Automated rollback of commit 800339d672.

PiperOrigin-RevId: 294644781
Change-Id: I88ad35abd96468476294039a41b6f2a8234db6ca
This commit is contained in:
Sandboxed API Team 2020-02-12 14:21:12 +01:00 committed by Christian Blichmann
parent 800339d672
commit 05280287e0
20 changed files with 547 additions and 146 deletions

View File

@ -89,7 +89,7 @@ cc_library(
":syscall",
":util",
"//sandboxed_api/util:status",
"//sandboxed_api/util:statusor",
"@com_google_absl//absl/base",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
],
@ -127,6 +127,36 @@ cc_library(
],
)
cc_library(
name = "network_proxy_server",
srcs = ["network_proxy_server.cc"],
hdrs = ["network_proxy_server.h"],
copts = sapi_platform_copts(),
deps = [
":comms",
"//sandboxed_api/sandbox2/util:fileops",
"@com_google_absl//absl/memory",
"@com_google_glog//:glog",
],
)
cc_library(
name = "network_proxy_client",
srcs = ["network_proxy_client.cc"],
hdrs = ["network_proxy_client.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
deps = [
":comms",
"//sandboxed_api/sandbox2/util:strerror",
"//sandboxed_api/util:status",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/synchronization",
"@com_google_glog//:glog",
],
)
cc_library(
name = "ipc",
srcs = ["ipc.cc"],
@ -136,6 +166,8 @@ cc_library(
":comms",
":logserver",
":logsink",
":network_proxy_client",
":network_proxy_server",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
@ -154,7 +186,6 @@ cc_library(
":regs",
":syscall",
":violation_cc_proto",
"//sandboxed_api/sandbox2/network_proxy:filtering",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:flags",
"@com_google_absl//absl/base:core_headers",
@ -275,10 +306,10 @@ cc_library(
":client",
":executor",
":comms",
":forkserver_cc_proto",
":global_forkserver",
":violation_cc_proto",
":forkserver",
":forkserver_cc_proto",
":global_forkserver",
":ipc",
":limits",
":logsink",
@ -290,6 +321,7 @@ cc_library(
":result",
":syscall",
":util",
":network_proxy_client",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/container:flat_hash_map",
"@com_google_absl//absl/container:flat_hash_set",
@ -301,17 +333,12 @@ cc_library(
"@com_google_absl//absl/time",
"@com_google_absl//absl/types:optional",
"@org_kernel_libcap//:libcap",
"//sandboxed_api/sandbox2/network_proxy:client",
"//sandboxed_api/sandbox2/network_proxy:filtering",
"//sandboxed_api/sandbox2/network_proxy:server",
"//sandboxed_api/sandbox2/unwind",
"//sandboxed_api/sandbox2/unwind:unwind_cc_proto",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/sandbox2/util:file_base",
"//sandboxed_api/sandbox2/util:fileops",
"//sandboxed_api/sandbox2/util:strerror",
"//sandboxed_api/util:raw_logging",
"//util/functional",
"//sandboxed_api/util:status",
"//sandboxed_api/util:statusor",
@ -337,7 +364,7 @@ cc_library(
deps = [
":comms",
":logsink",
"//sandboxed_api/sandbox2/network_proxy:client",
":network_proxy_client",
"//sandboxed_api/sandbox2/util:file_helpers",
"//sandboxed_api/sandbox2/util:fileops",
"//sandboxed_api/sandbox2/util:strerror",

View File

@ -15,7 +15,6 @@
add_subdirectory(examples)
add_subdirectory(unwind)
add_subdirectory(util)
add_subdirectory(network_proxy)
# sandboxed_api/sandbox2:bpfdisassembler
add_library(sandbox2_bpfdisassembler STATIC
@ -122,6 +121,36 @@ target_link_libraries(sandbox2_logsink
PUBLIC glog::glog
)
# sandboxed_api/sandbox2:network_proxy_server
add_library(sandbox2_network_proxy_server STATIC
network_proxy_server.cc
network_proxy_server.h
)
add_library(sandbox2::network_proxy_server ALIAS sandbox2_network_proxy_server)
target_link_libraries(sandbox2_network_proxy_server PRIVATE
absl::memory
glog::glog
sandbox2::comms
sandbox2::fileops
sapi::base
)
# sandboxed_api/sandbox2:network_proxy_client
add_library(sandbox2_network_proxy_client STATIC
network_proxy_client.cc
network_proxy_client.h
)
add_library(sandbox2::network_proxy_client ALIAS sandbox2_network_proxy_client)
target_link_libraries(sandbox2_network_proxy_client PRIVATE
absl::strings
absl::synchronization
glog::glog
sandbox2::comms
sandbox2::strerror
sapi::base
sapi::status
)
# sandboxed_api/sandbox2:ipc
add_library(sandbox2_ipc STATIC
ipc.cc

