Change the default action instead of appending ALLOW
Also create a visibility restricted version of the function. PiperOrigin-RevId: 513209752 Change-Id: I031fe62d5ccd81995536479b9af890ad111e336cpull/171/head
Wiktor Garbacz
Copybara-Service
parent
fbfbd13adf
commit
5a8a25e9ac
|
|
@ -24,6 +24,24 @@ package(
|
|||
|
||||
licenses(["notice"])
|
||||
|
||||
cc_library(
|
||||
name = "allow_all_syscalls",
|
||||
hdrs = ["allow_all_syscalls.h"],
|
||||
copts = sapi_platform_copts(),
|
||||
visibility = [
|
||||
"//sandboxed_api/sandbox2:__pkg__",
|
||||
"//sandboxed_api/sandbox2/examples/tool:__pkg__",
|
||||
],
|
||||
)
|
||||
|
||||
cc_library(
|
||||
name = "testonly_allow_all_syscalls",
|
||||
testonly = True,
|
||||
hdrs = ["allow_all_syscalls.h"],
|
||||
copts = sapi_platform_copts(),
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
|
||||
cc_library(
|
||||
name = "bpfdisassembler",
|
||||
srcs = ["bpfdisassembler.cc"],
|
||||
|
|
@ -472,6 +490,7 @@ cc_library(
|
|||
hdrs = ["policybuilder.h"],
|
||||
copts = sapi_platform_copts(),
|
||||
deps = [
|
||||
":allow_all_syscalls",
|
||||
":mounts",
|
||||
":namespace",
|
||||
":policy",
|
||||
|
|
@ -652,6 +671,7 @@ cc_test(
|
|||
":comms",
|
||||
":namespace",
|
||||
":sandbox2",
|
||||
":testonly_allow_all_syscalls",
|
||||
"//sandboxed_api:config",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/util:fileops",
|
||||
|
|
@ -822,6 +842,7 @@ cc_test(
|
|||
deps = [
|
||||
":limits",
|
||||
":sandbox2",
|
||||
":testonly_allow_all_syscalls",
|
||||
"//sandboxed_api:config",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/util:status_matchers",
|
||||
|
|
@ -890,6 +911,7 @@ cc_test(
|
|||
],
|
||||
deps = [
|
||||
":sandbox2",
|
||||
":testonly_allow_all_syscalls",
|
||||
"//sandboxed_api:config",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/util:status_matchers",
|
||||
|
|
@ -911,6 +933,7 @@ cc_test(
|
|||
":comms",
|
||||
":sandbox2",
|
||||
":sanitizer",
|
||||
":testonly_allow_all_syscalls",
|
||||
":util",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/util:status_matchers",
|
||||
|
|
@ -945,6 +968,7 @@ cc_test(
|
|||
":regs",
|
||||
":sandbox2",
|
||||
":stack_trace",
|
||||
":testonly_allow_all_syscalls",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
||||
"//sandboxed_api/util:fileops",
|
||||
|
|
@ -968,6 +992,7 @@ cc_test(
|
|||
deps = [
|
||||
":comms",
|
||||
":sandbox2",
|
||||
":testonly_allow_all_syscalls",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
||||
"//sandboxed_api/util:status_matchers",
|
||||
|
|
@ -1002,6 +1027,7 @@ cc_test(
|
|||
":comms",
|
||||
":policybuilder",
|
||||
":sandbox2",
|
||||
":testonly_allow_all_syscalls",
|
||||
"//sandboxed_api:config",
|
||||
"//sandboxed_api:testing",
|
||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
||||
|
|
|
|||
|
|
@ -17,6 +17,15 @@ add_subdirectory(unwind)
|
|||
add_subdirectory(util)
|
||||
add_subdirectory(network_proxy)
|
||||
|
||||
# sandboxed_api/sandbox2:allow_all_syscalls
|
||||
add_library(sandbox2_allow_all_syscalls ${SAPI_LIB_TYPE}
|
||||
allow_all_syscalls.h
|
||||
)
|
||||
add_library(sandbox2::allow_all_syscalls ALIAS sandbox2_allow_all_syscalls)
|
||||
target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
|
||||
sapi::base
|
||||
)
|
||||
|
||||
# sandboxed_api/sandbox2:bpfdisassembler
|
||||
add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
|
||||
bpfdisassembler.cc
|
||||
|
|
@ -796,6 +805,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
)
|
||||
target_link_libraries(sandbox2_namespace_test PRIVATE
|
||||
absl::strings
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::comms
|
||||
sapi::config
|
||||
sapi::fileops
|
||||
|
|
@ -905,6 +915,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
sandbox2::testcase_minimal
|
||||
)
|
||||
target_link_libraries(sandbox2_limits_test PRIVATE
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::bpf_helper
|
||||
sapi::config
|
||||
sandbox2::limits
|
||||
|
|
@ -987,6 +998,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
)
|
||||
target_link_libraries(sandbox2_sandbox2_test PRIVATE
|
||||
absl::strings
|
||||
sandbox2::allow_all_syscalls
|
||||
sapi::config
|
||||
sandbox2::sandbox2
|
||||
sapi::testing
|
||||
|
|
@ -1011,6 +1023,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
)
|
||||
target_link_libraries(sandbox2_sanitizer_test PRIVATE
|
||||
absl::strings
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::client
