Make PolicyBuilder helpers more self-contained

PiperOrigin-RevId: 561032912
Change-Id: I74db0c33609eb74df144db8d1d844b7267bf8ce4
This commit is contained in:
Wiktor Garbacz 2023-08-29 08:11:31 -07:00 committed by Copybara-Service
parent 37f00991b9
commit 0150026d38
2 changed files with 23 additions and 40 deletions


@ -178,12 +178,7 @@ std::unique_ptr<Policy> MinimalTestcasePolicy() {
builder.DisableNamespaces();
}
builder.AllowStaticStartup()
.BlockSyscallWithErrno(__NR_prlimit64, EPERM)
#ifdef __NR_access
.BlockSyscallWithErrno(__NR_access, ENOENT)
#endif
.AllowExit();
builder.AllowStaticStartup().AllowExit();
return builder.BuildOrDie();
}
@ -217,18 +212,7 @@ TEST(MinimalTest, MinimalSharedBinaryWorks) {
builder.AddLibrariesForBinary(path);
}
builder.AllowDynamicStartup()
.AllowOpen()
.AllowExit()
.AllowMmap()
#ifdef __NR_access
// New glibc accesses /etc/ld.so.preload
.BlockSyscallWithErrno(__NR_access, ENOENT)
#endif
#ifdef __NR_faccessat
.BlockSyscallWithErrno(__NR_faccessat, ENOENT)
#endif
.BlockSyscallWithErrno(__NR_prlimit64, EPERM);
builder.AllowDynamicStartup().AllowExit();
auto policy = builder.BuildOrDie();
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
@ -255,13 +239,7 @@ TEST(MallocTest, SystemMallocWorks) {
});
}
builder.AllowStaticStartup()
.AllowSystemMalloc()
.BlockSyscallWithErrno(__NR_prlimit64, EPERM)
#ifdef __NR_access
.BlockSyscallWithErrno(__NR_access, ENOENT)
#endif
.AllowExit();
builder.AllowStaticStartup().AllowSystemMalloc().AllowExit();
auto policy = builder.BuildOrDie();
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
@ -324,19 +302,7 @@ TEST(MultipleSyscalls, AddPolicyOnSyscallsWorks) {
},
{ERRNO(42)})
.AddPolicyOnSyscalls({__NR_read, __NR_write}, {ERRNO(43)})
.AddPolicyOnSyscall(__NR_umask, {DENY})
.BlockSyscallsWithErrno(
{
#ifdef __NR_open
__NR_open,
#endif
__NR_openat,
#ifdef __NR_access
__NR_access,
#endif
},
ENOENT)
.BlockSyscallWithErrno(__NR_prlimit64, EPERM);
.AddPolicyOnSyscall(__NR_umask, {DENY});
auto policy = builder.BuildOrDie();
Sandbox2 s2(std::make_unique<Executor>(path, args), std::move(policy));
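Review bot: The AddPolicyOnSyscallsWorks hunk drops the explicit `BlockSyscallsWithErrno({open, openat, access}, ENOENT)` and `BlockSyscallWithErrno(__NR_prlimit64, EPERM)` without a visible replacement: in the policybuilder.cc side of this commit only AllowScudoMalloc/AllowTcMalloc gain `OverridableBlockSyscallWithErrno(__NR_open/__NR_openat, ENOENT)` and only AllowStaticStartup gains the prlimit64 EPERM default, so whether this builder (its setup starts above the hunk) still turns an open()/openat() into ENOENT rather than a policy violation that kills the sandboxee depends on which helper it calls earlier. Please confirm the test still passes on a glibc that probes files at startup, or keep a one-line `.BlockSyscallsWithErrno({__NR_openat}, ENOENT)` here if the builder does not go through one of the updated helpers. The same applies to the `__NR_access`/`__NR_faccessat` blocks removed in the MinimalSharedBinaryWorks hunk, where the only rationale in the file, `// New glibc accesses /etc/ld.so.preload`, is deleted along with them; that comment should move next to the `AllowAccess();` now added to AllowDynamicStartup, e.g. `// Newer glibc probes /etc/ld.so.preload via access()/faccessat() during dynamic startup.`, so the next reader knows why access is permitted by default. Note that these tests no longer pin the errno the sandboxee sees for prlimit64/access, so a later change to the helpers' overridable defaults would not be caught here.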


@ -221,7 +221,14 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
AllowFutexOp(FUTEX_WAKE);
AllowLimitedMadvise();
AllowGetRandom();
AllowGetPIDs();
AllowWipeOnFork();
#ifdef __NR_open
OverridableBlockSyscallWithErrno(__NR_open, ENOENT);
#endif
#ifdef __NR_openat
OverridableBlockSyscallWithErrno(__NR_openat, ENOENT);
#endif
return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
return {
@ -254,6 +261,13 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
AllowLimitedMadvise();
AllowPrctlSetVma();
AllowPoll();
AllowGetPIDs();
#ifdef __NR_open
OverridableBlockSyscallWithErrno(__NR_open, ENOENT);
#endif
#ifdef __NR_openat
OverridableBlockSyscallWithErrno(__NR_openat, ENOENT);
#endif
AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2),
@ -945,6 +959,9 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT);
#endif
#ifdef __NR_prlimit64
OverridableBlockSyscallWithErrno(__NR_prlimit64, EPERM);
#endif
AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2),
JEQ32(PROT_READ, ALLOW),
@ -955,12 +972,10 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
#ifdef __ANDROID__
AllowAccess();
AllowSafeFcntl();
AllowGetIDs();
AllowGetPIDs();
AllowGetRandom();
AllowOpen();
AllowSyscalls({
#ifdef __NR_fstatfs
__NR_fstatfs,
@ -1026,6 +1041,8 @@ PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
});
#endif
AllowAccess();
AllowOpen();
AllowRead();
AllowStat();
AllowSyscalls({__NR_lseek,