Add base for sandboxing with libseccomp.

metacall · Sep 27, 2023 · 216f336 · 216f336
1 parent f85e888
commit 216f336
Show file tree

Hide file tree

Showing 16 changed files with 857 additions and 19 deletions.
diff --git a/source/cli/plugins/cli_core_plugin/source/cli_core_plugin.cpp b/source/cli/plugins/cli_core_plugin/source/cli_core_plugin.cpp
@@ -319,13 +319,13 @@ void *inspect(size_t argc, void *args[], void *data)
 int cli_core_plugin(void *loader, void *handle, void *context)
 {
 	(void)handle;
-	int ret = 0;
+
 	{
 		enum metacall_value_id *arg_types = NULL;
 		if (metacall_register_loaderv(loader, context, "inspect", inspect, METACALL_STRING, 0, arg_types) != 0)
 		{
 			log_write("metacall", LOG_LEVEL_ERROR, "Failed to register function: inspect");
-			ret = 1;
+			return 1;
 		}
 	}
 
@@ -334,7 +334,7 @@ int cli_core_plugin(void *loader, void *handle, void *context)
 		if (metacall_register_loaderv(loader, context, "clear", clear, METACALL_INT, sizeof(arg_types) / sizeof(arg_types[0]), arg_types) != 0)
 		{
 			log_write("metacall", LOG_LEVEL_ERROR, "Failed to register function: clear");
-			ret = 1;
+			return 1;
 		}
 	}
 
@@ -343,7 +343,7 @@ int cli_core_plugin(void *loader, void *handle, void *context)
 		if (metacall_register_loaderv(loader, context, "call", call, METACALL_PTR, sizeof(arg_types) / sizeof(arg_types[0]), arg_types) != 0)
 		{
 			log_write("metacall", LOG_LEVEL_ERROR, "Failed to register function: call");
-			ret = 1;
+			return 1;
 		}
 	}
 
@@ -352,7 +352,7 @@ int cli_core_plugin(void *loader, void *handle, void *context)
 		if (metacall_register_loaderv(loader, context, "await", await, METACALL_PTR, sizeof(arg_types) / sizeof(arg_types[0]), arg_types) != 0)
 		{
 			log_write("metacall", LOG_LEVEL_ERROR, "Failed to register function: await");
-			ret = 1;
+			return 1;
 		}
 	}
 
@@ -361,7 +361,7 @@ int cli_core_plugin(void *loader, void *handle, void *context)
 		if (metacall_register_loaderv(loader, context, "eval", eval, METACALL_INT, sizeof(arg_types) / sizeof(arg_types[0]), arg_types) != 0)
 		{
 			log_write("metacall", LOG_LEVEL_ERROR, "Failed to register function: eval");
-			ret = 1;
+			return 1;
 		}
 	}
 
@@ -370,9 +370,9 @@ int cli_core_plugin(void *loader, void *handle, void *context)
 		if (metacall_register_loaderv(loader, context, "load", load, METACALL_INT, sizeof(arg_types) / sizeof(arg_types[0]), arg_types) != 0)
 		{
 			log_write("metacall", LOG_LEVEL_ERROR, "Failed to register function: load");
-			ret = 1;
+			return 1;
 		}
 	}
 
-	return ret;
+	return 0;
 }
diff --git a/source/plugins/CMakeLists.txt b/source/plugins/CMakeLists.txt
@@ -5,9 +5,11 @@ endif()
 
 # Plugins options
 option(OPTION_BUILD_PLUGINS_BACKTRACE "Build cross-platform backtrace plugin." ON)
+option(OPTION_BUILD_PLUGINS_SANDBOX "Build cross-platform Linux sandbox plugin." OFF)
 
 # Plugin sub-projects
 add_subdirectory(backtrace_plugin)
+add_subdirectory(sandbox_plugin)
 
 # Install plugin directory
 install(DIRECTORY ${PROJECT_OUTPUT_DIR}/plugins

diff --git a/source/plugins/backtrace_plugin/CMakeLists.txt b/source/plugins/backtrace_plugin/CMakeLists.txt
@@ -32,7 +32,7 @@ find_package(Backward
 )
 
 if(NOT BACKWARD_FOUND)
-	message(SEND_ERROR "BackwardCpp could not be found, skipping backtrace plugin compilation")
+	message(WARNING "BackwardCpp could not be found, skipping backtrace plugin compilation")
 	return()
 endif()
 

diff --git a/source/plugins/backtrace_plugin/include/backtrace_plugin/backtrace_plugin.h b/source/plugins/backtrace_plugin/include/backtrace_plugin/backtrace_plugin.h
@@ -1,5 +1,5 @@
 /*
- *	CLI Core Plugin by Parra Studios
+ *	Backtrace Plugin by Parra Studios
  *	A plugin implementing backtracing functionality for MetaCall Core.
  *
  *	Copyright (C) 2016 - 2022 Vicente Eduardo Ferrer Garcia <vic798@gmail.com>

