mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Add DefaultAction(TraceAllSyscalls)
variant to PolicyBuilder
This helps write the kind of 'log, but allow' policy described in
[`notify.h`](b9c84a1f75/sandboxed_api/sandbox2/notify.h (L57)
) for all system calls not mentioned explicitly. One use case is writing a "permissive mode" runtime to give more information during development.
PiperOrigin-RevId: 603766051
Change-Id: I3c72f433a1e21c330b5dd9f1ede2faa570b75b09
This commit is contained in:
parent
044ba1cb90
commit
f708270f35
@ -40,6 +40,23 @@ cc_library(
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
|
||||
cc_library(
|
||||
name = "trace_all_syscalls",
|
||||
hdrs = ["trace_all_syscalls.h"],
|
||||
copts = sapi_platform_copts(),
|
||||
visibility = [
|
||||
"//sandboxed_api/sandbox2:__pkg__",
|
||||
],
|
||||
)
|
||||
|
||||
cc_library(
|
||||
name = "testonly_trace_all_syscalls",
|
||||
testonly = True,
|
||||
hdrs = ["trace_all_syscalls.h"],
|
||||
copts = sapi_platform_copts(),
|
||||
visibility = ["//visibility:public"],
|
||||
)
|
||||
|
||||
cc_library(
|
||||
name = "allow_unrestricted_networking",
|
||||
hdrs = ["allow_unrestricted_networking.h"],
|
||||
@ -563,6 +580,7 @@ cc_library(
|
||||
":namespace",
|
||||
":policy",
|
||||
":syscall",
|
||||
":trace_all_syscalls",
|
||||
":violation_cc_proto",
|
||||
"//sandboxed_api:config",
|
||||
"//sandboxed_api/sandbox2/network_proxy:filtering",
|
||||
@ -924,6 +942,7 @@ cc_test(
|
||||
deps = [
|
||||
":comms",
|
||||
":sandbox2",
|
||||
":trace_all_syscalls",
|
||||
"//sandboxed_api:testing",
|
||||
"@com_google_absl//absl/log",
|
||||
"@com_google_absl//absl/strings",
|
||||
|
@ -26,6 +26,15 @@ target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
|
||||
sapi::base
|
||||
)
|
||||
|
||||
# sandboxed_api/sandbox2:trace_all_syscalls
|
||||
add_library(sandbox2_trace_all_syscalls ${SAPI_LIB_TYPE}
|
||||
trace_all_syscalls.h
|
||||
)
|
||||
add_library(sandbox2::trace_all_syscalls ALIAS sandbox2_trace_all_syscalls)
|
||||
target_link_libraries(sandbox2_trace_all_syscalls PRIVATE
|
||||
sapi::base
|
||||
)
|
||||
|
||||
# sandboxed_api/sandbox2:allow_unrestricted_networking
|
||||
add_library(sandbox2_allow_unrestricted_networking ${SAPI_LIB_TYPE}
|
||||
allow_unrestricted_networking.h
|
||||
@ -994,6 +1003,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
|
||||
sandbox2::comms
|
||||
sandbox2::regs
|
||||
sandbox2::sandbox2
|
||||
sandbox2::trace_all_syscalls
|
||||
sapi::testing
|
||||
sapi::test_main
|
||||
)
|
||||
|
@ -33,6 +33,7 @@
|
||||
#include "sandboxed_api/sandbox2/policybuilder.h"
|
||||
#include "sandboxed_api/sandbox2/sandbox2.h"
|
||||
#include "sandboxed_api/sandbox2/syscall.h"
|
||||
#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
|
||||
#include "sandboxed_api/testing.h"
|
||||
|
||||
namespace sandbox2 {
|
||||
@ -126,5 +127,21 @@ TEST(NotifyTest, PrintPidAndComms) {
|
||||
EXPECT_THAT(result.reason_code(), Eq(33));
|
||||
}
|
||||
|
||||
// Test EventSyscallTrap on personality syscall through TraceAllSyscalls
|
||||
TEST(NotifyTest, TraceAllAllowPersonality) {
|
||||
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
|
||||
std::vector<std::string> args = {path};
|
||||
auto policy = CreateDefaultPermissiveTestPolicy(path)
|
||||
.DefaultAction(TraceAllSyscalls())
|
||||
.BuildOrDie();
|
||||
Sandbox2 s2(std::make_unique<Executor>(path, args),
|
||||
NotifyTestcasePolicy(path),
|
||||
std::make_unique<PersonalityNotify>(/*allow=*/true));
|
||||
auto result = s2.Run();
|
||||
|
||||
ASSERT_THAT(result.final_status(), Eq(Result::OK));
|
||||
EXPECT_THAT(result.reason_code(), Eq(22));
|
||||
}
|
||||
|
||||
} // namespace
|
||||
} // namespace sandbox2
|
||||
|
@ -60,6 +60,7 @@
|
||||
#include "sandboxed_api/sandbox2/namespace.h"
|
||||
#include "sandboxed_api/sandbox2/policy.h"
|
||||
#include "sandboxed_api/sandbox2/syscall.h"
|
||||
#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
|
||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
||||
#include "sandboxed_api/sandbox2/violation.pb.h"
|
||||
#include "sandboxed_api/util/path.h"
|
||||
@ -1244,6 +1245,11 @@ PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
|
||||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::DefaultAction(TraceAllSyscalls) {
|
||||
default_action_ = SANDBOX2_TRACE;
|
||||
return *this;
|
||||
}
|
||||
|
||||
absl::StatusOr<std::string> PolicyBuilder::ValidateAbsolutePath(
|
||||
absl::string_view path) {
|
||||
if (!file::IsAbsolutePath(path)) {
|
||||
|
@ -43,6 +43,7 @@ struct bpf_labels;
|
||||
namespace sandbox2 {
|
||||
|
||||
class AllowAllSyscalls;
|
||||
class TraceAllSyscalls;
|
||||
class UnrestrictedNetworking;
|
||||
|
||||
// PolicyBuilder is a helper class to simplify creation of policies. The builder
|
||||
@ -712,6 +713,12 @@ class PolicyBuilder final {
|
||||
// sandbox-team@ first if unsure.
|
||||
PolicyBuilder& DefaultAction(AllowAllSyscalls);
|
||||
|
||||
// Changes the default action to SANDBOX2_TRACE.
|
||||
// All syscalls not handled explicitly by the policy will be passed off to
|
||||
// the `sandbox2::Notify` implementation given to the `sandbox2::Sandbox2`
|
||||
// instance.
|
||||
PolicyBuilder& DefaultAction(TraceAllSyscalls);
|
||||
|
||||
ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
|
||||
PolicyBuilder& DangerDefaultAllowAll();
|
||||
|
||||
|
27
sandboxed_api/sandbox2/trace_all_syscalls.h
Normal file
27
sandboxed_api/sandbox2/trace_all_syscalls.h
Normal file
@ -0,0 +1,27 @@
|
||||
// Copyright 2024 Google LLC
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// https://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#ifndef SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_
|
||||
#define SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_
|
||||
|
||||
namespace sandbox2 {
|
||||
|
||||
class TraceAllSyscalls {
|
||||
public:
|
||||
explicit TraceAllSyscalls() = default;
|
||||
};
|
||||
|
||||
} // namespace sandbox2
|
||||
|
||||
#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
|
Loading…
x
Reference in New Issue
Block a user