Update PolicyBuilder to include wrappers for more syscall families that differ between platforms.

New wrappers: - `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`) - `AllowInotifyInit` (`inotify_init`, `inotify_init1`) - `AllowSelect` (`select`, `pselect6`) - `AllowDup` (`dup`, `dup2`, `dup3`) - `AllowPipe` (`pipe`, `pipe2`) - `AllowChmod` (`chmod`, `fchmod`, `fchmodat`) - `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`) - `AllowReadlink` (`readlink`, `readlinkat`) - `AllowLink` (`link`, `linkat`) - `AllowSymlink` (`symlink`, `symlinkat`) - `AllowMkdir` (`mkdir`, `mkdirat`) - `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`) - `AllowAlarm` (`alarm`, `setitimer`) - `AllowGetPGIDs` (`getpgid`, `getpgrp`) - `AllowPoll` (`poll`, `ppoll`) Updated wrappers: - `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms. - `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident. - `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms. PiperOrigin-RevId: 495045432 Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
2024-03-22 13:11:30 +08:00 · 2022-12-13 09:31:29 -08:00 · 2022-12-13 09:31:29 -08:00 · aff27f4559
commit aff27f4559
parent 5b3450ac8d
2 changed files with 276 additions and 11 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -133,8 +133,22 @@ PolicyBuilder& PolicyBuilder::OverridableBlockSyscallWithErrno(uint32_t num,
  return *this;
 }

-PolicyBuilder& PolicyBuilder::AllowEpoll() {
+PolicyBuilder& PolicyBuilder::AllowEpollWait() {
  return AllowSyscalls({
+#ifdef __NR_epoll_wait
+      __NR_epoll_wait,
+#endif
+#ifdef __NR_epoll_pwait
+      __NR_epoll_pwait,
+#endif
+#ifdef __NR_epoll_pwait2
+      __NR_epoll_pwait2,
+#endif
+  });
+}
+
+PolicyBuilder& PolicyBuilder::AllowEpoll() {
+  AllowSyscalls({
 #ifdef __NR_epoll_create
      __NR_epoll_create,
 #endif
@ -144,14 +158,29 @@ PolicyBuilder& PolicyBuilder::AllowEpoll() {
 #ifdef __NR_epoll_ctl
      __NR_epoll_ctl,
 #endif
-#ifdef __NR_epoll_wait
-      __NR_epoll_wait,
+  });
+
+  return AllowEpollWait();
+}
+
+PolicyBuilder& PolicyBuilder::AllowInotifyInit() {
+  return AllowSyscalls({
+#ifdef __NR_inotify_init
+      __NR_inotify_init,
 #endif
-#ifdef __NR_epoll_pwait
-      __NR_epoll_pwait,
+#ifdef __NR_inotify_init1
+      __NR_inotify_init1,
 #endif
-#ifdef __NR_epoll_pwait2
-      __NR_epoll_pwait2,
+  });
+}
+
+PolicyBuilder& PolicyBuilder::AllowSelect() {
+  return AllowSyscalls({
+#ifdef __NR_select
+      __NR_select,
+#endif
+#ifdef __NR_pselect6
+      __NR_pselect6,
 #endif
  });
 }
@ -313,6 +342,9 @@ PolicyBuilder& PolicyBuilder::AllowMmap() {
 }

 PolicyBuilder& PolicyBuilder::AllowOpen() {
+#ifdef __NR_creat
+  AllowSyscall(__NR_creat);
+#endif
 #ifdef __NR_open
  AllowSyscall(__NR_open);
 #endif
@ -335,6 +367,12 @@ PolicyBuilder& PolicyBuilder::AllowStat() {
 #ifdef __NR_fstatat64
  AllowSyscall(__NR_fstatat64);
 #endif
+#ifdef __NR_fstatfs
+  AllowSyscall(__NR_fstatfs);
+#endif
+#ifdef __NR_fstatfs64
+  AllowSyscall(__NR_fstatfs64);
+#endif
 #ifdef __NR_lstat
  AllowSyscall(__NR_lstat);
 #endif
@ -378,6 +416,44 @@ PolicyBuilder& PolicyBuilder::AllowAccess() {
  return *this;
 }