diff --git a/source/plugins/backtrace_plugin/source/backtrace_plugin.cpp b/source/plugins/backtrace_plugin/source/backtrace_plugin.cpp
@@ -1,5 +1,5 @@
 /*
- *	CLI Core Plugin by Parra Studios
+ *	Backtrace Plugin by Parra Studios
  *	A plugin implementing backtracing functionality for MetaCall Core.
  *
  *	Copyright (C) 2016 - 2022 Vicente Eduardo Ferrer Garcia <vic798@gmail.com>
@@ -37,5 +37,6 @@ int backtrace_plugin(void *loader, void *handle, void *context)
 		log_write("metacall", LOG_LEVEL_ERROR, "Backtrace plugin failed to load, you need unwind/libunwind for stacktracing and libbfd/libdw/libdwarf for the debug information. Install the required libraries and recompile to utilise the backtrace plugin. For more information visit https://github.com/bombela/backward-cpp");
 		return 1;
 	}
+
 	return 0;
 }
diff --git a/source/plugins/sandbox_plugin/CMakeLists.txt b/source/plugins/sandbox_plugin/CMakeLists.txt
@@ -0,0 +1,227 @@
+# Check if this loader is enabled
+if(NOT OPTION_BUILD_LOADERS OR NOT OPTION_BUILD_LOADERS_EXT OR NOT OPTION_BUILD_EXTENSIONS OR NOT OPTION_BUILD_PLUGINS_SANDBOX)
+	return()
+endif()
+
+include(Portability)
+
+if(NOT PROJECT_OS_FAMILY STREQUAL unix)
+	message(WARNING "Sandbox plugin requires LibSecComp which only works on Linux families by now, skipping sandbox plugin compilation")
+	return()
+endif()
+
+#
+# External dependencies
+#
+
+# Include cmake modules
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
+
+find_package(LibSecComp 2)
+
+if(NOT LibSecComp_FOUND)
+	message(WARNING "LibSecComp could not be found, skipping sandbox plugin compilation")
+	return()
+endif()
+
+#
+# Plugin name and options
+#
+
+# Target name
+set(target sandbox_plugin)
+
+# Exit here if required dependencies are not met
+message(STATUS "Plugin ${target}")
+
+# Set API export file and macro
+string(TOUPPER ${target} target_upper)
+set(export_file  "include/${target}/${target}_api.h")
+set(export_macro "${target_upper}_API")
+
+#
+# Compiler warnings
+#
+
+include(Warnings)
+
+#
+# Compiler security
+#
+
+include(SecurityFlags)
+
+#
+# Sources
+#
+
+set(include_path "${CMAKE_CURRENT_SOURCE_DIR}/include/${target}")
+set(source_path  "${CMAKE_CURRENT_SOURCE_DIR}/source")
+
+set(headers
+	${include_path}/sandbox_plugin.h
+)
+
+set(sources
+	${source_path}/sandbox_plugin.cpp
+)
+
+# Group source files
+set(header_group "Header Files (API)")
+set(source_group "Source Files")
+source_group_by_path(${include_path} "\\\\.h$|\\\\.hpp$"
+	${header_group} ${headers})
+source_group_by_path(${source_path}  "\\\\.cpp$|\\\\.c$|\\\\.h$|\\\\.hpp$"
+	${source_group} ${sources})
+
+#
+# Create library
+#
+
+# Build library
+add_library(${target} MODULE
+	${sources}
+	${headers}
+)
+
+# Create namespaced alias
+add_library(${META_PROJECT_NAME}::${target} ALIAS ${target})
+
+# Export library for downstream projects
+export(TARGETS ${target} NAMESPACE ${META_PROJECT_NAME}:: FILE ${PROJECT_BINARY_DIR}/cmake/${target}/${target}-export.cmake)
+
+# Create API export header
+generate_export_header(${target}
