diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index 0d9aed7..575c84a 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -133,8 +133,22 @@ PolicyBuilder& PolicyBuilder::OverridableBlockSyscallWithErrno(uint32_t num, return *this; } -PolicyBuilder& PolicyBuilder::AllowEpoll() { +PolicyBuilder& PolicyBuilder::AllowEpollWait() { return AllowSyscalls({ +#ifdef __NR_epoll_wait + __NR_epoll_wait, +#endif +#ifdef __NR_epoll_pwait + __NR_epoll_pwait, +#endif +#ifdef __NR_epoll_pwait2 + __NR_epoll_pwait2, +#endif + }); +} + +PolicyBuilder& PolicyBuilder::AllowEpoll() { + AllowSyscalls({ #ifdef __NR_epoll_create __NR_epoll_create, #endif @@ -144,14 +158,29 @@ PolicyBuilder& PolicyBuilder::AllowEpoll() { #ifdef __NR_epoll_ctl __NR_epoll_ctl, #endif -#ifdef __NR_epoll_wait - __NR_epoll_wait, + }); + + return AllowEpollWait(); +} + +PolicyBuilder& PolicyBuilder::AllowInotifyInit() { + return AllowSyscalls({ +#ifdef __NR_inotify_init + __NR_inotify_init, #endif -#ifdef __NR_epoll_pwait - __NR_epoll_pwait, +#ifdef __NR_inotify_init1 + __NR_inotify_init1, #endif -#ifdef __NR_epoll_pwait2 - __NR_epoll_pwait2, + }); +} + +PolicyBuilder& PolicyBuilder::AllowSelect() { + return AllowSyscalls({ +#ifdef __NR_select + __NR_select, +#endif +#ifdef __NR_pselect6 + __NR_pselect6, #endif }); } @@ -313,6 +342,9 @@ PolicyBuilder& PolicyBuilder::AllowMmap() { } PolicyBuilder& PolicyBuilder::AllowOpen() { +#ifdef __NR_creat + AllowSyscall(__NR_creat); +#endif #ifdef __NR_open AllowSyscall(__NR_open); #endif @@ -335,6 +367,12 @@ PolicyBuilder& PolicyBuilder::AllowStat() { #ifdef __NR_fstatat64 AllowSyscall(__NR_fstatat64); #endif +#ifdef __NR_fstatfs + AllowSyscall(__NR_fstatfs); +#endif +#ifdef __NR_fstatfs64 + AllowSyscall(__NR_fstatfs64); +#endif #ifdef __NR_lstat AllowSyscall(__NR_lstat); #endif @@ -378,6 +416,44 @@ PolicyBuilder& PolicyBuilder::AllowAccess() { return *this; } +PolicyBuilder& PolicyBuilder::AllowDup() { + AllowSyscall(__NR_dup); +#ifdef __NR_dup2 + AllowSyscall(__NR_dup2); +#endif + AllowSyscall(__NR_dup3); + return *this; +} + +PolicyBuilder& PolicyBuilder::AllowPipe() { +#ifdef __NR_pipe + AllowSyscall(__NR_pipe); +#endif + AllowSyscall(__NR_pipe2); + return *this; +} + +PolicyBuilder& PolicyBuilder::AllowChmod() { +#ifdef __NR_chmod + AllowSyscall(__NR_chmod); +#endif + AllowSyscall(__NR_fchmod); + AllowSyscall(__NR_fchmodat); + return *this; +} + +PolicyBuilder& PolicyBuilder::AllowChown() { +#ifdef __NR_chown + AllowSyscall(__NR_chown); +#endif +#ifdef __NR_lchown + AllowSyscall(__NR_lchown); +#endif + AllowSyscall(__NR_fchown); + AllowSyscall(__NR_fchownat); + return *this; +} + PolicyBuilder& PolicyBuilder::AllowRead() { return AllowSyscalls({ __NR_read, @@ -407,6 +483,67 @@ PolicyBuilder& PolicyBuilder::AllowReaddir() { }); } +PolicyBuilder& PolicyBuilder::AllowReadlink() { + return AllowSyscalls({ +#ifdef __NR_readlink + __NR_readlink, +#endif +#ifdef __NR_readlinkat + __NR_readlinkat, +#endif + }); +} + +PolicyBuilder& PolicyBuilder::AllowLink() { + return AllowSyscalls({ +#ifdef __NR_link + __NR_link, +#endif +#ifdef __NR_linkat + __NR_linkat, +#endif + }); +} + +PolicyBuilder& PolicyBuilder::AllowSymlink() { + return AllowSyscalls({ +#ifdef __NR_symlink + __NR_symlink, +#endif +#ifdef __NR_symlinkat + __NR_symlinkat, +#endif + }); +} + +PolicyBuilder& PolicyBuilder::AllowMkdir() { + return AllowSyscalls({ +#ifdef __NR_mkdir + __NR_mkdir, +#endif +#ifdef __NR_mkdirat + __NR_mkdirat, +#endif + }); +} + +PolicyBuilder& PolicyBuilder::AllowUtime() { + return AllowSyscalls({ +#ifdef __NR_futimens + __NR_futimens, +#endif +#ifdef __NR_utime + __NR_utime, +#endif +#ifdef __NR_utimes + __NR_utimes, +#endif +#ifdef __NR_utimensat + __NR_utimensat, +#endif + }); +} + PolicyBuilder& PolicyBuilder::AllowSafeFcntl() { return AddPolicyOnSyscalls({__NR_fcntl, #ifdef __NR_fcntl64 @@ -446,6 +583,14 @@ PolicyBuilder& PolicyBuilder::AllowWait() { __NR_wait4}); } +PolicyBuilder& PolicyBuilder::AllowAlarm() { + return AllowSyscalls({ +#ifdef __NR_alarm + __NR_alarm, +#endif + __NR_setitimer}); +} + PolicyBuilder& PolicyBuilder::AllowHandleSignals() { return AllowSyscalls({ __NR_rt_sigaction, @@ -563,6 +708,15 @@ PolicyBuilder& PolicyBuilder::AllowGetPIDs() { }); } +PolicyBuilder& PolicyBuilder::AllowGetPGIDs() { + return AllowSyscalls({ + __NR_getpgid, +#ifdef __NR_getpgrp + __NR_getpgrp, +#endif + }); +} + PolicyBuilder& PolicyBuilder::AllowGetRlimit() { return AllowSyscalls({ #ifdef __NR_getrlimit @@ -641,6 +795,9 @@ PolicyBuilder& PolicyBuilder::AllowLogForwarding() { PolicyBuilder& PolicyBuilder::AllowUnlink() { AllowSyscalls({ +#ifdef __NR_rmdir + __NR_rmdir, +#endif #ifdef __NR_unlink __NR_unlink, #endif @@ -649,6 +806,16 @@ PolicyBuilder& PolicyBuilder::AllowUnlink() { return *this; } +PolicyBuilder& PolicyBuilder::AllowPoll() { + AllowSyscalls({ +#ifdef __NR_poll + __NR_poll, +#endif + __NR_ppoll, + }); + return *this; +} + PolicyBuilder& PolicyBuilder::AllowRename() { AllowSyscalls({ #ifdef __NR_rename diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h index 118d2e7..c38e20e 100644 --- a/sandboxed_api/sandbox2/policybuilder.h +++ b/sandboxed_api/sandbox2/policybuilder.h @@ -119,6 +119,13 @@ class PolicyBuilder final { // Appends code to block a specific syscall and setting errno. PolicyBuilder& BlockSyscallWithErrno(uint32_t num, int error); + // Appends code to allow waiting for events on epoll file descriptors. + // Allows these syscalls: + // - epoll_wait + // - epoll_pwait + // - epoll_pwait2 + PolicyBuilder& AllowEpollWait(); + // Appends code to allow using epoll. // Allows these syscalls: // - epoll_create @@ -129,6 +136,18 @@ class PolicyBuilder final { // - epoll_pwait2 PolicyBuilder& AllowEpoll(); + // Appends code to allow initializing an inotify instance. + // Allows these syscalls: + // - inotify_init + // - inotify_init1 + PolicyBuilder& AllowInotifyInit(); + + // Appends code to allow synchronous I/O multiplexing. + // Allows these syscalls: + // - pselect6 + // - select + PolicyBuilder& AllowSelect(); + // Appends code to allow exiting. // Allows these syscalls: // - exit @@ -207,9 +226,9 @@ class PolicyBuilder final { // Appends code to allow calling futex with the given operation. PolicyBuilder& AllowFutexOp(int op); - // Appends code to allow opening files or directories. Specifically it allows - // these sycalls: - // + // Appends code to allow opening and possibly creating