diff --git a/WORKSPACE b/WORKSPACE index 4c5a724..9633e6e 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -134,6 +134,7 @@ autotools_repository( build_file = "//sandboxed_api:bazel/external/libunwind.BUILD", configure_args = [ "--disable-documentation", + "--disable-minidebuginfo", "--disable-shared", "--enable-ptrace", ], diff --git a/sandboxed_api/sandbox2/violation.proto b/sandboxed_api/sandbox2/violation.proto new file mode 100644 index 0000000..8575d96 --- /dev/null +++ b/sandboxed_api/sandbox2/violation.proto @@ -0,0 +1,148 @@ +// Copyright 2019 Google LLC. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package sandbox2; + +import "sandboxed_api/sandbox2/mounttree.proto"; + +enum PBViolationType { + VIOLATION_TYPE_UNSPECIFIED = 0; + DISALLOWED_SYSCALL = 1; + RESOURCE_LIMIT_EXCEEDED = 2; + SYSCALL_ARCHITECTURE_MISMATCH = 3; +} + +// X86_64 not allowed (naming convention...) +message RegisterX8664 { + uint64 r15 = 1; + uint64 r14 = 2; + uint64 r13 = 3; + uint64 r12 = 4; + uint64 rbp = 5; + uint64 rbx = 6; + uint64 r11 = 7; + uint64 r10 = 8; + uint64 r9 = 9; + uint64 r8 = 10; + uint64 rax = 11; + uint64 rcx = 12; + uint64 rdx = 13; + uint64 rsi = 14; + uint64 rdi = 15; + uint64 orig_rax = 16; + uint64 rip = 17; + uint64 cs = 18; + uint64 eflags = 19; + uint64 rsp = 20; + uint64 ss = 21; + uint64 fs_base = 22; + uint64 gs_base = 23; + uint64 ds = 24; + uint64 es = 25; + uint64 fs = 26; + uint64 gs = 27; +} + +message RegisterPowerpc64 { + repeated uint64 gpr = 1; + uint64 nip = 2; + uint64 msr = 3; + uint64 orig_gpr3 = 4; + uint64 ctr = 5; + uint64 link = 6; + uint64 xer = 7; + uint64 ccr = 8; + uint64 softe = 9; + uint64 trap = 10; + uint64 dar = 11; + uint64 dsisr = 12; + uint64 result = 13; + + uint64 zero0 = 14; + uint64 zero1 = 15; + uint64 zero2 = 16; + uint64 zero3 = 17; +} + +// Deprecated. +message RegisterAarch64 { + repeated uint64 regs = 1; + uint64 sp = 2; + uint64 pc = 3; + uint64 pstate = 4; +} + +message RegisterValues { + // Architecture architecture = 1; + oneof register_values { + RegisterX8664 register_x86_64 = 2; + RegisterPowerpc64 register_powerpc64 = 3; + RegisterAarch64 register_aarch64 = 4; // Deprecated. + } +} + +message SyscallDescription { + int32 syscall = 1; + // Should we have a second one with the raw value? + // This would be redundant (We dump all registers) + should not be as useful + // for debugging as the decoded values. + repeated string argument = 2; + // Store the architecture of the desired syscall in here as well? Might be + // useful when the violation type was a change in syscall architecture. +} + +message FsDescription { + repeated string file_whitelist = 1; + repeated string symlink_whitelist = 2; + repeated string file_greylist = 3; + repeated string file_blacklist = 4; +} + +message PolicyBuilderDescription { + repeated int32 handled_syscalls = 1; + repeated string bind_mounts = 2; +} + +message NamespaceDescription { + int32 clone_flags = 1; + // Do we want to have the mount tree in here? + MountTree mount_tree_mounts = 2; +} + +message PolicyDescription { + bytes user_bpf_policy = 1; + reserved 2 to 5; + // This requires additional fields. (e.g. whitelisted syscall #s) + PolicyBuilderDescription policy_builder_description = 6; + + // namespace + NamespaceDescription namespace_description = 7; + + repeated int32 capabilities = 8; +} + +message Violation { + string legacy_fatal_message = 1; + PBViolationType violation_type = 2; + int32 pid = 3; + string prog_name = 4; + PolicyDescription policy = 5; + string stack_trace = 6; + SyscallDescription syscall_information = 7; + RegisterValues register_values = 8; + FsDescription fs = 9; + string proc_maps = 10; +}