+	EXPORT_FILE_NAME  ${export_file}
+	EXPORT_MACRO_NAME ${export_macro}
+)
+
+#
+# Project options
+#
+
+set(PLUGIN_OUTPUT_DIRECTORY "${PROJECT_OUTPUT_DIR}/plugins/${target}")
+
+set_target_properties(${target}
+	PROPERTIES
+	${DEFAULT_PROJECT_OPTIONS}
+	FOLDER "${IDE_FOLDER}"
+	BUNDLE $<$<BOOL:${APPLE}>:$<$<VERSION_GREATER:${PROJECT_OS_VERSION},8>>>
+
+	# Define custom build output directory
+	LIBRARY_OUTPUT_DIRECTORY "${PLUGIN_OUTPUT_DIRECTORY}"
+	LIBRARY_OUTPUT_DIRECTORY_DEBUG "${PLUGIN_OUTPUT_DIRECTORY}"
+	LIBRARY_OUTPUT_DIRECTORY_RELEASE "${PLUGIN_OUTPUT_DIRECTORY}"
+	LIBRARY_OUTPUT_DIRECTORY_RELWITHDEBINFO "${PLUGIN_OUTPUT_DIRECTORY}"
+	LIBRARY_OUTPUT_DIRECTORY_MINSIZEREL "${PLUGIN_OUTPUT_DIRECTORY}"
+
+	RUNTIME_OUTPUT_DIRECTORY "${PLUGIN_OUTPUT_DIRECTORY}"
+	RUNTIME_OUTPUT_DIRECTORY_DEBUG "${PLUGIN_OUTPUT_DIRECTORY}"
+	RUNTIME_OUTPUT_DIRECTORY_RELEASE "${PLUGIN_OUTPUT_DIRECTORY}"
+	RUNTIME_OUTPUT_DIRECTORY_RELWITHDEBINFO "${PLUGIN_OUTPUT_DIRECTORY}"
+	RUNTIME_OUTPUT_DIRECTORY_MINSIZEREL "${PLUGIN_OUTPUT_DIRECTORY}"
+
+	ARCHIVE_OUTPUT_DIRECTORY "${PLUGIN_OUTPUT_DIRECTORY}"
+	ARCHIVE_OUTPUT_DIRECTORY_DEBUG "${PLUGIN_OUTPUT_DIRECTORY}"
+	ARCHIVE_OUTPUT_DIRECTORY_RELEASE "${PLUGIN_OUTPUT_DIRECTORY}"
+	ARCHIVE_OUTPUT_DIRECTORY_RELWITHDEBINFO "${PLUGIN_OUTPUT_DIRECTORY}"
+	ARCHIVE_OUTPUT_DIRECTORY_MINSIZEREL "${PLUGIN_OUTPUT_DIRECTORY}"
+)
+
+#
+# Include directories
+#
+
+target_include_directories(${target}
+	PRIVATE
+	${PROJECT_BINARY_DIR}/source/include
+	${CMAKE_CURRENT_SOURCE_DIR}/include
+	${CMAKE_CURRENT_BINARY_DIR}/include
+
+	$<TARGET_PROPERTY:${META_PROJECT_NAME}::metacall,INCLUDE_DIRECTORIES> # MetaCall includes
+
+	PUBLIC
+	${DEFAULT_INCLUDE_DIRECTORIES}
+
+	INTERFACE
+	$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
+	$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>
+	$<INSTALL_INTERFACE:include>
+)
+
+#
+# Libraries
+#
+
+target_link_libraries(${target}
+	PRIVATE
+	${META_PROJECT_NAME}::metacall # MetaCall library
+
+	LibSecComp::LibSecComp # LibSecComp library
+
+	PUBLIC
+	${DEFAULT_LIBRARIES}
+
+	INTERFACE
+)
+
+#
+# Compile definitions
+#
+
+target_compile_definitions(${target}
+	PRIVATE
+
+	PUBLIC
+	$<$<NOT:$<BOOL:${BUILD_SHARED_LIBS}>>:${target_upper}_STATIC_DEFINE>
+	${DEFAULT_COMPILE_DEFINITIONS}
+
+	INTERFACE
+)
+
+#
+# Compile options
+#
+
+target_compile_options(${target}
+	PRIVATE
+
+	PUBLIC
+	${DEFAULT_COMPILE_OPTIONS}
+
+	INTERFACE
+)
+
+#
+# Linker options
+#
+
+target_link_libraries(${target}
+	PRIVATE
+
+	PUBLIC
+	${DEFAULT_LINKER_OPTIONS}
+
+	INTERFACE
+)
+
+#
+# Define dependencies
+#
+
+# Copy metacall.json
+add_custom_target(${target}-create-plugin-dir ALL
+	WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+	COMMAND ${CMAKE_COMMAND} -E make_directory ${PLUGIN_OUTPUT_DIRECTORY}
+	COMMAND ${CMAKE_COMMAND} -E copy ${source_path}/metacall.json ${PLUGIN_OUTPUT_DIRECTORY}/metacall.json
+)
+
+set_target_properties(${target}-create-plugin-dir
+	PROPERTIES
+	FOLDER "${IDE_FOLDER}"
+)
+
+add_dependencies(${target}
+	${target}-create-plugin-dir
+	plugin_extension
+)