// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// The sandbox2::Policy class provides methods for manipulating seccomp-bpf
// syscall policies.
#ifndef SANDBOXED_API_SANDBOX2_POLICY_H_
#define SANDBOXED_API_SANDBOX2_POLICY_H_
#include <asm/types.h>
#include <linux/filter.h>

#include <cstddef>
#include <cstdint>
#include <memory>
#include <set>
#include <utility>
#include <vector>

#include "absl/base/macros.h"
#include "absl/types/optional.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/network_proxy/filtering.h"
#include "sandboxed_api/sandbox2/syscall.h"
#include "sandboxed_api/sandbox2/violation.pb.h"
// Convenience macro: expands to TRACE() with the host architecture returned by
// ::sandbox2::Syscall::GetHostArch() as its argument. TRACE itself is not
// defined in this header; presumably it comes from the BPF helper macros used
// when writing policies -- confirm which header provides it at the use site.
#define SANDBOX2_TRACE TRACE(::sandbox2::Syscall::GetHostArch())
namespace sandbox2 {
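namespace internal {
// Magic value placed in registers when executing sys_execveat, so that the
// pre-sandboxing state can be recognized and the Monitor notified.
// It is a fixed, public constant that only marks the call; it is not a secret.
// std::uintptr_t is spelled with its namespace and comes from <cstdint>, so
// the header does not depend on a transitive include for the type.
inline constexpr std::uintptr_t kExecveMagic = 0x921c2c34;
}  // namespace internal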
class Comms;
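// Holds one sandbox policy: the user-supplied seccomp-bpf program together
// with the namespace, capability, stack-trace and network settings stored in
// the members below. The constructor is private, so instances are created by
// PolicyBuilder; the friends listed below read or adjust the contents.
class Policy final {
 public:
  // Skips creation of a user namespace and keeps capabilities in the global
  // namespace. This only makes sense in some rare cases where the sandbox is
  // started as root, please talk to sandbox-team@ before using this function.
  //
  // SECURITY: a sandboxee that keeps capabilities in the global namespace
  // holds real privileges on the host, so the seccomp policy becomes the main
  // remaining barrier. Pass the smallest set of capabilities that works.
  // `caps` presumably holds CAP_* numbers and ends up in `capabilities_` --
  // confirm in the implementation.
  void AllowUnsafeKeepCapabilities(std::vector<int> caps);

  // Stores information about the policy (and the policy builder if existing)
  // in the protobuf structure. `policy` is an output parameter; presumably it
  // must be non-null -- confirm in the implementation.
  void GetPolicyDescription(PolicyDescription* policy) const;

 private:
  // Friends can call the private constructor and read or change every setting
  // below, including the raw filter. Each entry widens the set of code that
  // can alter a policy, so keep the list short.
  friend class MonitorBase;
  friend class PtraceMonitor;
  friend class PolicyBuilder;
  friend class PolicyBuilderPeer;  // For testing
  friend class StackTracePeer;

  // Private constructor only called by the PolicyBuilder.
  Policy() = default;

  // Sends the policy over the IPC channel. The bool result presumably reports
  // success -- confirm in the implementation. Marked [[nodiscard]] so that a
  // failed transfer of the seccomp policy cannot be ignored by accident.
  [[nodiscard]] bool SendPolicy(Comms* comms) const;

  // Returns the policy, but modifies it according to FLAGS and internal
  // requirements (message passing via Comms, Executor::WaitForExecve etc.).
  // The result is returned by value; `user_policy_` itself is not changed
  // (the method is const).
  std::vector<sock_filter> GetPolicy() const;

  // Returns a non-owning pointer to the Namespace, or nullptr when none has
  // been set. The pointer is valid only while this Policy keeps the object.
  Namespace* GetNamespace() { return namespace_.get(); }

  // Takes ownership of `ns`. A previously stored Namespace is destroyed;
  // passing nullptr clears the setting.
  void SetNamespace(std::unique_ptr<Namespace> ns) {
    namespace_ = std::move(ns);
  }

  // Returns the capabilities kept in the sandboxee. The reference is valid
  // only as long as this Policy object is alive.
  const std::vector<int>& capabilities() const { return capabilities_; }

  // Returns the default policy, which blocks certain dangerous syscalls and
  // mismatched syscall tables.
  std::vector<sock_filter> GetDefaultPolicy() const;

  // Returns a policy allowing the Monitor module to track all syscalls.
  std::vector<sock_filter> GetTrackingPolicy() const;

  // The Namespace object, defines ways of putting sandboxee into namespaces.
  // Empty (nullptr) until SetNamespace() is called.
  std::unique_ptr<Namespace> namespace_;

  // Gather stack traces on violations, signals, timeouts or when getting
  // killed. See policybuilder.h for more information.
  // Defaults: on for violation, signal, timeout and kill; off for normal exit.
  bool collect_stacktrace_on_violation_ = true;
  bool collect_stacktrace_on_signal_ = true;
  bool collect_stacktrace_on_timeout_ = true;
  bool collect_stacktrace_on_kill_ = true;
  bool collect_stacktrace_on_exit_ = false;

  // The capabilities to keep in the sandboxee. Empty by default.
  std::vector<int> capabilities_;

  // Optional pointer to a PolicyBuilder description pb object.
  // nullptr when no description is available.
  std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;

  // The policy set by the user.
  std::vector<sock_filter> user_policy_;

  // NOTE(review): presumably set when the user policy carries its own rules
  // for the bpf() and ptrace() syscalls, so that the generated policy leaves
  // them to the user -- confirm where these flags are read. Both default to
  // false.
  bool user_policy_handles_bpf_ = false;
  bool user_policy_handles_ptrace_ = false;

  // Contains a list of hosts the sandboxee is allowed to connect to.
  // Has no value by default; what an unset list means for network access is
  // decided by the code that reads it -- confirm there.
  absl::optional<AllowedHosts> allowed_hosts_;
};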
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_POLICY_H_