View File

@ -40,6 +40,7 @@
#include "absl/strings/str_join.h"
#include "absl/strings/str_split.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/network_proxy_client.h"
#include "sandboxed_api/sandbox2/sanitizer.h"
#include "sandboxed_api/sandbox2/util/strerror.h"
#include "sandboxed_api/util/raw_logging.h"

View File

@ -25,7 +25,7 @@
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/logsink.h"
#include "sandboxed_api/sandbox2/network_proxy/client.h"
#include "sandboxed_api/sandbox2/network_proxy_client.h"
namespace sandbox2 {

View File

@ -14,10 +14,10 @@
# The 'network proxy' example demonstrates how to use network proxy server.
load("//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
licenses(["notice"])
load("//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
# Executor
cc_binary(
name = "networkproxy_sandbox",
@ -27,7 +27,6 @@ cc_binary(
deps = [
"//sandboxed_api/sandbox2",
"//sandboxed_api/sandbox2:comms",
"//sandboxed_api/sandbox2/network_proxy:filtering",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/sandbox2/util:fileops",
"//sandboxed_api/sandbox2/util:runfiles",
@ -43,7 +42,7 @@ cc_binary(
deps = [
"//sandboxed_api/sandbox2:client",
"//sandboxed_api/sandbox2:comms",
"//sandboxed_api/sandbox2/network_proxy:client",
"//sandboxed_api/sandbox2:network_proxy_client",
"//sandboxed_api/sandbox2/util:fileops",
"@com_google_absl//absl/strings:str_format",
],

View File

@ -14,7 +14,7 @@
#include "absl/strings/str_format.h"
#include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/network_proxy/client.h"
#include "sandboxed_api/sandbox2/network_proxy_client.h"
#include "sandboxed_api/sandbox2/util/fileops.h"
static ssize_t ReadFromFd(int fd, uint8_t* buf, size_t size) {
@ -113,6 +113,5 @@ int main(int argc, char** argv) {
if (!CommunicationTest(client.get())) {
return 4;
}
return 0;
}

View File

@ -42,8 +42,6 @@ std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
.AllowSyscall(__NR_munmap)
.AllowSyscall(__NR_getpid)
.AddNetworkProxyHandlerPolicy()
.AllowTcMalloc()
.AllowIPv6("::1")
.AddLibrariesForBinary(sandboxee_path)
.BuildOrDie();
}
@ -131,7 +129,10 @@ int main(int argc, char** argv) {
// is capable of enabling sandboxing on its own).
->set_enable_sandbox_before_exec(false)
// Set cwd to / to get rids of warnings connected with file namespace.
.set_cwd("/");
.set_cwd("/")
// Enable built-in network proxy.
.ipc()
->EnableNetworkProxyServer();
executor
->limits()
// Remove restrictions on the size of address-space of sandboxed

View File

@ -17,12 +17,16 @@
#include "sandboxed_api/sandbox2/ipc.h"
#include <sys/socket.h>
#include <thread>
#include <unistd.h>
#include <thread> // NOLINT(build/c++11)
#include <glog/logging.h>
#include "absl/memory/memory.h"
#include "sandboxed_api/sandbox2/logserver.h"
#include "sandboxed_api/sandbox2/logsink.h"
#include "sandboxed_api/sandbox2/network_proxy_client.h"
#include "sandboxed_api/sandbox2/network_proxy_server.h"
namespace sandbox2 {
@ -99,4 +103,16 @@ void IPC::EnableLogServer() {
log_thread.detach();
}
void IPC::EnableNetworkProxyServer() {
int fd = ReceiveFd(NetworkProxyClient::kFDName);
auto proxy_server = [fd]() {
NetworkProxyServer network_proxy_server(fd);
network_proxy_server.Run();
};
std::thread proxy_thread{proxy_server};
proxy_thread.detach();
}
} // namespace sandbox2