+PolicyBuilder& PolicyBuilder::AllowDup() {
+  AllowSyscall(__NR_dup);
+#ifdef __NR_dup2
+  AllowSyscall(__NR_dup2);
+#endif
+  AllowSyscall(__NR_dup3);
+  return *this;
+}
+
+PolicyBuilder& PolicyBuilder::AllowPipe() {
+#ifdef __NR_pipe
+  AllowSyscall(__NR_pipe);
+#endif
+  AllowSyscall(__NR_pipe2);
+  return *this;
+}
+
+PolicyBuilder& PolicyBuilder::AllowChmod() {
+#ifdef __NR_chmod
+  AllowSyscall(__NR_chmod);
+#endif
+  AllowSyscall(__NR_fchmod);
+  AllowSyscall(__NR_fchmodat);
+  return *this;
+}
+
+PolicyBuilder& PolicyBuilder::AllowChown() {
+#ifdef __NR_chown
+  AllowSyscall(__NR_chown);
+#endif
+#ifdef __NR_lchown
+  AllowSyscall(__NR_lchown);
+#endif
+  AllowSyscall(__NR_fchown);
+  AllowSyscall(__NR_fchownat);
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowRead() {
  return AllowSyscalls({
      __NR_read,
@ -407,6 +483,67 @@ PolicyBuilder& PolicyBuilder::AllowReaddir() {
  });
 }

+PolicyBuilder& PolicyBuilder::AllowReadlink() {
+  return AllowSyscalls({
+#ifdef __NR_readlink
+      __NR_readlink,
+#endif
+#ifdef __NR_readlinkat
+      __NR_readlinkat,
+#endif
+  });
+}
+
+PolicyBuilder& PolicyBuilder::AllowLink() {
+  return AllowSyscalls({
+#ifdef __NR_link
+      __NR_link,
+#endif
+#ifdef __NR_linkat
+      __NR_linkat,
+#endif
+  });
+}
+
+PolicyBuilder& PolicyBuilder::AllowSymlink() {
+  return AllowSyscalls({
+#ifdef __NR_symlink
+      __NR_symlink,
+#endif
+#ifdef __NR_symlinkat
+      __NR_symlinkat,
+#endif
+  });
+}
+
+PolicyBuilder& PolicyBuilder::AllowMkdir() {
+  return AllowSyscalls({
+#ifdef __NR_mkdir
+      __NR_mkdir,
+#endif
+#ifdef __NR_mkdirat
+      __NR_mkdirat,
+#endif
+  });
+}
+
+PolicyBuilder& PolicyBuilder::AllowUtime() {
+  return AllowSyscalls({
+#ifdef __NR_futimens
+      __NR_futimens,
+#endif
+#ifdef __NR_utime
+      __NR_utime,
+#endif
+#ifdef __NR_utimes
+      __NR_utimes,
+#endif
+#ifdef __NR_utimensat
+      __NR_utimensat,
+#endif
+  });
+}
+
 PolicyBuilder& PolicyBuilder::AllowSafeFcntl() {
  return AddPolicyOnSyscalls({__NR_fcntl,
 #ifdef __NR_fcntl64
@ -446,6 +583,14 @@ PolicyBuilder& PolicyBuilder::AllowWait() {
      __NR_wait4});
 }

+PolicyBuilder& PolicyBuilder::AllowAlarm() {
+  return AllowSyscalls({
+#ifdef __NR_alarm
+      __NR_alarm,
+#endif
+      __NR_setitimer});
+}
+
 PolicyBuilder& PolicyBuilder::AllowHandleSignals() {
  return AllowSyscalls({
      __NR_rt_sigaction,
@ -563,6 +708,15 @@ PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
  });
 }

+PolicyBuilder& PolicyBuilder::AllowGetPGIDs() {
+  return AllowSyscalls({
+      __NR_getpgid,
+#ifdef __NR_getpgrp
+      __NR_getpgrp,
+#endif
+  });
+}
+
 PolicyBuilder& PolicyBuilder::AllowGetRlimit() {
  return AllowSyscalls({
 #ifdef __NR_getrlimit
@ -641,6 +795,9 @@ PolicyBuilder& PolicyBuilder::AllowLogForwarding() {

 PolicyBuilder& PolicyBuilder::AllowUnlink() {
  AllowSyscalls({
+#ifdef __NR_rmdir
+      __NR_rmdir,
+#endif
 #ifdef __NR_unlink
      __NR_unlink,
 #endif
@ -649,6 +806,16 @@ PolicyBuilder& PolicyBuilder::AllowUnlink() {
  return *this;
 }

+PolicyBuilder& PolicyBuilder::AllowPoll() {
+  AllowSyscalls({
+#ifdef __NR_poll
+      __NR_poll,
+#endif
+      __NR_ppoll,
+  });
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowRename() {
  AllowSyscalls({
 #ifdef __NR_rename
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -119,6 +119,13 @@ class PolicyBuilder final {
  // Appends code to block a specific syscall and setting errno.
  PolicyBuilder& BlockSyscallWithErrno(uint32_t num, int error);

+  // Appends code to allow waiting for events on epoll file descriptors.
+  // Allows these syscalls:
+  // - epoll_wait
+  // - epoll_pwait
+  // - epoll_pwait2
+  PolicyBuilder& AllowEpollWait();
+
  // Appends code to allow using epoll.
  // Allows these syscalls:
  // - epoll_create
@ -129,6 +136,18 @@ class PolicyBuilder final {
  // - epoll_pwait2
  PolicyBuilder& AllowEpoll();

