diff --git a/sandboxed_api/docs/howitworks.md b/sandboxed_api/docs/howitworks.md index ac0f8de..b34a96c 100644 --- a/sandboxed_api/docs/howitworks.md +++ b/sandboxed_api/docs/howitworks.md @@ -23,7 +23,7 @@ Libraries, and restarts them if they fail (e.g, due to security violations, crashes or resource exhaustion). -## Getting startd +## Getting started Read our [Get Started](getting-started.md) page to set up your first Sandboxed API project. diff --git a/sandboxed_api/sandbox2/violation.proto b/sandboxed_api/sandbox2/violation.proto deleted file mode 100644 index 8575d96..0000000 --- a/sandboxed_api/sandbox2/violation.proto +++ /dev/null @@ -1,148 +0,0 @@ -// Copyright 2019 Google LLC. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -package sandbox2; - -import "sandboxed_api/sandbox2/mounttree.proto"; - -enum PBViolationType { - VIOLATION_TYPE_UNSPECIFIED = 0; - DISALLOWED_SYSCALL = 1; - RESOURCE_LIMIT_EXCEEDED = 2; - SYSCALL_ARCHITECTURE_MISMATCH = 3; -} - -// X86_64 not allowed (naming convention...) -message RegisterX8664 { - uint64 r15 = 1; - uint64 r14 = 2; - uint64 r13 = 3; - uint64 r12 = 4; - uint64 rbp = 5; - uint64 rbx = 6; - uint64 r11 = 7; - uint64 r10 = 8; - uint64 r9 = 9; - uint64 r8 = 10; - uint64 rax = 11; - uint64 rcx = 12; - uint64 rdx = 13; - uint64 rsi = 14; - uint64 rdi = 15; - uint64 orig_rax = 16; - uint64 rip = 17; - uint64 cs = 18; - uint64 eflags = 19; - uint64 rsp = 20; - uint64 ss = 21; - uint64 fs_base = 22; - uint64 gs_base = 23; - uint64 ds = 24; - uint64 es = 25; - uint64 fs = 26; - uint64 gs = 27; -} - -message RegisterPowerpc64 { - repeated uint64 gpr = 1; - uint64 nip = 2; - uint64 msr = 3; - uint64 orig_gpr3 = 4; - uint64 ctr = 5; - uint64 link = 6; - uint64 xer = 7; - uint64 ccr = 8; - uint64 softe = 9; - uint64 trap = 10; - uint64 dar = 11; - uint64 dsisr = 12; - uint64 result = 13; - - uint64 zero0 = 14; - uint64 zero1 = 15; - uint64 zero2 = 16; - uint64 zero3 = 17; -} - -// Deprecated. -message RegisterAarch64 { - repeated uint64 regs = 1; - uint64 sp = 2; - uint64 pc = 3; - uint64 pstate = 4; -} - -message RegisterValues { - // Architecture architecture = 1; - oneof register_values { - RegisterX8664 register_x86_64 = 2; - RegisterPowerpc64 register_powerpc64 = 3; - RegisterAarch64 register_aarch64 = 4; // Deprecated. - } -} - -message SyscallDescription { - int32 syscall = 1; - // Should we have a second one with the raw value? - // This would be redundant (We dump all registers) + should not be as useful - // for debugging as the decoded values. - repeated string argument = 2; - // Store the architecture of the desired syscall in here as well? Might be - // useful when the violation type was a change in syscall architecture. -} - -message FsDescription { - repeated string file_whitelist = 1; - repeated string symlink_whitelist = 2; - repeated string file_greylist = 3; - repeated string file_blacklist = 4; -} - -message PolicyBuilderDescription { - repeated int32 handled_syscalls = 1; - repeated string bind_mounts = 2; -} - -message NamespaceDescription { - int32 clone_flags = 1; - // Do we want to have the mount tree in here? - MountTree mount_tree_mounts = 2; -} - -message PolicyDescription { - bytes user_bpf_policy = 1; - reserved 2 to 5; - // This requires additional fields. (e.g. whitelisted syscall #s) - PolicyBuilderDescription policy_builder_description = 6; - - // namespace - NamespaceDescription namespace_description = 7; - - repeated int32 capabilities = 8; -} - -message Violation { - string legacy_fatal_message = 1; - PBViolationType violation_type = 2; - int32 pid = 3; - string prog_name = 4; - PolicyDescription policy = 5; - string stack_trace = 6; - SyscallDescription syscall_information = 7; - RegisterValues register_values = 8; - FsDescription fs = 9; - string proc_maps = 10; -}