Implements the ability to control who is allowed to enable unrestricted networking.

PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
This commit is contained in:
Oliver Kunz 2023-05-03 23:29:00 -07:00 committed by Copybara-Service
parent f6fd27618b
commit 9ab20c5411
5 changed files with 91 additions and 4 deletions


@ -42,6 +42,27 @@ cc_library(
visibility = ["//visibility:public"], visibility = ["//visibility:public"],
) )
cc_library(
name = "allow_unrestricted_networking",
hdrs = [
"allow_unrestricted_networking.h",
],
copts = sapi_platform_copts(),
visibility = [
"//sandboxed_api/sandbox2:__pkg__",
"//sandboxed_api/sandbox2/examples/tool:__pkg__",
"//sandboxed_api/sandbox2/performance:__pkg__",
],
)
cc_library(
name = "testonly_allow_unrestricted_networking",
testonly = True,
hdrs = ["allow_unrestricted_networking.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
)
cc_library( cc_library(
name = "bpfdisassembler", name = "bpfdisassembler",
srcs = ["bpfdisassembler.cc"], srcs = ["bpfdisassembler.cc"],
@ -519,6 +540,7 @@ cc_library(
copts = sapi_platform_copts(), copts = sapi_platform_copts(),
deps = [ deps = [
":allow_all_syscalls", ":allow_all_syscalls",
":allow_unrestricted_networking",
":mounts", ":mounts",
":namespace", ":namespace",
":policy", ":policy",


@ -26,6 +26,15 @@ target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
sapi::base sapi::base
) )
# sandboxed_api/sandbox2:allow_unrestricted_networking
add_library(sandbox2_allow_unrestricted_networking ${SAPI_LIB_TYPE}
allow_unrestricted_networking.h
)
add_library(sandbox2::allow_unrestricted_networking ALIAS sandbox2_allow_unrestricted_networking)
target_link_libraries(sandbox2_allow_unrestricted_networking PRIVATE
sapi::base
)
# sandboxed_api/sandbox2:bpfdisassembler # sandboxed_api/sandbox2:bpfdisassembler
add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE} add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
bpfdisassembler.cc bpfdisassembler.cc
@ -833,6 +842,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
target_link_libraries(sandbox2_namespace_test PRIVATE target_link_libraries(sandbox2_namespace_test PRIVATE
absl::strings absl::strings
sandbox2::allow_all_syscalls sandbox2::allow_all_syscalls
sandbox2::allow_unrestricted_networking
sapi::config sapi::config
sapi::fileops sapi::fileops
sandbox2::namespace sandbox2::namespace
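Review bot: The new CMake target `sandbox2_allow_unrestricted_networking` carries none of the access restriction that the Bazel rule in the BUILD hunk expresses through its `visibility` list, so in a CMake build any target can link `sandbox2::allow_unrestricted_networking`, include the header and construct the tag. The control over who may enable unrestricted networking that the commit describes is therefore effective only for Bazel consumers, and the `testonly` variant added in BUILD has no CMake counterpart either. CMake has no visibility mechanism, so this is likely unavoidable, but it should be stated next to the target rather than left implicit, e.g. `# NOTE: CMake cannot express the Bazel visibility allow-list on this target;` / `# the restriction on enabling unrestricted networking is only enforced in Bazel builds.`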


@ -0,0 +1,29 @@
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_ALLOW_UNRESTRICTED_NETWORKING_H_
#define SANDBOXED_API_SANDBOX2_ALLOW_UNRESTRICTED_NETWORKING_H_
// #include "sandboxed_api/sandbox2/policybuilder.h"
namespace sandbox2 {
class UnrestrictedNetworking {
public:
explicit UnrestrictedNetworking() = default;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_ALLOW_UNRESTRICTED_NETWORKING_H_
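Review bot: `UnrestrictedNetworking` is the token whose build-target visibility gates the feature, but the header does not say so; a reader sees an empty class with an `explicit` defaulted default constructor and has no way to know that the restriction lives in the Bazel `visibility` list or why `explicit` is there (presumably so that `Allow({})` is rejected and a caller must spell the type, which requires including this header). Suggest a comment above the class: `// Tag type for PolicyBuilder::Allow(). Who may construct it is controlled by` / `// the visibility of this header's build target; the explicit default` / `// constructor additionally rejects Allow({}).` The commented-out `// #include "sandboxed_api/sandbox2/policybuilder.h"` after the include guard is dead text and should be removed.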


@ -45,6 +45,7 @@
#include "absl/strings/string_view.h" #include "absl/strings/string_view.h"
#include "sandboxed_api/config.h" #include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h" #include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/allow_unrestricted_networking.h"
#include "sandboxed_api/sandbox2/namespace.h" #include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h"
@ -99,6 +100,12 @@ bool IsOnReadOnlyDev(const std::string& path) {
} // namespace } // namespace
PolicyBuilder& PolicyBuilder::Allow(UnrestrictedNetworking tag) {
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations)
allow_unrestricted_networking_ = true;
return *this;
}
PolicyBuilder& PolicyBuilder::AllowSyscall(uint32_t num) { PolicyBuilder& PolicyBuilder::AllowSyscall(uint32_t num) {
if (handled_syscalls_.insert(num).second) { if (handled_syscalls_.insert(num).second) {
user_policy_.insert(user_policy_.end(), {SYSCALL(num, ALLOW)}); user_policy_.insert(user_policy_.end(), {SYSCALL(num, ALLOW)});
@ -1335,11 +1342,9 @@ PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
return *this; return *this;
} }
// Use Allow(UnrestrictedNetworking()) instead.
PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() { PolicyBuilder& PolicyBuilder::AllowUnrestrictedNetworking() {
EnableNamespaces(); // NOLINT(clang-diagnostic-deprecated-declarations) return Allow(UnrestrictedNetworking());
allow_unrestricted_networking_ = true;
return *this;
} }
PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) { PolicyBuilder& PolicyBuilder::SetHostname(absl::string_view hostname) {
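Review bot: `PolicyBuilder::AllowUnrestrictedNetworking()` stays a public member and now simply forwards to `Allow(UnrestrictedNetworking())`, so any caller can still enable unrestricted networking without depending on the visibility-restricted `allow_unrestricted_networking` target; the gate this commit introduces is bypassable until the legacy method is removed. The only deprecation signal is the comment `// Use Allow(UnrestrictedNetworking()) instead.` on the definition, which callers never see; the declaration (outside this hunk, in policybuilder.h) should carry `[[deprecated("Use Allow(UnrestrictedNetworking()) instead")]]` so existing users get a compiler warning and the removal can be tracked. In the new `Allow(UnrestrictedNetworking tag)` the parameter is unused; dropping the name, `PolicyBuilder& PolicyBuilder::Allow(UnrestrictedNetworking) {`, avoids an unused-parameter warning and makes the tag-only role explicit.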


@ -41,6 +41,7 @@ struct bpf_labels;
namespace sandbox2 { namespace sandbox2 {
class AllowAllSyscalls; class AllowAllSyscalls;
class UnrestrictedNetworking;
// PolicyBuilder is a helper class to simplify creation of policies. The builder // PolicyBuilder is a helper class to simplify creation of policies. The builder
// uses fluent interface for convenience and increased readability of policies. // uses fluent interface for convenience and increased readability of policies.
@ -108,6 +109,26 @@ class PolicyBuilder final {
using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&; using BpfFunc = const std::function<std::vector<sock_filter>(bpf_labels&)>&;
// Appends code to allow visibility restricted policy functionality.
//
// For example:
// Allow(sandbox2::UnrestrictedNetworking);
// This allows unrestricted network access by not creating a network
// namespace.
//
// Each type T is defined in an individual library and individually visibility
// restricted.
template <typename... T>
PolicyBuilder& Allow(T... tags) {
return (Allow(tags), ...);
}
// Allows unrestricted access to the network by *not* creating a network
// namespace. Note that this only disables the network namespace. To
// actually allow networking, you would also need to allow networking
// syscalls. Calling this function will enable use of namespaces
PolicyBuilder& Allow(UnrestrictedNetworking tag);
// Appends code to allow a specific syscall // Appends code to allow a specific syscall
PolicyBuilder& AllowSyscall(uint32_t num); PolicyBuilder& AllowSyscall(uint32_t num);
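Review bot: The variadic `Allow(T... tags)` accepts a single argument of any type, and when no non-template `Allow` overload matches that type the fold `Allow(tags)` resolves to the same template specialization, so an unsupported tag compiles and recurses into itself at runtime instead of failing to compile. Restricting the template to two or more tags makes every single-tag call go through the explicit overloads and turns an unsupported tag into a compile error: `template <typename... T>` / `std::enable_if_t<(sizeof...(T) > 1), PolicyBuilder&> Allow(T... tags) {` (needs `<type_traits>`, which `<functional>` used for `BpfFunc` presumably already brings in — confirm). The usage example in the comment, `Allow(sandbox2::UnrestrictedNetworking);`, names a type rather than an object and would not compile; it should read `Allow(sandbox2::UnrestrictedNetworking());`. The last sentence of the comment on `Allow(UnrestrictedNetworking tag)`, "Calling this function will enable use of namespaces", is cut off and should end with a period. The enclosing `class PolicyBuilder` continues outside this hunk.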