View File

@ -23,6 +23,7 @@
#include <tuple>
#include <vector>
#include "absl/base/macros.h"
#include "absl/strings/string_view.h"
#include "sandboxed_api/sandbox2/comms.h"
@ -59,6 +60,10 @@ class IPC final {
// Client::SendLogsToSupervisor in the sandboxee.
void EnableLogServer();
// Enable network proxy server, this will start a thread in the sandbox
// that waits for connection requests from the sandboxee.
void EnableNetworkProxyServer();
private:
friend class Executor;
friend class Monitor;

View File

@ -53,7 +53,6 @@
#include "sandboxed_api/sandbox2/limits.h"
#include "sandboxed_api/sandbox2/mounts.h"
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/network_proxy/server.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/regs.h"
#include "sandboxed_api/sandbox2/result.h"
@ -141,9 +140,6 @@ Monitor::~Monitor() {
if (log_file_) {
std::fclose(log_file_);
}
if (network_proxy_server_) {
network_proxy_thread_.join();
}
}
namespace {
@ -202,10 +198,6 @@ void Monitor::Run() {
// sandbox master/monitor, which ptrace_attach'es to the child.
int clone_flags = CLONE_UNTRACED;
if (policy_->allowed_hosts_) {
EnableNetworkProxyServer();
}
// Get PID of the sandboxee.
pid_t init_pid = 0;
Namespace* ns = policy_->GetNamespace();
@ -357,14 +349,6 @@ void Monitor::MainLoop(sigset_t* sset) {
KillSandboxee();
}
if (network_proxy_server_ &&
network_proxy_server_->violation_occurred_.load(
std::memory_order_acquire) &&
!network_violation_) {
network_violation_ = true;
KillSandboxee();
}
// It should be a non-blocking operation (hence WNOHANG), so this function
// returns quickly if there are no events to be processed.
// Prioritize main pid to avoid resource starvation
@ -417,10 +401,7 @@ void Monitor::MainLoop(sigset_t* sset) {
VLOG(1) << "PID: " << ret << " terminated with signal: "
<< util::GetSignalName(WTERMSIG(status));
if (ret == pid_) {
if (network_violation_) {
SetExitStatusCode(Result::NETWORK_VIOLATION, 0);
result_.SetNetworkViolation(network_proxy_server_->violation_msg_);
} else if (external_kill_) {
if (external_kill_) {
SetExitStatusCode(Result::EXTERNAL_KILL, 0);
} else if (timed_out_) {
SetExitStatusCode(Result::TIMEOUT, 0);
@ -813,10 +794,7 @@ void Monitor::EventPtraceExit(pid_t pid, int event_msg) {
// 3) Regular signal/other exit cause.
if (pid == pid_) {
VLOG(1) << "PID: " << pid << " main special exit";
if (network_violation_) {
SetExitStatusCode(Result::NETWORK_VIOLATION, 0);
result_.SetNetworkViolation(network_proxy_server_->violation_msg_);
} else if (external_kill_) {
if (external_kill_) {
SetExitStatusCode(Result::EXTERNAL_KILL, 0);
} else if (timed_out_) {
SetExitStatusCode(Result::TIMEOUT, 0);
@ -948,14 +926,4 @@ void Monitor::LogSyscallViolationExplanation(const Syscall& syscall) const {
}
}
void Monitor::EnableNetworkProxyServer() {
int fd = ipc_->ReceiveFd(NetworkProxyClient::kFDName);
network_proxy_server_ = absl::make_unique<NetworkProxyServer>(
fd, &policy_->allowed_hosts_.value(), pthread_self());
network_proxy_thread_ = std::thread(&NetworkProxyServer::Run,
network_proxy_server_.get());
}
} // namespace sandbox2