|
||||
sandbox2::comms
|
||||
|
|
@ -1054,6 +1067,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
absl::flags
|
||||
absl::status
|
||||
absl::strings
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::global_forkserver
|
||||
sandbox2::namespace
|
||||
|
|
@ -1082,6 +1096,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
sandbox2::testcase_ipc
|
||||
)
|
||||
target_link_libraries(sandbox2_ipc_test PRIVATE
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::comms
|
||||
sandbox2::ipc
|
||||
|
|
@ -1104,6 +1119,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
|||
)
|
||||
target_link_libraries(sandbox2_policybuilder_test
|
||||
PRIVATE absl::strings
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::comms
|
||||
sandbox2::policybuilder
|
||||
|
|
|
|||
|
|
@ -0,0 +1,27 @@
|
|||
// Copyright 2013 Google LLC
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// https://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#ifndef SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
|
||||
#define SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
|
||||
|
||||
namespace sandbox2 {
|
||||
|
||||
class AllowAllSyscalls {
|
||||
public:
|
||||
explicit AllowAllSyscalls() = default;
|
||||
};
|
||||
|
||||
} // namespace sandbox2
|
||||
|
||||
#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
|
||||
|
|
@ -31,6 +31,7 @@ cc_binary(
|
|||
copts = sapi_platform_copts(),
|
||||
deps = [
|
||||
"//sandboxed_api/sandbox2",
|
||||
"//sandboxed_api/sandbox2:allow_all_syscalls",
|
||||
"//sandboxed_api/sandbox2:util",
|
||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
||||
"//sandboxed_api/util:fileops",
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ target_link_libraries(sandbox2_sandbox2tool PRIVATE
|
|||
absl::log_initialize
|
||||
absl::strings
|
||||
absl::time
|
||||
sandbox2::allow_all_syscalls
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::sandbox2
|
||||
sandbox2::util
|
||||
|
|
|
|||
|
|
@ -43,6 +43,7 @@
|
|||
#include "absl/strings/str_format.h"
|
||||
#include "absl/strings/str_split.h"
|
||||
#include "absl/time/time.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/ipc.h"
|
||||
#include "sandboxed_api/sandbox2/limits.h"
|
||||
|
|
@ -162,7 +163,7 @@ int main(int argc, char* argv[]) {
|
|||
|
||||
sandbox2::PolicyBuilder builder;
|
||||
builder.AddPolicyOnSyscall(__NR_tee, {KILL});
|
||||
builder.DangerDefaultAllowAll();
|
||||
builder.DefaultAction(sandbox2::AllowAllSyscalls());
|
||||
|
||||
if (absl::GetFlag(FLAGS_sandbox2tool_need_networking)) {
|
||||
builder.AllowUnrestrictedNetworking();
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@
|
|||
|
||||
#include "gmock/gmock.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
|
|
@ -52,7 +53,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
|
||||
Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
|
|
@ -89,7 +90,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
|
||||
Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
|
|
@ -121,7 +122,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
|
||||
Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@
|
|||
#include "gmock/gmock.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
#include "sandboxed_api/sandbox2/policybuilder.h"
|
||||
|
|
@ -45,7 +46,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
sandbox2::PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
|
@ -63,7 +64,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
sandbox2::PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
|
@ -81,7 +82,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
sandbox2::PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
|
@ -99,7 +100,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
sandbox2::PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
|
@ -117,7 +118,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
sandbox2::PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
auto result = s2.Run();
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@
|
|||
#include "absl/strings/numbers.h"
|
||||
#include "absl/strings/str_cat.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
|
|
@ -73,7 +74,7 @@ TEST(NamespaceTest, FileNamespaceWorks) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "0", "/binary_path", "/etc/passwd"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.AddFileAt(path, "/binary_path")
