Change the default action instead of appending ALLOW

Also create a visibility-restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
Wiktor Garbacz 2023-03-01 05:35:51 -08:00 committed by Copybara-Service
parent fbfbd13adf
commit 5a8a25e9ac
15 changed files with 128 additions and 35 deletions


@ -24,6 +24,24 @@ package(
licenses(["notice"]) licenses(["notice"])
cc_library(
name = "allow_all_syscalls",
hdrs = ["allow_all_syscalls.h"],
copts = sapi_platform_copts(),
visibility = [
"//sandboxed_api/sandbox2:__pkg__",
"//sandboxed_api/sandbox2/examples/tool:__pkg__",
],
)
cc_library(
name = "testonly_allow_all_syscalls",
testonly = True,
hdrs = ["allow_all_syscalls.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
)
cc_library( cc_library(
name = "bpfdisassembler", name = "bpfdisassembler",
srcs = ["bpfdisassembler.cc"], srcs = ["bpfdisassembler.cc"],
@ -472,6 +490,7 @@ cc_library(
hdrs = ["policybuilder.h"], hdrs = ["policybuilder.h"],
copts = sapi_platform_copts(), copts = sapi_platform_copts(),
deps = [ deps = [
":allow_all_syscalls",
":mounts", ":mounts",
":namespace", ":namespace",
":policy", ":policy",
@ -652,6 +671,7 @@ cc_test(
":comms", ":comms",
":namespace", ":namespace",
":sandbox2", ":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config", "//sandboxed_api:config",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/util:fileops", "//sandboxed_api/util:fileops",
@ -822,6 +842,7 @@ cc_test(
deps = [ deps = [
":limits", ":limits",
":sandbox2", ":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config", "//sandboxed_api:config",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers", "//sandboxed_api/util:status_matchers",
@ -890,6 +911,7 @@ cc_test(
], ],
deps = [ deps = [
":sandbox2", ":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config", "//sandboxed_api:config",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers", "//sandboxed_api/util:status_matchers",
@ -911,6 +933,7 @@ cc_test(
":comms", ":comms",
":sandbox2", ":sandbox2",
":sanitizer", ":sanitizer",
":testonly_allow_all_syscalls",
":util", ":util",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers", "//sandboxed_api/util:status_matchers",
@ -945,6 +968,7 @@ cc_test(
":regs", ":regs",
":sandbox2", ":sandbox2",
":stack_trace", ":stack_trace",
":testonly_allow_all_syscalls",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops", "//sandboxed_api/util:fileops",
@ -968,6 +992,7 @@ cc_test(
deps = [ deps = [
":comms", ":comms",
":sandbox2", ":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers", "//sandboxed_api/util:status_matchers",
@ -1002,6 +1027,7 @@ cc_test(
":comms", ":comms",
":policybuilder", ":policybuilder",
":sandbox2", ":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config", "//sandboxed_api:config",
"//sandboxed_api:testing", "//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/sandbox2/util:bpf_helper",
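Review bot: The visibility restriction on `allow_all_syscalls` only holds if header access is checked per direct dependency: `:policybuilder` now lists `:allow_all_syscalls` in plain `deps` (the added line in the `@ -472` hunk), and a cc_library re-exports its deps' headers to everything that depends on it, so any target depending on `:policybuilder` can `#include "sandboxed_api/sandbox2/allow_all_syscalls.h"` unless the build enables `layering_check`. If that feature is not on for this repository, and the Bazel version supports it, moving the edge to `implementation_deps = [":allow_all_syscalls"]` would keep the gate real, since policybuilder.h only forward-declares the class and does not need the header in its public interface. Otherwise document the assumption next to the target, e.g. `# Visibility gate assumes layering_check; policybuilder re-exports this header otherwise.` The `testonly_allow_all_syscalls` target shares the same header, so `testonly = True` is the only thing separating it, which is fine as long as no production target is itself marked testonly.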


@ -17,6 +17,15 @@ add_subdirectory(unwind)
add_subdirectory(util) add_subdirectory(util)
add_subdirectory(network_proxy) add_subdirectory(network_proxy)
# sandboxed_api/sandbox2:allow_all_syscalls
add_library(sandbox2_allow_all_syscalls ${SAPI_LIB_TYPE}
allow_all_syscalls.h
)
add_library(sandbox2::allow_all_syscalls ALIAS sandbox2_allow_all_syscalls)
target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
sapi::base
)
# sandboxed_api/sandbox2:bpfdisassembler # sandboxed_api/sandbox2:bpfdisassembler
add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE} add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
bpfdisassembler.cc bpfdisassembler.cc
@ -796,6 +805,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
) )
target_link_libraries(sandbox2_namespace_test PRIVATE target_link_libraries(sandbox2_namespace_test PRIVATE
absl::strings absl::strings
sandbox2::allow_all_syscalls
sandbox2::comms sandbox2::comms
sapi::config sapi::config
sapi::fileops sapi::fileops
@ -905,6 +915,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::testcase_minimal sandbox2::testcase_minimal
) )
target_link_libraries(sandbox2_limits_test PRIVATE target_link_libraries(sandbox2_limits_test PRIVATE
sandbox2::allow_all_syscalls
sandbox2::bpf_helper sandbox2::bpf_helper
sapi::config sapi::config
sandbox2::limits sandbox2::limits
@ -987,6 +998,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
) )
target_link_libraries(sandbox2_sandbox2_test PRIVATE target_link_libraries(sandbox2_sandbox2_test PRIVATE
absl::strings absl::strings
sandbox2::allow_all_syscalls
sapi::config sapi::config
sandbox2::sandbox2 sandbox2::sandbox2
sapi::testing sapi::testing
@ -1011,6 +1023,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
) )
target_link_libraries(sandbox2_sanitizer_test PRIVATE target_link_libraries(sandbox2_sanitizer_test PRIVATE
absl::strings absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::client sandbox2::client
sandbox2::comms sandbox2::comms
@ -1054,6 +1067,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
absl::flags absl::flags
absl::status absl::status
absl::strings absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::global_forkserver sandbox2::global_forkserver
sandbox2::namespace sandbox2::namespace
@ -1082,6 +1096,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::testcase_ipc sandbox2::testcase_ipc
) )
target_link_libraries(sandbox2_ipc_test PRIVATE target_link_libraries(sandbox2_ipc_test PRIVATE
sandbox2::allow_all_syscalls
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::comms sandbox2::comms
sandbox2::ipc sandbox2::ipc
@ -1104,6 +1119,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
) )
target_link_libraries(sandbox2_policybuilder_test target_link_libraries(sandbox2_policybuilder_test
PRIVATE absl::strings PRIVATE absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::comms sandbox2::comms
sandbox2::policybuilder sandbox2::policybuilder
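Review bot: The new `sandbox2_allow_all_syscalls` target carries none of the visibility or testonly restriction applied on the Bazel side, because CMake has no equivalent, so in this build any target can link it and include the header. A comment above the `add_library` would at least preserve the intent for CMake users: `# Bazel restricts this target to sandbox2 itself and to tests; keep it out of production targets here as well.` The library is needed outside the `if(BUILD_TESTING AND SAPI_BUILD_TESTING)` block (sandbox2tool links it in its own CMakeLists), so gating its definition on testing is not an option and the comment is the realistic fix.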


@ -0,0 +1,27 @@
// Copyright 2013 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
#define SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
namespace sandbox2 {
class AllowAllSyscalls {
public:
explicit AllowAllSyscalls() = default;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
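Review bot: `AllowAllSyscalls` has no comment explaining what it is for; as a header-only tag type, the visibility settings in BUILD are currently the only hint as to why it exists. Suggest above the class: `// Tag type for PolicyBuilder::DefaultAction(): selects ALLOW for every syscall the policy does not handle explicitly. Exposed only through restricted build targets on purpose; do not use with untrusted code or data.` The `explicit` on the defaulted constructor is presumably there to reject `DefaultAction({})`, so the type name always appears at the call site and stays greppable; that is worth a one-line comment, `// explicit: forces callers to spell out AllowAllSyscalls() rather than {}.`, because otherwise it reads as a no-op that the next cleanup will remove.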


@ -31,6 +31,7 @@ cc_binary(
copts = sapi_platform_copts(), copts = sapi_platform_copts(),
deps = [ deps = [
"//sandboxed_api/sandbox2", "//sandboxed_api/sandbox2",
"//sandboxed_api/sandbox2:allow_all_syscalls",
"//sandboxed_api/sandbox2:util", "//sandboxed_api/sandbox2:util",
"//sandboxed_api/sandbox2/util:bpf_helper", "//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops", "//sandboxed_api/util:fileops",


@ -27,6 +27,7 @@ target_link_libraries(sandbox2_sandbox2tool PRIVATE
absl::log_initialize absl::log_initialize
absl::strings absl::strings
absl::time absl::time
sandbox2::allow_all_syscalls
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::sandbox2 sandbox2::sandbox2
sandbox2::util sandbox2::util


@ -43,6 +43,7 @@
#include "absl/strings/str_format.h" #include "absl/strings/str_format.h"
#include "absl/strings/str_split.h" #include "absl/strings/str_split.h"
#include "absl/time/time.h" #include "absl/time/time.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/ipc.h" #include "sandboxed_api/sandbox2/ipc.h"
#include "sandboxed_api/sandbox2/limits.h" #include "sandboxed_api/sandbox2/limits.h"
@ -162,7 +163,7 @@ int main(int argc, char* argv[]) {
sandbox2::PolicyBuilder builder; sandbox2::PolicyBuilder builder;
builder.AddPolicyOnSyscall(__NR_tee, {KILL}); builder.AddPolicyOnSyscall(__NR_tee, {KILL});
builder.DangerDefaultAllowAll(); builder.DefaultAction(sandbox2::AllowAllSyscalls());
if (absl::GetFlag(FLAGS_sandbox2tool_need_networking)) { if (absl::GetFlag(FLAGS_sandbox2tool_need_networking)) {
builder.AllowUnrestrictedNetworking(); builder.AllowUnrestrictedNetworking();


@ -19,6 +19,7 @@
#include "gmock/gmock.h" #include "gmock/gmock.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
@ -52,7 +53,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder() PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy)); Sandbox2 s2(std::move(executor), std::move(policy));
@ -89,7 +90,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder() PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy)); Sandbox2 s2(std::move(executor), std::move(policy));
@ -121,7 +122,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder() PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy)); Sandbox2 s2(std::move(executor), std::move(policy));


@ -23,6 +23,7 @@
#include "gmock/gmock.h" #include "gmock/gmock.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include "sandboxed_api/config.h" #include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h" #include "sandboxed_api/sandbox2/policybuilder.h"
@ -45,7 +46,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder() sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy)); sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run(); auto result = s2.Run();
@ -63,7 +64,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder() sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy)); sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run(); auto result = s2.Run();
@ -81,7 +82,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder() sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy)); sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run(); auto result = s2.Run();
@ -99,7 +100,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder() sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy)); sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run(); auto result = s2.Run();
@ -117,7 +118,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder() sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy)); sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run(); auto result = s2.Run();


@ -29,6 +29,7 @@
#include "absl/strings/numbers.h" #include "absl/strings/numbers.h"
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "sandboxed_api/config.h" #include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
@ -73,7 +74,7 @@ TEST(NamespaceTest, FileNamespaceWorks) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "0", "/binary_path", "/etc/passwd"}, path, {path, "0", "/binary_path", "/etc/passwd"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(path, "/binary_path") .AddFileAt(path, "/binary_path")
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(2)); EXPECT_THAT(reason_code, Eq(2));
@ -90,7 +91,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "0", "/temp_file"}, path, {path, "0", "/temp_file"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(name, "/temp_file") .AddFileAt(name, "/temp_file")
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));
@ -100,7 +101,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "1", "/temp_file"}, path, {path, "1", "/temp_file"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(name, "/temp_file") .AddFileAt(name, "/temp_file")
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(1)); EXPECT_THAT(reason_code, Eq(1));
@ -115,7 +116,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "2"}, path, {path, "2"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));
} }
@ -126,7 +127,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
path, {path, "2"}, path, {path, "2"},
PolicyBuilder() PolicyBuilder()
.DisableNamespaces() .DisableNamespaces()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Ne(0)); EXPECT_THAT(reason_code, Ne(0));
} }
@ -140,7 +141,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "3", "1000", "1000"}, path, {path, "3", "1000", "1000"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));
} }
@ -151,7 +152,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
path, {path, "3", absl::StrCat(getuid()), absl::StrCat(getgid())}, path, {path, "3", absl::StrCat(getuid()), absl::StrCat(getgid())},
PolicyBuilder() PolicyBuilder()
.DisableNamespaces() .DisableNamespaces()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));
} }
@ -164,7 +165,7 @@ TEST(NamespaceTest, RootReadOnly) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "4", "/tmp/testfile", "/testfile"}, path, {path, "4", "/tmp/testfile", "/testfile"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */) .AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(2)); EXPECT_THAT(reason_code, Eq(2));
@ -176,7 +177,7 @@ TEST(NamespaceTest, RootWritable) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "4", "/testfile"}, path, {path, "4", "/testfile"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.SetRootWritable() .SetRootWritable()
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));
@ -188,7 +189,7 @@ TEST(HostnameTest, None) {
path, {path, "sandbox2"}, path, {path, "sandbox2"},
PolicyBuilder() PolicyBuilder()
.DisableNamespaces() .DisableNamespaces()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(1)); EXPECT_THAT(reason_code, Eq(1));
} }
@ -198,7 +199,7 @@ TEST(HostnameTest, Default) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "sandbox2"}, path, {path, "sandbox2"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));
} }
@ -208,7 +209,7 @@ TEST(HostnameTest, Configured) {
int reason_code = RunSandboxeeWithArgsAndPolicy( int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "configured"}, path, {path, "configured"},
PolicyBuilder() PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.SetHostname("configured") .SetHostname("configured")
.BuildOrDie()); .BuildOrDie());
EXPECT_THAT(reason_code, Eq(0)); EXPECT_THAT(reason_code, Eq(0));


@ -44,6 +44,7 @@
#include "absl/strings/match.h" #include "absl/strings/match.h"
#include "absl/strings/string_view.h" #include "absl/strings/string_view.h"
#include "sandboxed_api/config.h" #include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/namespace.h" #include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h"
@ -1112,7 +1113,12 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
} }
PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() { PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
user_policy_.push_back(ALLOW); default_action_ = ALLOW;
return *this;
}
PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
default_action_ = ALLOW;
return *this; return *this;
} }
@ -1185,6 +1191,9 @@ absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_; output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_; output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
output->user_policy_ = std::move(user_policy_); output->user_policy_ = std::move(user_policy_);
if (default_action_) {
output->user_policy_.push_back(*default_action_);
}
output->user_policy_.insert(output->user_policy_.end(), output->user_policy_.insert(output->user_policy_.end(),
overridable_policy_.begin(), overridable_policy_.begin(),
overridable_policy_.end()); overridable_policy_.end());
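Review bot: `DangerDefaultAllowAll()` and `DefaultAction(AllowAllSyscalls)` now have identical bodies; the deprecated one should delegate, `return DefaultAction(AllowAllSyscalls());`, so the two cannot drift apart. In `TryBuild()`, the appended `*default_action_` is a BPF return (ALLOW resolves to SECCOMP_RET_ALLOW), so the `overridable_policy_` entries inserted immediately after it are unreachable whenever a default action is set; this matches the old behaviour, where the ALLOW sat inside `user_policy_`, but now that the placement is centralised a comment such as `// A set default action is a terminal return; nothing appended after it runs.` would stop a reader from assuming overridable rules still apply under an allow-all default. Both hunks sit inside functions whose bodies continue outside the hunk.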


@ -40,6 +40,8 @@ struct bpf_labels;
namespace sandbox2 { namespace sandbox2 {
class AllowAllSyscalls;
// PolicyBuilder is a helper class to simplify creation of policies. The builder // PolicyBuilder is a helper class to simplify creation of policies. The builder
// uses fluent interface for convenience and increased readability of policies. // uses fluent interface for convenience and increased readability of policies.
// //
@ -666,10 +668,13 @@ class PolicyBuilder final {
// Enables/disables stack trace collection on normal process exit. // Enables/disables stack trace collection on normal process exit.
PolicyBuilder& CollectStacktracesOnExit(bool enable); PolicyBuilder& CollectStacktracesOnExit(bool enable);
// Appends an unconditional ALLOW action for all syscalls. // Changes the default action to ALLOW.
// All syscalls not handled explicitly by the policy will thus be allowed.
// Do not use in environment with untrusted code and/or data, ask // Do not use in environment with untrusted code and/or data, ask
// sandbox-team@ first if unsure. // sandbox-team@ first if unsure.
ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
PolicyBuilder& DangerDefaultAllowAll(); PolicyBuilder& DangerDefaultAllowAll();
PolicyBuilder& DefaultAction(AllowAllSyscalls);
// Allows syscalls that are necessary for the NetworkProxyClient // Allows syscalls that are necessary for the NetworkProxyClient
PolicyBuilder& AddNetworkProxyPolicy(); PolicyBuilder& AddNetworkProxyPolicy();
@ -739,6 +744,7 @@ class PolicyBuilder final {
// Seccomp fields // Seccomp fields
std::vector<sock_filter> user_policy_; std::vector<sock_filter> user_policy_;
std::vector<sock_filter> overridable_policy_; std::vector<sock_filter> overridable_policy_;
std::optional<sock_filter> default_action_;
bool user_policy_handles_bpf_ = false; bool user_policy_handles_bpf_ = false;
bool user_policy_handles_ptrace_ = false; bool user_policy_handles_ptrace_ = false;
absl::flat_hash_set<uint32_t> handled_syscalls_; absl::flat_hash_set<uint32_t> handled_syscalls_;
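Review bot: The new `DefaultAction(AllowAllSyscalls)` declaration has no comment, while the deprecated `DangerDefaultAllowAll()` keeps the warning about untrusted code; the warning belongs on the function callers are now steered towards. Suggest: `// Sets ALLOW as the action for every syscall not handled explicitly by the policy. Do not use in environments with untrusted code and/or data; ask sandbox-team@ first if unsure.` The shortened comment on the deprecated function also dropped the sentence stating that all unhandled syscalls become allowed, which is the consequence a reader most needs to see. Separately, `std::optional<sock_filter> default_action_` requires `<optional>`; the include block is outside this hunk, so confirm it is present.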


@ -30,6 +30,7 @@
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h" #include "absl/strings/str_split.h"
#include "sandboxed_api/config.h" #include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/ipc.h" #include "sandboxed_api/sandbox2/ipc.h"
@ -109,8 +110,6 @@ TEST_F(PolicyBuilderTest, Testpolicy_size) {
builder.AllowTCGETS(); assert_increased(); builder.AllowTCGETS(); assert_increased();
builder.AllowTCGETS(); assert_increased(); builder.AllowTCGETS(); assert_increased();
builder.DangerDefaultAllowAll(); assert_increased();
builder.DangerDefaultAllowAll(); assert_increased();
builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased(); builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased(); builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
@ -160,7 +159,7 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
bool network) { bool network) {
PolicyBuilder builder; PolicyBuilder builder;
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
builder.DangerDefaultAllowAll(); builder.DefaultAction(AllowAllSyscalls());
if constexpr (sapi::host_os::IsAndroid()) { if constexpr (sapi::host_os::IsAndroid()) {
builder.DisableNamespaces(); builder.DisableNamespaces();
@ -206,14 +205,15 @@ TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
TEST_F(PolicyBuilderTest, TestIsCopyable) { TEST_F(PolicyBuilderTest, TestIsCopyable) {
PolicyBuilder builder; PolicyBuilder builder;
builder.DangerDefaultAllowAll(); builder.AllowSyscall(__NR_getpid);
PolicyBuilder copy = builder; PolicyBuilder copy = builder;
ASSERT_EQ(PolicyBuilderPeer(&copy).policy_size(), 1); ASSERT_EQ(PolicyBuilderPeer(&copy).policy_size(),
PolicyBuilderPeer(&builder).policy_size());
// Building both does not crash. // Both can be built.
builder.BuildOrDie(); EXPECT_THAT(builder.TryBuild(), IsOk());
copy.BuildOrDie(); EXPECT_THAT(copy.TryBuild(), IsOk());
} }
TEST_F(PolicyBuilderTest, TestEcho) { TEST_F(PolicyBuilderTest, TestEcho) {
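Review bot: The removed `DangerDefaultAllowAll(); assert_increased();` checks are not replaced by anything that pins the new behaviour, namely that setting the default action no longer grows the policy at call time and that the ALLOW is emitted once regardless of how often or when `DefaultAction` is called. A minimal addition to `Testpolicy_size` would record `PolicyBuilderPeer(&builder).policy_size()`, call `builder.DefaultAction(AllowAllSyscalls());` twice, and expect the size unchanged after each call. The rewritten `TestIsCopyable` also no longer covers copying a builder that has a pending default action; copying after `DefaultAction` and asserting both `TryBuild()` results are ok would keep that path exercised.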


@ -27,6 +27,7 @@
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "sandboxed_api/config.h" #include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h" #include "sandboxed_api/sandbox2/policybuilder.h"
@ -40,7 +41,7 @@ namespace {
PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) { PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) {
PolicyBuilder builder; PolicyBuilder builder;
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
builder.DangerDefaultAllowAll(); builder.DefaultAction(AllowAllSyscalls());
if constexpr (sapi::sanitizers::IsAny()) { if constexpr (sapi::sanitizers::IsAny()) {
builder.AddLibrariesForBinary(path); builder.AddLibrariesForBinary(path);
} }


@ -29,6 +29,7 @@
#include "absl/container/flat_hash_set.h" #include "absl/container/flat_hash_set.h"
#include "absl/log/log.h" #include "absl/log/log.h"
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
@ -119,7 +120,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder() PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.TryBuild()); .TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy)); Sandbox2 s2(std::move(executor), std::move(policy));


@ -30,6 +30,7 @@
#include "absl/flags/reflection.h" #include "absl/flags/reflection.h"
#include "absl/strings/match.h" #include "absl/strings/match.h"
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h" #include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/global_forkclient.h" #include "sandboxed_api/sandbox2/global_forkclient.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
@ -74,7 +75,7 @@ void SymbolizationWorksCommon(
auto policybuilder = PolicyBuilder() auto policybuilder = PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.AddFile(path) .AddFile(path)
.AddLibrariesForBinary(path) .AddLibrariesForBinary(path)
.AddFileAt(temp_filename, "/proc/cpuinfo"); .AddFileAt(temp_filename, "/proc/cpuinfo");
@ -186,7 +187,7 @@ TEST(StackTraceTest, SymbolizationTrustedFilesOnly) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder() PolicyBuilder()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DefaultAction(AllowAllSyscalls())
.AddFile(path) .AddFile(path)
.AddLibrariesForBinary(path) .AddLibrariesForBinary(path)
.TryBuild()); .TryBuild());