View File

@ -26,13 +26,11 @@
#include <cstdio>
#include <ctime>
#include <memory>
#include <thread>
#include "absl/synchronization/notification.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/ipc.h"
#include "sandboxed_api/sandbox2/network_proxy/server.h"
#include "sandboxed_api/sandbox2/notify.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/regs.h"
@ -141,10 +139,6 @@ class Monitor final {
// Processes stop path.
void EventPtraceStop(pid_t pid, int stopsig);
// Enable network proxy server, this will start a thread in the sandbox
// that waits for connection requests from the sandboxee.
void EnableNetworkProxyServer();
// Internal objects, owned by the Sandbox2 object.
Executor* executor_;
Notify* notify_;
@ -174,8 +168,6 @@ class Monitor final {
std::atomic<int64_t> deadline_millis_{0};
// Was external kill sent to the sandboxee
bool external_kill_ = false;
// Network violation occurred and process of killing sandboxee started
bool network_violation_ = false;
// Is the sandboxee timed out
bool timed_out_ = false;
// Should we dump the main sandboxed PID's stack?
@ -186,12 +178,6 @@ class Monitor final {
// Log file specified by
// --sandbox_danger_danger_permit_all_and_log flag.
FILE* log_file_ = nullptr;
// Handle to the class responsible for proxying and validating connect()
// requests.
std::unique_ptr<NetworkProxyServer> network_proxy_server_;
std::thread network_proxy_thread_;
};
} // namespace sandbox2