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(2));
|
||||
|
|
@ -90,7 +91,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "0", "/temp_file"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.AddFileAt(name, "/temp_file")
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
|
|
@ -100,7 +101,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "1", "/temp_file"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.AddFileAt(name, "/temp_file")
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(1));
|
||||
|
|
@ -115,7 +116,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "2"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
}
|
||||
|
|
@ -126,7 +127,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
|
|||
path, {path, "2"},
|
||||
PolicyBuilder()
|
||||
.DisableNamespaces()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Ne(0));
|
||||
}
|
||||
|
|
@ -140,7 +141,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "3", "1000", "1000"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
}
|
||||
|
|
@ -151,7 +152,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
|
|||
path, {path, "3", absl::StrCat(getuid()), absl::StrCat(getgid())},
|
||||
PolicyBuilder()
|
||||
.DisableNamespaces()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
}
|
||||
|
|
@ -164,7 +165,7 @@ TEST(NamespaceTest, RootReadOnly) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "4", "/tmp/testfile", "/testfile"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(2));
|
||||
|
|
@ -176,7 +177,7 @@ TEST(NamespaceTest, RootWritable) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "4", "/testfile"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.SetRootWritable()
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
|
|
@ -188,7 +189,7 @@ TEST(HostnameTest, None) {
|
|||
path, {path, "sandbox2"},
|
||||
PolicyBuilder()
|
||||
.DisableNamespaces()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(1));
|
||||
}
|
||||
|
|
@ -198,7 +199,7 @@ TEST(HostnameTest, Default) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "sandbox2"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
}
|
||||
|
|
@ -208,7 +209,7 @@ TEST(HostnameTest, Configured) {
|
|||
int reason_code = RunSandboxeeWithArgsAndPolicy(
|
||||
path, {path, "configured"},
|
||||
PolicyBuilder()
|
||||
.DangerDefaultAllowAll() // Do not restrict syscalls
|
||||
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
|
||||
.SetHostname("configured")
|
||||
.BuildOrDie());
|
||||
EXPECT_THAT(reason_code, Eq(0));
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@
|
|||
#include "absl/strings/match.h"
|
||||
#include "absl/strings/string_view.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/namespace.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
||||
|
|
@ -1112,7 +1113,12 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
|
|||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
|
||||
user_policy_.push_back(ALLOW);
|
||||
default_action_ = ALLOW;
|
||||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
|
||||
default_action_ = ALLOW;
|
||||
return *this;
|
||||
}
|
||||
|
||||
|
|
@ -1185,6 +1191,9 @@ absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
|
|||
output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
|
||||
output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
|
||||
output->user_policy_ = std::move(user_policy_);
|
||||
if (default_action_) {
|
||||
output->user_policy_.push_back(*default_action_);
|
||||
}
|
||||
output->user_policy_.insert(output->user_policy_.end(),
|
||||
overridable_policy_.begin(),
|
||||
overridable_policy_.end());
|
||||
|
|
|
|||
|
|
@ -40,6 +40,8 @@ struct bpf_labels;
|
|||
|
||||
namespace sandbox2 {
|
||||
|
||||
class AllowAllSyscalls;
|
||||
|
||||
// PolicyBuilder is a helper class to simplify creation of policies. The builder
|
||||
// uses fluent interface for convenience and increased readability of policies.
|
||||
//
|
||||
|
|
@ -666,10 +668,13 @@ class PolicyBuilder final {
|
|||
// Enables/disables stack trace collection on normal process exit.
|
||||
PolicyBuilder& CollectStacktracesOnExit(bool enable);
|
||||
|
||||
// Appends an unconditional ALLOW action for all syscalls.
|
||||
// Changes the default action to ALLOW.
|
||||
// All syscalls not handled explicitly by the policy will thus be allowed.
|
||||
// Do not use in environment with untrusted code and/or data, ask
|
||||
// sandbox-team@ first if unsure.
