Implements the ability to control who is allowed to enable unrestricted networking.
PiperOrigin-RevId: 529309275 Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
This commit is contained in:
parent
f6fd27618b
commit
9ab20c5411
|
@ -42,6 +42,27 @@ cc_library(
|
||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
cc_library(
|
||||||
|
name = "allow_unrestricted_networking",
|
||||||
|
hdrs = [
|
||||||
|
"allow_unrestricted_networking.h",
|
||||||
|
],
|
||||||
|
copts = sapi_platform_copts(),
|
||||||
|
visibility = [
|
||||||
|
"//sandboxed_api/sandbox2:__pkg__",
|
||||||
|
"//sandboxed_api/sandbox2/examples/tool:__pkg__",
|
||||||
|
"//sandboxed_api/sandbox2/performance:__pkg__",
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
cc_library(
|
||||||
|
name = "testonly_allow_unrestricted_networking",
|
||||||
|
testonly = True,
|
||||||
|
hdrs = ["allow_unrestricted_networking.h"],
|
||||||
|
copts = sapi_platform_copts(),
|
||||||
|
visibility = ["//visibility:public"],
|
||||||
|
)
|
||||||
|
|
||||||
cc_library(
|
cc_library(
|
||||||
name = "bpfdisassembler",
|
name = "bpfdisassembler",
|
||||||
srcs = ["bpfdisassembler.cc"],
|
srcs = ["bpfdisassembler.cc"],
|
||||||
|
@ -519,6 +540,7 @@ cc_library(
|
||||||
copts = sapi_platform_copts(),
|
copts = sapi_platform_copts(),
|
||||||
deps = [
|
deps = [
|
||||||
":allow_all_syscalls",
|
":allow_all_syscalls",
|
||||||
|
":allow_unrestricted_networking",
|
||||||
":mounts",
|
":mounts",
|
||||||
":namespace",
|
":namespace",
|
||||||
":policy",
|
":policy",
|
||||||
|
|
|
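Review bot: The `visibility` list on the new `allow_unrestricted_networking` rule in the first hunk is the actual access control this change introduces, yet nothing in the rule says so, and a later maintainer may widen it as a routine build fix. I would put a comment directly above that attribute: `# This visibility list is the access control: only packages listed here may pass UnrestrictedNetworking to PolicyBuilder::Allow(). Widening it needs a security review.` The public `testonly_allow_unrestricted_networking` target relies on `testonly = True` to keep the header out of production binaries, and a one-line comment saying that is why it exists separately would make the intent survive refactors. The second hunk (at 519) only adds the dependency and needs nothing.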
@ -26,6 +26,15 @@ target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
|
||||||
sapi::base
|
sapi::base
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# sandboxed_api/sandbox2:allow_unrestricted_networking
|
||||||
|
add_library(sandbox2_allow_unrestricted_networking ${SAPI_LIB_TYPE}
|
||||||
|
allow_unrestricted_networking.h
|
||||||
|
)
|
||||||
|
add_library(sandbox2::allow_unrestricted_networking ALIAS sandbox2_allow_unrestricted_networking)
|
||||||
|
target_link_libraries(sandbox2_allow_unrestricted_networking PRIVATE
|
||||||
|
sapi::base
|
||||||
|
)
|
||||||
|
|
||||||
# sandboxed_api/sandbox2:bpfdisassembler
|
# sandboxed_api/sandbox2:bpfdisassembler
|
||||||
add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
|
add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
|
||||||
bpfdisassembler.cc
|
bpfdisassembler.cc
|
||||||
|
@ -833,6 +842,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
||||||
target_link_libraries(sandbox2_namespace_test PRIVATE
|
target_link_libraries(sandbox2_namespace_test PRIVATE
|
||||||
absl::strings
|
absl::strings
|
||||||
sandbox2::allow_all_syscalls
|
sandbox2::allow_all_syscalls
|
||||||
|
sandbox2::allow_unrestricted_networking
|
||||||
sapi::config
|
sapi::config
|
||||||
sapi::fileops
|
sapi::fileops
|
||||||
sandbox2::namespace
|
sandbox2::namespace
|
||||||
|
|
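Review bot: The CMake target `sandbox2_allow_unrestricted_networking` in the hunk at 26 has no equivalent of the Bazel visibility allowlist, so under the CMake build any consumer can link `sandbox2::allow_unrestricted_networking` and the restriction described by this commit is enforced only for Bazel users. That may be acceptable for the out-of-tree build, but it should be stated next to the target, e.g. `# NOTE: the who-may-use-this restriction lives in the BUILD visibility; CMake cannot enforce it.` The test hunk at 833 only adds the link dependency and needs nothing.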
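--- /dev/null
+++ b/sandboxed_api/sandbox2/allow_unrestricted_networking.h
@@ -0,0 +1,29 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef SANDBOXED_API_SANDBOX2_ALLOW_UNRESTRICTED_NETWORKING_H_
+#define SANDBOXED_API_SANDBOX2_ALLOW_UNRESTRICTED_NETWORKING_H_
+
+// #include "sandboxed_api/sandbox2/policybuilder.h"
+
+namespace sandbox2 {
+
+class UnrestrictedNetworking {
+public:
+explicit UnrestrictedNetworking() = default;
+};
+
+} // namespace sandbox2
+
+#endif // SANDBOXED_API_SANDBOX2_ALLOW_UNRESTRICTED_NETWORKING_H_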
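Review bot: The new header carries a commented-out `#include` of policybuilder.h and no comment explaining what the class is for, which matters here because the type exists only to be visibility-restricted. I would drop the dead include line and put a comment above the class: `// Tag type for PolicyBuilder::Allow(). The library exporting it is visibility-restricted in BUILD, so being allowed to link against it is what grants the ability to disable the network namespace.` The `explicit` default constructor also deserves a short comment, since it is what makes `Allow({})` ill-formed and forces callers to spell the tag type out; if that is not the intent, `explicit` can simply go.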
@ -45,6 +45,7 @@
|
||||||
#include "absl/strings/string_view.h"
|
#include "absl/strings/string_view.h"
|
||||||
#include "sandboxed_api/config.h"
|
#include "sandboxed_api/config.h"
|
||||||
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
|
||||||
|
#include "sandboxed_api/sandbox2/allow_unrestricted_networking.h"
|
||||||
#include "sandboxed_api/sandbox2/namespace.h"
|
#include "sandboxed_api/sandbox2/namespace.h"
|
||||||
#include "sandboxed_api/sandbox2/policy.h"
|
#include "sandboxed_api/sandbox2/policy.h"
|
||||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
||||||
|
@ -99,6 +100,12 @@ bool IsOnReadOnlyDev(const std::string& path) {
|
||||||
|
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
PolicyBuilder& PolicyBuilder::Allow(UnrestrictedNetworking tag) {
|
||||||
|
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
||||||
|
allow_unrestricted_networking_ = true;
|
||||||
|
return *this;
|
||||||
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowSyscall(uint32_t num) {
|
PolicyBuilder& PolicyBuilder::AllowSyscall(uint32_t num) {
|
||||||
if (handled_syscalls_.insert(num).second) {
|
if (handled_syscalls_.insert(num).second) {
|
||||||
user_policy_.insert(user_policy_.end(), {SYSCALL(num, ALLOW)});
|
user_policy_.insert(user_policy_.end(), {SYSCALL(num, ALLOW)});
|
||||||
|
@ -1335,11 +1342,9 @@ PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
|
||||||
return *this;
|
return *this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Use Allow(UnrestrictedNetworking()) instead.
|
||||||
PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() {
|
PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() {
|
||||||
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
|
return Allow(UnrestrictedNetworking());
|
||||||
allow_unrestricted_networking_ = true;
|
|
||||||
|
|
||||||
return *this;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) {
|
PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) {
|
||||||
|
|
|
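Review bot: `AllowUnrestrictedNetworking()` in the hunk at 1335 remains a public member and now just forwards to `Allow(UnrestrictedNetworking())`, so any caller can still disable the network namespace without being on the BUILD allowlist; the visibility control only takes effect once that legacy entry point is removed or restricted. Until then the deprecation lives only in a `.cc` comment; marking the declaration in policybuilder.h (not in this diff) with `ABSL_DEPRECATED("Use Allow(UnrestrictedNetworking()) instead.")` would at least surface the remaining callers as compiler warnings. In the hunk at 99 the `tag` parameter of `Allow(UnrestrictedNetworking tag)` is never read; `PolicyBuilder::Allow(UnrestrictedNetworking /*tag*/)` documents that and avoids an unused-parameter warning.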
@ -41,6 +41,7 @@ struct bpf_labels;
|
||||||
namespace sandbox2 {
|
namespace sandbox2 {
|
||||||
|
|
||||||
class AllowAllSyscalls;
|
class AllowAllSyscalls;
|
||||||
|
class UnrestrictedNetworking;
|
||||||
|
|
||||||
// PolicyBuilder is a helper class to simplify creation of policies. The builder
|
// PolicyBuilder is a helper class to simplify creation of policies. The builder
|
||||||
// uses fluent interface for convenience and increased readability of policies.
|
// uses fluent interface for convenience and increased readability of policies.
|
||||||
|
@ -108,6 +109,26 @@ class PolicyBuilder final {
|
||||||
|
|
||||||
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
|
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
|
||||||
|
|
||||||
|
// Appends code to allow visibility restricted policy functionality.
|
||||||
|
//
|
||||||
|
// For example:
|
||||||
|
// Allow(sandbox2::UnrestrictedNetworking);
|
||||||
|
// This allows unrestricted network access by not creating a network
|
||||||
|
// namespace.
|
||||||
|
//
|
||||||
|
// Each type T is defined in an individual library and individually visibility
|
||||||
|
// restricted.
|
||||||
|
template <typename... T>
|
||||||
|
PolicyBuilder& Allow(T... tags) {
|
||||||
|
return (Allow(tags), ...);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Allows unrestricted access to the network by *not* creating a network
|
||||||
|
// namespace. Note that this only disables the network namespace. To
|
||||||
|
// actually allow networking, you would also need to allow networking
|
||||||
|
// syscalls. Calling this function will enable use of namespaces
|
||||||
|
PolicyBuilder& Allow(UnrestrictedNetworking tag);
|
||||||
|
|
||||||
// Appends code to allow a specific syscall
|
// Appends code to allow a specific syscall
|
||||||
PolicyBuilder& AllowSyscall(uint32_t num);
|
PolicyBuilder& AllowSyscall(uint32_t num);
|
||||||
|
|
||||||
|
|
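Review bot: The example in the new doc comment, `// Allow(sandbox2::UnrestrictedNetworking);`, names a type rather than an object and would not compile as written; it should read `// Allow(sandbox2::UnrestrictedNetworking());`. The variadic `Allow(T... tags)` folds into `Allow(tags)` per element, and for a tag type that has no dedicated non-template overload that inner call resolves back to the template itself, so a wrong tag compiles but recurses until the stack overflows; a `static_assert` that each `T` is one of the supported tag types, or giving the per-tag overloads a distinct private name that the fold calls, turns that into a compile error. The per-tag comment also stops mid-sentence at `Calling this function will enable use of namespaces` and needs a terminating period. The `PolicyBuilder` class continues outside this hunk.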