View File

@ -0,0 +1,217 @@
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "sandboxed_api/sandbox2/network_proxy_client.h"
#include <linux/net.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <syscall.h>
#include <ucontext.h>
#include <cerrno>
#include <iostream>
#include <glog/logging.h>
#include "absl/memory/memory.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/util/strerror.h"
#include "sandboxed_api/util/canonical_errors.h"
#include "sandboxed_api/util/status.h"
#include "sandboxed_api/util/status_macros.h"
namespace sandbox2 {
#ifndef SYS_SECCOMP
constexpr int SYS_SECCOMP = 1;
#endif
#if defined(__x86_64__)
constexpr int kRegResult = REG_RAX;
constexpr int kRegSyscall = REG_RAX;
constexpr int kRegArg0 = REG_RDI;
constexpr int kRegArg1 = REG_RSI;
constexpr int kRegArg2 = REG_RDX;
#endif
#if defined(__powerpc64__)
constexpr int kRegResult = 3;
constexpr int kRegSyscall = 0;
constexpr int kRegArg0 = 3;
constexpr int kRegArg1 = 4;
constexpr int kRegArg2 = 5;
#endif
constexpr char NetworkProxyClient::kFDName[];
int NetworkProxyClient::ConnectHandler(int sockfd, const struct sockaddr* addr,
socklen_t addrlen) {
sapi::Status status = Connect(sockfd, addr, addrlen);
if (status.ok()) {
return 0;
}
LOG(ERROR) << "ConnectHandler() failed: " << status.message();
return -1;
}
sapi::Status NetworkProxyClient::Connect(int sockfd,
const struct sockaddr* addr,
socklen_t addrlen) {
absl::MutexLock lock(&mutex_);
// Check if socket is SOCK_STREAM
int type;
socklen_t type_size = sizeof(int);
int result = getsockopt(sockfd, SOL_SOCKET, SO_TYPE, &type, &type_size);
if (result == -1) {
return sapi::FailedPreconditionError("Invalid socket FD");
}
if (type_size != sizeof(int) || type != SOCK_STREAM) {
errno = EINVAL;
return sapi::InvalidArgumentError(
"Invalid socket, only SOCK_STREAM is allowed");
}
// Send sockaddr struct
if (!comms_.SendBytes(reinterpret_cast<const uint8_t*>(addr), addrlen)) {
errno = EIO;
return sapi::InternalError("Sending data to network proxy failed");
}
SAPI_RETURN_IF_ERROR(ReceiveRemoteResult());
// Receive new socket
int s;
if (!comms_.RecvFD(&s)) {
errno = EIO;
return sapi::InternalError("Receiving data from network proxy failed");
}
if (dup2(s, sockfd) == -1) {
close(s);
return sapi::InternalError("Processing data from network proxy failed");
}
return sapi::OkStatus();
}
sapi::Status NetworkProxyClient::ReceiveRemoteResult() {
int result;
if (!comms_.RecvInt32(&result)) {
errno = EIO;
return sapi::InternalError("Receiving data from the network proxy failed");
}
if (result != 0) {
errno = result;
return sapi::InternalError(
absl::StrCat("Error in network proxy server: ", StrError(errno)));
}
return sapi::OkStatus();
}
namespace {
static NetworkProxyHandler* g_network_proxy_handler = nullptr;
void SignalHandler(int nr, siginfo_t* info, void* void_context) {
g_network_proxy_handler->ProcessSeccompTrap(nr, info, void_context);
}
} // namespace
sapi::Status NetworkProxyHandler::InstallNetworkProxyHandler(
NetworkProxyClient* npc) {
if (g_network_proxy_handler) {
return sapi::AlreadyExistsError(
"Network proxy handler is already installed");
}
g_network_proxy_handler = new NetworkProxyHandler(npc);
return sapi::OkStatus();
}
void NetworkProxyHandler::InvokeOldAct(int nr, siginfo_t* info,
void* void_context) {
if (oldact_.sa_flags & SA_SIGINFO) {
if (oldact_.sa_sigaction) {
oldact_.sa_sigaction(nr, info, void_context);
}
} else if (oldact_.sa_handler == SIG_IGN) {
return;
} else if (oldact_.sa_handler == SIG_DFL) {
sigaction(SIGSYS, &oldact_, nullptr);
raise(SIGSYS);
} else if (oldact_.sa_handler) {
oldact_.sa_handler(nr);
}
} // namespace sandbox2
void NetworkProxyHandler::ProcessSeccompTrap(int nr, siginfo_t* info,
void* void_context) {
ucontext_t* ctx = (ucontext_t*)(void_context);
if (info->si_code != SYS_SECCOMP) {
InvokeOldAct(nr, info, void_context);
return;
}
if (!ctx) return;
#if defined(__x86_64__)
auto* registers = ctx->uc_mcontext.gregs;
#elif defined(__powerpc64__)
auto* registers = ctx->uc_mcontext.gp_regs;
using ppc_gpreg_t = std::decay<decltype(registers[0])>::type;
#endif
int syscall = registers[kRegSyscall];
int sockfd;
const struct sockaddr* addr;
socklen_t addrlen;
if (syscall == __NR_connect) {
sockfd = static_cast<int>(registers[kRegArg0]);
addr = reinterpret_cast<const struct sockaddr*>(registers[kRegArg1]);
addrlen = static_cast<socklen_t>(registers[kRegArg2]);
#if defined(__powerpc64__)
} else if (syscall == __NR_socketcall &&
static_cast<int>(registers[kRegArg0]) == SYS_CONNECT) {
ppc_gpreg_t* args = reinterpret_cast<ppc_gpreg_t*>(registers[kRegArg1]);
sockfd = static_cast<int>(args[0]);
addr = reinterpret_cast<const struct sockaddr*>(args[1]);
addrlen = static_cast<socklen_t>(args[2]);
#endif
} else {
InvokeOldAct(nr, info, void_context);
return;
}
sapi::Status result = network_proxy_client_->Connect(sockfd, addr, addrlen);
if (result.ok()) {
registers[kRegResult] = 0;
} else {
registers[kRegResult] = -errno;
}
}
void NetworkProxyHandler::InstallSeccompTrap() {
sigset_t mask;
sigemptyset(&mask);
sigaddset(&mask, SIGSYS);
struct sigaction act = {};
act.sa_sigaction = &SignalHandler;
act.sa_flags = SA_SIGINFO;
CHECK_EQ(sigaction(SIGSYS, &act, &oldact_), 0);
CHECK_EQ(sigprocmask(SIG_UNBLOCK, &mask, nullptr), 0);
}
} // namespace sandbox2