|
||||
ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
|
||||
PolicyBuilder& DangerDefaultAllowAll();
|
||||
PolicyBuilder& DefaultAction(AllowAllSyscalls);
|
||||
|
||||
// Allows syscalls that are necessary for the NetworkProxyClient
|
||||
PolicyBuilder& AddNetworkProxyPolicy();
|
||||
|
|
@ -739,6 +744,7 @@ class PolicyBuilder final {
|
|||
// Seccomp fields
|
||||
std::vector<sock_filter> user_policy_;
|
||||
std::vector<sock_filter> overridable_policy_;
|
||||
std::optional<sock_filter> default_action_;
|
||||
bool user_policy_handles_bpf_ = false;
|
||||
bool user_policy_handles_ptrace_ = false;
|
||||
absl::flat_hash_set<uint32_t> handled_syscalls_;
|
||||
|
|
|
|||
|
|
@ -30,6 +30,7 @@
|
|||
#include "absl/strings/str_cat.h"
|
||||
#include "absl/strings/str_split.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/ipc.h"
|
||||
|
|
@ -109,8 +110,6 @@ TEST_F(PolicyBuilderTest, Testpolicy_size) {
|
|||
builder.AllowTCGETS(); assert_increased();
|
||||
builder.AllowTCGETS(); assert_increased();
|
||||
|
||||
builder.DangerDefaultAllowAll(); assert_increased();
|
||||
builder.DangerDefaultAllowAll(); assert_increased();
|
||||
builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
|
||||
builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
|
||||
|
||||
|
|
@ -160,7 +159,7 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
|
|||
bool network) {
|
||||
PolicyBuilder builder;
|
||||
// Don't restrict the syscalls at all.
|
||||
builder.DangerDefaultAllowAll();
|
||||
builder.DefaultAction(AllowAllSyscalls());
|
||||
|
||||
if constexpr (sapi::host_os::IsAndroid()) {
|
||||
builder.DisableNamespaces();
|
||||
|
|
@ -206,14 +205,15 @@ TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
|
|||
|
||||
TEST_F(PolicyBuilderTest, TestIsCopyable) {
|
||||
PolicyBuilder builder;
|
||||
builder.DangerDefaultAllowAll();
|
||||
builder.AllowSyscall(__NR_getpid);
|
||||
|
||||
PolicyBuilder copy = builder;
|
||||
ASSERT_EQ(PolicyBuilderPeer(©).policy_size(), 1);
|
||||
ASSERT_EQ(PolicyBuilderPeer(©).policy_size(),
|
||||
PolicyBuilderPeer(&builder).policy_size());
|
||||
|
||||
// Building both does not crash.
|
||||
builder.BuildOrDie();
|
||||
copy.BuildOrDie();
|
||||
// Both can be built.
|
||||
EXPECT_THAT(builder.TryBuild(), IsOk());
|
||||
EXPECT_THAT(copy.TryBuild(), IsOk());
|
||||
}
|
||||
|
||||
TEST_F(PolicyBuilderTest, TestEcho) {
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@
|
|||
#include "gtest/gtest.h"
|
||||
#include "absl/strings/str_cat.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
#include "sandboxed_api/sandbox2/policybuilder.h"
|
||||
|
|
@ -40,7 +41,7 @@ namespace {
|
|||
PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) {
|
||||
PolicyBuilder builder;
|
||||
// Don't restrict the syscalls at all.
|
||||
builder.DangerDefaultAllowAll();
|
||||
builder.DefaultAction(AllowAllSyscalls());
|
||||
if constexpr (sapi::sanitizers::IsAny()) {
|
||||
builder.AddLibrariesForBinary(path);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@
|
|||
#include "absl/container/flat_hash_set.h"
|
||||
#include "absl/log/log.h"
|
||||
#include "absl/strings/str_cat.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
|
|
@ -119,7 +120,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.TryBuild());
|
||||
|
||||
Sandbox2 s2(std::move(executor), std::move(policy));
|
||||
|
|
|
|||
|
|
@ -30,6 +30,7 @@
|
|||
#include "absl/flags/reflection.h"
|
||||
#include "absl/strings/match.h"
|
||||
#include "absl/strings/str_cat.h"
|
||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/executor.h"
|
||||
#include "sandboxed_api/sandbox2/global_forkclient.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
|
|
@ -74,7 +75,7 @@ void SymbolizationWorksCommon(
|
|||
|
||||
auto policybuilder = PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.AddFile(path)
|
||||
.AddLibrariesForBinary(path)
|
||||
.AddFileAt(temp_filename, "/proc/cpuinfo");
|
||||
|
|
@ -186,7 +187,7 @@ TEST(StackTraceTest, SymbolizationTrustedFilesOnly) {
|
|||
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
|
||||
PolicyBuilder()
|
||||
// Don't restrict the syscalls at all.
|
||||
.DangerDefaultAllowAll()
|
||||
.DefaultAction(AllowAllSyscalls())
|
||||
.AddFile(path)
|
||||
.AddLibrariesForBinary(path)
|
||||
.TryBuild());
|
||||
|
|
|
|||
Loading…
Reference in New Issue