files or directories. + // Allows these sycalls: + // - creat // - open // - openat PolicyBuilder& AllowOpen(); @@ -241,6 +260,34 @@ class PolicyBuilder final { // - faccessat PolicyBuilder& AllowAccess(); + // Appends code to allow duplicating file descriptors. + // Allows these syscalls: + // - dup + // - dup2 + // - dup3 + PolicyBuilder& AllowDup(); + + // Appends code to allow creating pipes. + // Allows these syscalls: + // - pipe + // - pipe2 + PolicyBuilder& AllowPipe(); + + // Appends code to allow changing file permissions. + // Allows these syscalls: + // - chmod + // - fchmod + // - fchmodat + PolicyBuilder& AllowChmod(); + + // Appends code to allow changing file ownership. + // Allows these syscalls: + // - chown + // - lchown + // - fchown + // - fchownat + PolicyBuilder& AllowChown(); + // Appends code to the policy to allow reading from file descriptors. // Allows these sycalls: // - read @@ -263,6 +310,38 @@ class PolicyBuilder final { // - getdents64 PolicyBuilder& AllowReaddir(); + // Appends code to allow reading symbolic links. + // Allows these sycalls: + // - readlink + // - readlinkat + PolicyBuilder& AllowReadlink(); + + // Appends code to allow creating links. + // Allows these sycalls: + // - link + // - linkat + PolicyBuilder& AllowLink(); + + // Appends code to allow creating symbolic links. + // Allows these sycalls: + // - symlink + // - symlinkat + PolicyBuilder& AllowSymlink(); + + // Appends code to allow creating directories. + // Allows these sycalls: + // - mkdir + // - mkdirat + PolicyBuilder& AllowMkdir(); + + // Appends code to allow changing file timestamps. + // Allows these sycalls: + // - futimens + // - utime + // - utimensat + // - utimes + PolicyBuilder& AllowUtime(); + // Appends code to allow safe calls to fcntl. // Allows these sycalls: // - fcntl @@ -290,6 +369,12 @@ class PolicyBuilder final { // - wait4 PolicyBuilder& AllowWait(); + // Appends code to allow setting alarms / interval timers. + // Allows these sycalls: + // - alarm (on architectures where it exists) + // - setitimer + PolicyBuilder& AllowAlarm(); + // Appends code to allow setting up signal handlers, returning from them, etc. // Allows these sycalls: // - rt_sigaction @@ -334,6 +419,12 @@ class PolicyBuilder final { // - gettid PolicyBuilder& AllowGetPIDs(); + // Appends code to allow getting process groups. + // Allows these syscalls: + // - getpgid + // - getpgrp + PolicyBuilder& AllowGetPGIDs(); + // Appends code to allow getting the rlimits. // Allows these sycalls: // - getrlimit @@ -367,8 +458,9 @@ class PolicyBuilder final { // - close PolicyBuilder& AllowLogForwarding(); - // Appends code to allow deleting files + // Appends code to allow deleting files and directories. // Allows these syscalls: + // - rmdir (if available) // - unlink (if available) // - unlinkat PolicyBuilder& AllowUnlink(); @@ -380,6 +472,12 @@ class PolicyBuilder final { // - renameat2 PolicyBuilder& AllowRename(); + // Appends code to allow polling files. + // Allows these syscalls: + // - poll (if available) + // - ppoll + PolicyBuilder& AllowPoll(); + // Appends code to allow setting the name of a thread // Allows the following // - prctl(PR_SET_NAME, ...)