View File

@ -0,0 +1,75 @@
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_NETWORK_PROXY_CLIENT_H_
#define SANDBOXED_API_SANDBOX2_NETWORK_PROXY_CLIENT_H_
#include <netinet/in.h>
#include "absl/synchronization/mutex.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/util/status.h"
namespace sandbox2 {
class NetworkProxyClient {
public:
static constexpr char kFDName[] = "sb2_networkproxy";
explicit NetworkProxyClient(int fd) : comms_(fd) {}
NetworkProxyClient(const NetworkProxyClient&) = delete;
NetworkProxyClient& operator=(const NetworkProxyClient&) = delete;
// Establishes a new network connection.
// Semantic is similar to a regular connect() call.
// Arguments are sent to network proxy server, which sends back a connected
// socket.
sapi::Status Connect(int sockfd, const struct sockaddr* addr,
socklen_t addrlen);
// Same as Connect, but with same API as regular connect() call.
int ConnectHandler(int sockfd, const struct sockaddr* addr,
socklen_t addrlen);
private:
Comms comms_;
sapi::Status ReceiveRemoteResult();
// Needed to make the Proxy thread safe.
absl::Mutex mutex_;
};
class NetworkProxyHandler {
public:
// Installs the handler that redirects connect() syscalls to the trap
// function. This function exchange data with NetworkProxyServer that checks
// if this connection is allowed and sends the connected socket to us.
// In other words, this function just use NetworkProxyClient class.
static sapi::Status InstallNetworkProxyHandler(NetworkProxyClient* npc);
void ProcessSeccompTrap(int nr, siginfo_t* info, void* void_context);
private:
NetworkProxyHandler(NetworkProxyClient* npc) : network_proxy_client_(npc) {
InstallSeccompTrap();
}
void InvokeOldAct(int nr, siginfo_t* info, void* void_context);
void InstallSeccompTrap();
struct sigaction oldact_;
NetworkProxyClient* network_proxy_client_;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_NETWORK_PROXY_CLIENT_H_

View File

@ -0,0 +1,95 @@
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "sandboxed_api/sandbox2/network_proxy_server.h"
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <syscall.h>
#include <cerrno>
#include <cstring>
#include <glog/logging.h>
#include "absl/memory/memory.h"
#include "sandboxed_api/sandbox2/util/fileops.h"
namespace sandbox2 {
NetworkProxyServer::NetworkProxyServer(int fd)
: comms_{absl::make_unique<Comms>(fd)}, fatal_error_{false} {}
void NetworkProxyServer::ProcessConnectRequest() {
std::vector<uint8_t> addr;
if (!comms_->RecvBytes(&addr)) {
fatal_error_ = true;
return;
}
const struct sockaddr_in* saddr =
reinterpret_cast<const sockaddr_in*>(addr.data());
// Only IPv4 TCP and IPv6 TCP are supported.
if (!((addr.size() == sizeof(sockaddr_in) && saddr->sin_family == AF_INET) ||
(addr.size() == sizeof(sockaddr_in6) &&
saddr->sin_family == AF_INET6))) {
SendError(EINVAL);
return;
}
int new_socket = socket(saddr->sin_family, SOCK_STREAM, 0);
if (new_socket < 0) {
SendError(errno);
return;
}
file_util::fileops::FDCloser new_socket_closer(new_socket);
int result = connect(
new_socket, reinterpret_cast<const sockaddr*>(addr.data()), addr.size());
if (result == 0) {
NotifySuccess();
if (!fatal_error_) {
if (!comms_->SendFD(new_socket)) {
fatal_error_ = true;
return;
}
}
}
}
void NetworkProxyServer::Run() {
while (!fatal_error_) {
ProcessConnectRequest();
}
LOG(INFO)
<< "Clean shutdown or error occurred, shutting down NetworkProxyServer";
}
void NetworkProxyServer::SendError(int saved_errno) {
if (!comms_->SendInt32(saved_errno)) {
fatal_error_ = true;
}
}
void NetworkProxyServer::NotifySuccess() {
if (!comms_->SendInt32(0)) {
fatal_error_ = true;
}
}
} // namespace sandbox2

