capabilities: forbid fork() and start use Cap.fork (semgrep/semgrep-p…

…roprietary#2118) test plan: make test synced from Pro 904da30960c05633f22650f67f25d72ff2d9ae87
shombo · Sep 2, 2024 · f4084a4 · f4084a4
1 parent 324a299
commit f4084a4
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 14 deletions.
diff --git a/TCB/CapUnix.ml b/TCB/CapUnix.ml
@@ -1,2 +1,3 @@
 let execvp _caps = Unix.execvp
 let system _caps = Unix.system
+let fork _caps = Unix.fork
diff --git a/TCB/CapUnix.mli b/TCB/CapUnix.mli
@@ -5,3 +5,4 @@ val execvp : Cap.Exec.t -> string -> string array -> 'a
 
 (* You should use CapExec.ml instead *)
 val system : Cap.Exec.t -> string -> Unix.process_status
+val fork : Cap.Process.fork -> unit -> int
diff --git a/TCB/forbid_everything.jsonnet b/TCB/forbid_everything.jsonnet
@@ -6,7 +6,6 @@
 //
 // TODO:
 //  - forbid_fs (long)
-//  - forbid_process
 //  - Cap.xxx_caps_UNSAFE()
 //  - many more
 
@@ -16,6 +15,7 @@ local forbid_exec = import 'forbid_exec.jsonnet';
 local forbid_chdir = import 'forbid_chdir.jsonnet';
 local forbid_tmp = import "forbid_tmp.jsonnet";
 local forbid_console = import 'forbid_console.jsonnet';
+local forbid_process = import 'forbid_process.jsonnet';
 local forbid_misc = import 'forbid_misc.jsonnet';
 
 { rules:
@@ -25,5 +25,6 @@ local forbid_misc = import 'forbid_misc.jsonnet';
     forbid_chdir.rules +
     forbid_tmp.rules +
     forbid_console.rules +
+    forbid_process.rules +
     forbid_misc.rules
 }
diff --git a/TCB/forbid_process.jsonnet b/TCB/forbid_process.jsonnet
@@ -0,0 +1,32 @@
+// See also forbid_{exec,exit,chdir}.jsonnet
+local common = import 'common.libsonnet';
+
+local unix_funcs = [
+  'fork',
+  //TODO: alarm, signal, kill, waitpid
+];
+
+{
+  rules: [
+    {
+      id: 'forbid-process',
+      match: { any:
+        // Unix
+        [('Unix.' + p) for p in unix_funcs] +
+        [('UUnix.' + p) for p in unix_funcs] +
+        //TODO Other libs?
+	[]
+      },
+      languages: ['ocaml'],
+      paths: {
+        exclude: common.exclude_paths
+      },
+      severity: 'ERROR',
+      message: |||
+        Do not use directly process functions. Use the
+        safer CapProcess module.
+      |||,
+    },
+  ],
+
+}
diff --git a/libs/commons/CapProcess.ml b/libs/commons/CapProcess.ml
@@ -1,10 +1,11 @@
 (* src: harrop article on fork-based parallelism
  * returns a futur
- * TODO: require fork capability
+ * old: was called invoke() and was in pfff/commons/parallel.ml
+ * related work: my pfff/commons/distribution.ml
  *)
-let invoke_in_child_process f x =
+let apply_in_child_process (caps : < Cap.fork >) f x =
   let input, output = UUnix.pipe () in
-  match UUnix.fork () with
+  match CapUnix.fork caps#fork () with
   (* error, could not create process, well compute now then *)
   | -1 ->
       let v = f x in

diff --git a/libs/commons/CapProcess.mli b/libs/commons/CapProcess.mli
@@ -1,13 +1,6 @@
 (*
- * Important note about exception:
- * from marshal.mli in the OCaml stdlib:
- *  "Values of extensible variant types, for example exceptions (of
- *  extensible type [exn]), returned by the unmarshaller should not be
- *  pattern-matched over through [match ... with] or [try ... with],
- *  because unmarshalling does not preserve the information required for
- *  matching their constructors. Structural equalities with other
- *  extensible variant values does not work either.  Most other uses such
- *  as Printexc.to_string, will still work as expected."
+ * The unit argument is actually so that a call to
+ * [invoke_in_child_process caps f args] can return a promise on the result.
  *)
 
-val invoke_in_child_process : ('a -> 'b) -> 'a -> unit -> 'b
+val apply_in_child_process : < Cap.fork > -> ('a -> 'b) -> 'a -> unit -> 'b
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,3 +5,4 @@ val execvp : Cap.Exec.t -> string -> string array -> 'a

		(* You should use CapExec.ml instead *)
		val system : Cap.Exec.t -> string -> Unix.process_status
		val fork : Cap.Process.fork -> unit -> int