+  // Appends code to allow initializing an inotify instance.
+  // Allows these syscalls:
+  // - inotify_init
+  // - inotify_init1
+  PolicyBuilder& AllowInotifyInit();
+
+  // Appends code to allow synchronous I/O multiplexing.
+  // Allows these syscalls:
+  // - pselect6
+  // - select
+  PolicyBuilder& AllowSelect();
+
  // Appends code to allow exiting.
  // Allows these syscalls:
  // - exit
@ -207,9 +226,9 @@ class PolicyBuilder final {
  // Appends code to allow calling futex with the given operation.
  PolicyBuilder& AllowFutexOp(int op);

-  // Appends code to allow opening files or directories. Specifically it allows
-  // these sycalls:
-  //
+  // Appends code to allow opening and possibly creating files or directories.
+  // Allows these sycalls:
+  // - creat
  // - open
  // - openat
  PolicyBuilder& AllowOpen();
@ -241,6 +260,34 @@ class PolicyBuilder final {
  // - faccessat
  PolicyBuilder& AllowAccess();

+  // Appends code to allow duplicating file descriptors.
+  // Allows these syscalls:
+  // - dup
+  // - dup2
+  // - dup3
+  PolicyBuilder& AllowDup();
+
+  // Appends code to allow creating pipes.
+  // Allows these syscalls:
+  // - pipe
+  // - pipe2
+  PolicyBuilder& AllowPipe();
+
+  // Appends code to allow changing file permissions.
+  // Allows these syscalls:
+  // - chmod
+  // - fchmod
+  // - fchmodat
+  PolicyBuilder& AllowChmod();
+
+  // Appends code to allow changing file ownership.
+  // Allows these syscalls:
+  // - chown
+  // - lchown
+  // - fchown
+  // - fchownat
+  PolicyBuilder& AllowChown();
+
  // Appends code to the policy to allow reading from file descriptors.
  // Allows these sycalls:
  // - read
@ -263,6 +310,38 @@ class PolicyBuilder final {
  // - getdents64
  PolicyBuilder& AllowReaddir();

+  // Appends code to allow reading symbolic links.
+  // Allows these sycalls:
+  // - readlink
+  // - readlinkat
+  PolicyBuilder& AllowReadlink();
+
+  // Appends code to allow creating links.
+  // Allows these sycalls:
+  // - link
+  // - linkat
+  PolicyBuilder& AllowLink();
+
+  // Appends code to allow creating symbolic links.
+  // Allows these sycalls:
+  // - symlink
+  // - symlinkat
+  PolicyBuilder& AllowSymlink();
+
+  // Appends code to allow creating directories.
+  // Allows these sycalls:
+  // - mkdir
+  // - mkdirat
+  PolicyBuilder& AllowMkdir();
+
+  // Appends code to allow changing file timestamps.
+  // Allows these sycalls:
+  // - futimens
+  // - utime
+  // - utimensat
+  // - utimes
+  PolicyBuilder& AllowUtime();
+
  // Appends code to allow safe calls to fcntl.
  // Allows these sycalls:
  // - fcntl
@ -290,6 +369,12 @@ class PolicyBuilder final {
  // - wait4
  PolicyBuilder& AllowWait();

+  // Appends code to allow setting alarms / interval timers.
+  // Allows these sycalls:
+  // - alarm (on architectures where it exists)
+  // - setitimer
+  PolicyBuilder& AllowAlarm();
+
  // Appends code to allow setting up signal handlers, returning from them, etc.
  // Allows these sycalls:
  // - rt_sigaction
@ -334,6 +419,12 @@ class PolicyBuilder final {
  // - gettid
  PolicyBuilder& AllowGetPIDs();

+  // Appends code to allow getting process groups.
+  // Allows these syscalls:
+  // - getpgid
+  // - getpgrp
+  PolicyBuilder& AllowGetPGIDs();
+
  // Appends code to allow getting the rlimits.
  // Allows these sycalls:
  // - getrlimit
@ -367,8 +458,9 @@ class PolicyBuilder final {
  // - close
  PolicyBuilder& AllowLogForwarding();

-  // Appends code to allow deleting files
+  // Appends code to allow deleting files and directories.
  // Allows these syscalls:
+  // - rmdir (if available)
  // - unlink (if available)
  // - unlinkat
  PolicyBuilder& AllowUnlink();
@ -380,6 +472,12 @@ class PolicyBuilder final {
  // - renameat2
  PolicyBuilder& AllowRename();

+  // Appends code to allow polling files.
+  // Allows these syscalls:
+  // - poll (if available)
+  // - ppoll
+  PolicyBuilder& AllowPoll();
+
  // Appends code to allow setting the name of a thread
  // Allows the following
  // - prctl(PR_SET_NAME, ...)