View File

@ -0,0 +1,53 @@
// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_NETWORK_PROXY_SERVER_H_
#define SANDBOXED_API_SANDBOX2_NETWORK_PROXY_SERVER_H_
#include <memory>
#include "sandboxed_api/sandbox2/comms.h"
namespace sandbox2 {
// This is a proxy server that spawns connected sockets on requests.
// Then it sends the file descriptor to the requestor. It is used to get around
// limitations created by network namespaces.
class NetworkProxyServer {
public:
explicit NetworkProxyServer(int fd);
NetworkProxyServer(const NetworkProxyServer&) = delete;
NetworkProxyServer& operator=(const NetworkProxyServer&) = delete;
// Starts handling incoming connection requests.
void Run();
private:
// Notifies the network proxy client about the error and sends its code.
void SendError(int saved_errno);
// Notifies the network proxy client that no error occurred.
void NotifySuccess();
// Serves connection requests from the network proxy client.
void ProcessConnectRequest();
std::unique_ptr<Comms> comms_;
bool fatal_error_;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_NETWORK_PROXY_SERVER_H_

View File

@ -31,7 +31,6 @@
#include "absl/base/macros.h"
#include "absl/types/optional.h"
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/network_proxy/filtering.h"
#include "sandboxed_api/sandbox2/syscall.h"
#include "sandboxed_api/sandbox2/violation.pb.h"
@ -105,9 +104,6 @@ class Policy final {
// Get a policy which would allow the Monitor module to track all syscalls.
std::vector<sock_filter> GetTrackingPolicy() const;
// Contains a list of hosts the sandboxee is allowed to connect to.
absl::optional<AllowedHosts> allowed_hosts_;
friend class Monitor;
friend class PolicyBuilder;
friend class PolicyBuilderPeer; // For testing

View File

@ -39,7 +39,6 @@
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/sandbox2/util/path.h"
#include "sandboxed_api/sandbox2/util/strerror.h"
#include "sandboxed_api/util/canonical_errors.h"
#include "sandboxed_api/util/status_macros.h"
@ -48,7 +47,7 @@ namespace {
} // namespace
PolicyBuilder& PolicyBuilder::AllowSyscall(uint32_t num) {
PolicyBuilder& PolicyBuilder::AllowSyscall(unsigned int num) {
if (handled_syscalls_.insert(num).second) {
user_policy_.insert(user_policy_.end(), {SYSCALL(num, ALLOW)});
}
@ -69,7 +68,8 @@ PolicyBuilder& PolicyBuilder::AllowSyscalls(SyscallInitializer nums) {
return *this;
}
PolicyBuilder& PolicyBuilder::BlockSyscallWithErrno(uint32_t num, int error) {
PolicyBuilder& PolicyBuilder::BlockSyscallWithErrno(unsigned int num,
int error) {
if (handled_syscalls_.insert(num).second) {
user_policy_.insert(user_policy_.end(), {SYSCALL(num, ERRNO(error))});
}
@ -545,17 +545,17 @@ PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
});
}
PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(uint32_t num,
PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(unsigned int num,
BpfInitializer policy) {
return AddPolicyOnSyscalls({num}, policy);
}
PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(
uint32_t num, const std::vector<sock_filter>& policy) {
unsigned int num, const std::vector<sock_filter>& policy) {
return AddPolicyOnSyscalls({num}, policy);
}
PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(uint32_t num, BpfFunc f) {
PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(unsigned int num, BpfFunc f) {
return AddPolicyOnSyscalls({num}, f);
}
@ -700,7 +700,6 @@ sapi::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
StoreDescription(pb_description.get());
output->policy_builder_description_ = std::move(pb_description);
output->allowed_hosts_ = std::move(allowed_hosts_);
already_built_ = true;
return std::move(output);
}
@ -849,15 +848,6 @@ PolicyBuilder& PolicyBuilder::CollectStacktracesOnKill(bool enable) {
}
PolicyBuilder& PolicyBuilder::AddNetworkProxyPolicy() {
if (allowed_hosts_) {
SetError(sapi::FailedPreconditionError(
"AddNetworkProxyPolicy or AddNetworkProxyHandlerPolicy can be called "
"at most once"));
return *this;
}
allowed_hosts_ = AllowedHosts();
AllowFutexOp(FUTEX_WAKE);
AllowFutexOp(FUTEX_WAIT);
AllowFutexOp(FUTEX_WAIT_BITSET);
@ -930,36 +920,4 @@ void PolicyBuilder::StoreDescription(PolicyBuilderDescription* pb_description) {
}
}
PolicyBuilder& PolicyBuilder::AllowIPv4(const std::string& ip_and_mask,
uint32_t port) {
if (!allowed_hosts_) {
SetError(sapi::FailedPreconditionError(
"AddNetworkProxyPolicy or AddNetworkProxyHandlerPolicy must be called "
"before adding IP rules"));
return *this;
}
sapi::Status status = allowed_hosts_->AllowIPv4(ip_and_mask, port);
if (!status.ok()) {
SetError(status);
}
return *this;
}
PolicyBuilder& PolicyBuilder::AllowIPv6(const std::string& ip_and_mask,
uint32_t port) {
if (!allowed_hosts_) {
SetError(sapi::FailedPreconditionError(
"AddNetworkProxyPolicy or AddNetworkProxyHandlerPolicy must be called "
"before adding IP rules"));
return *this;
}
sapi::Status status = allowed_hosts_->AllowIPv6(ip_and_mask, port);
if (!status.ok()) {
SetError(status);
}
return *this;
}
} // namespace sandbox2

