stack_depot("MSAN");
+  }
+  if constexpr (sapi::sanitizers::IsLSan()) {
+    disable_compress_stack_depot("LSAN");
+  }
+  if constexpr (sapi::sanitizers::IsHwASan()) {
+    disable_compress_stack_depot("HWSAN");
+  }
+  if constexpr (sapi::sanitizers::IsTSan()) {
+    disable_compress_stack_depot("TSAN");
+  }
+}
+
 int LaunchForkserver(void* vargs) {
   auto* args = static_cast<ForkserverArgs*>(vargs);
   // Move the comms FD to the proper, expected FD number.
@@ -78,7 +115,7 @@ int LaunchForkserver(void* vargs) {
 
   char proc_name[] = "S2-FORK-SERV";
   char* const argv[] = {proc_name, nullptr};
-  util::Execveat(args->exec_fd, "", argv, environ, AT_EMPTY_PATH);
+  util::Execveat(args->exec_fd, "", argv, args->envp, AT_EMPTY_PATH);
   SAPI_RAW_PLOG(FATAL, "Could not launch forkserver binary");
 }
 
@@ -128,9 +165,15 @@ absl::StatusOr<std::unique_ptr<GlobalForkClient>> StartGlobalForkServer() {
   absl::Cleanup stack_dealloc = [stack, stack_size] {
     munmap(stack, stack_size);
   };
+  std::vector<std::string> env = util::CharPtrArray(environ).ToStringVector();
+  DisableCompressStackDepotImpl(env, [&env](absl::string_view value) {
+    env.push_back(std::string(value));
+  });
+  util::CharPtrArray envp = util::CharPtrArray::FromStringVector(env);
   ForkserverArgs args = {
       .exec_fd = exec_fd,
       .comms_fd = sv[0],
+      .envp = envp.data(),
   };
   pid_t pid = clone(LaunchForkserver, &stack[stack_size], clone_flags, &args,
                     nullptr, nullptr, nullptr);
@@ -167,6 +210,11 @@ void WaitForForkserver(pid_t pid) {
 absl::Mutex GlobalForkClient::instance_mutex_(absl::kConstInit);
 GlobalForkClient* GlobalForkClient::instance_ = nullptr;
 
+void DisableCompressStackDepot(google::protobuf::RepeatedPtrField<std::string>* envs) {
+  DisableCompressStackDepotImpl(
+      *envs, [&envs](absl::string_view env) { envs->Add(std::string(env)); });
+}
+
 void GlobalForkClient::EnsureStarted(GlobalForkserverStartMode mode) {
   absl::MutexLock lock(&instance_mutex_);
   EnsureStartedLocked(mode);

sandboxed_api/sandbox2/global_forkclient.h

@@ -20,15 +20,20 @@
 
 #include <sys/types.h>
 
+#include <string>
+
 #include "absl/base/thread_annotations.h"
 #include "absl/synchronization/mutex.h"
+#include "google/protobuf/repeated_ptr_field.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/flags.h"  // IWYU pragma: export
 #include "sandboxed_api/sandbox2/fork_client.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
 
 namespace sandbox2 {
 
+void DisableCompressStackDepot(google::protobuf::RepeatedPtrField<std::string>* envs);
+
 class GlobalForkClient {
  public:
   GlobalForkClient(int fd, pid_t pid)