View File

@ -31,7 +31,6 @@
#include "absl/memory/memory.h"
#include "absl/strings/string_view.h"
#include "sandboxed_api/sandbox2/mounts.h"
#include "sandboxed_api/sandbox2/network_proxy/filtering.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/util/statusor.h"
@ -502,10 +501,6 @@ class PolicyBuilder final {
// Not recommended
PolicyBuilder& SetRootWritable();
// Allows connections to this IP.
PolicyBuilder& AllowIPv4(const std::string& ip_and_mask, uint32_t port = 0);
PolicyBuilder& AllowIPv6(const std::string& ip_and_mask, uint32_t port = 0);
private:
friend class PolicyBuilderPeer; // For testing
friend class StackTracePeer;
@ -547,9 +542,6 @@ class PolicyBuilder final {
// This function returns a PolicyBuilder so that we can use it in the status
// macros
PolicyBuilder& SetError(const sapi::Status& status);
// Contains list of allowed hosts.
absl::optional<AllowedHosts> allowed_hosts_;
};
} // namespace sandbox2

View File

@ -79,10 +79,6 @@ std::string Result::ToString() const {
Syscall(GetSyscallArch(), reason_code()).GetName(),
"] Stack: ", GetStackTrace());
break;
case sandbox2::Result::NETWORK_VIOLATION:
result = absl::StrCat("NETWORK VIOLATION - Violating network policy: ",
network_violation_);
break;
case sandbox2::Result::SIGNALED:
result = absl::StrCat("Process terminated with a SIGNAL - Signal: ",
util::GetSignalName(reason_code()),
@ -133,8 +129,6 @@ std::string Result::StatusEnumToString(StatusEnum value) {
return "SETUP_ERROR";
case sandbox2::Result::VIOLATION:
return "VIOLATION";
case sandbox2::Result::NETWORK_VIOLATION:
return "NETWORK_VIOLATION";
case sandbox2::Result::SIGNALED:
return "SIGNALED";
case sandbox2::Result::TIMEOUT:

View File

@ -45,8 +45,6 @@ class Result {
SETUP_ERROR,
// Syscall violation
VIOLATION,
// Network policy violation
NETWORK_VIOLATION,
// Process terminated with a signal
SIGNALED,
// Process terminated with a timeout
@ -121,10 +119,6 @@ class Result {
syscall_ = std::move(syscall);
}
void SetNetworkViolation(std::string network_violation) {
network_violation_ = std::move(network_violation);
}
StatusEnum final_status() const { return final_status_; }
uintptr_t reason_code() const { return reason_code_; }
@ -143,8 +137,6 @@ class Result {
const std::string& GetProgName() const { return prog_name_; }
const std::string& GetNetworkViolation() const { return network_violation_; }
void SetProgName(const std::string& name) { prog_name_ = name; }
const std::string& GetProcMaps() const { return proc_maps_; }
@ -187,8 +179,6 @@ class Result {
std::string prog_name_;
// /proc/pid/maps of the main process.
std::string proc_maps_;
// IP and port if network violation occurred
std::string network_violation_;
// Final resource usage as defined in <sys/resource.h> (man getrusage), for
// the Monitor thread.
rusage rusage_monitor_;