Add DefaultAction(TraceAllSyscalls) variant to PolicyBuilder

This helps write the kind of 'log, but allow' policy described in
[`notify.h`](b9c84a1f75/sandboxed_api/sandbox2/notify.h (L57)) for all system calls not mentioned explicitly. One use case is writing a "permissive mode" runtime to give more information during development.

PiperOrigin-RevId: 603766051
Change-Id: I3c72f433a1e21c330b5dd9f1ede2faa570b75b09
This commit is contained in:
A. Cody Schuffelen 2024-02-02 13:00:50 -08:00 committed by Copybara-Service
parent 044ba1cb90
commit f708270f35
6 changed files with 86 additions and 0 deletions

View File

@ -40,6 +40,23 @@ cc_library(
visibility = ["//visibility:public"],
)
cc_library(
name = "trace_all_syscalls",
hdrs = ["trace_all_syscalls.h"],
copts = sapi_platform_copts(),
visibility = [
"//sandboxed_api/sandbox2:__pkg__",
],
)
cc_library(
name = "testonly_trace_all_syscalls",
testonly = True,
hdrs = ["trace_all_syscalls.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
)
cc_library(
name = "allow_unrestricted_networking",
hdrs = ["allow_unrestricted_networking.h"],
@ -563,6 +580,7 @@ cc_library(
":namespace",
":policy",
":syscall",
":trace_all_syscalls",
":violation_cc_proto",
"//sandboxed_api:config",
"//sandboxed_api/sandbox2/network_proxy:filtering",
@ -924,6 +942,7 @@ cc_test(
deps = [
":comms",
":sandbox2",
":trace_all_syscalls",
"//sandboxed_api:testing",
"@com_google_absl//absl/log",
"@com_google_absl//absl/strings",

View File

@ -26,6 +26,15 @@ target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
sapi::base
)
# sandboxed_api/sandbox2:trace_all_syscalls
add_library(sandbox2_trace_all_syscalls ${SAPI_LIB_TYPE}
trace_all_syscalls.h
)
add_library(sandbox2::trace_all_syscalls ALIAS sandbox2_trace_all_syscalls)
target_link_libraries(sandbox2_trace_all_syscalls PRIVATE
sapi::base
)
# sandboxed_api/sandbox2:allow_unrestricted_networking
add_library(sandbox2_allow_unrestricted_networking ${SAPI_LIB_TYPE}
allow_unrestricted_networking.h
@ -994,6 +1003,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::comms
sandbox2::regs
sandbox2::sandbox2
sandbox2::trace_all_syscalls
sapi::testing
sapi::test_main
)

View File

@ -33,6 +33,7 @@
#include "sandboxed_api/sandbox2/policybuilder.h"
#include "sandboxed_api/sandbox2/sandbox2.h"
#include "sandboxed_api/sandbox2/syscall.h"
#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
#include "sandboxed_api/testing.h"
namespace sandbox2 {
@ -126,5 +127,21 @@ TEST(NotifyTest, PrintPidAndComms) {
EXPECT_THAT(result.reason_code(), Eq(33));
}
// Test EventSyscallTrap on personality syscall through TraceAllSyscalls
TEST(NotifyTest, TraceAllAllowPersonality) {
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
std::vector<std::string> args = {path};
auto policy = CreateDefaultPermissiveTestPolicy(path)
.DefaultAction(TraceAllSyscalls())
.BuildOrDie();
Sandbox2 s2(std::make_unique<Executor>(path, args),
NotifyTestcasePolicy(path),
std::make_unique<PersonalityNotify>(/*allow=*/true));
auto result = s2.Run();
ASSERT_THAT(result.final_status(), Eq(Result::OK));
EXPECT_THAT(result.reason_code(), Eq(22));
}
} // namespace
} // namespace sandbox2

View File

@ -60,6 +60,7 @@
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/syscall.h"
#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
#include "sandboxed_api/sandbox2/violation.pb.h"
#include "sandboxed_api/util/path.h"
@ -1244,6 +1245,11 @@ PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
return *this;
}
PolicyBuilder& PolicyBuilder::DefaultAction(TraceAllSyscalls) {
default_action_ = SANDBOX2_TRACE;
return *this;
}
absl::StatusOr<std::string> PolicyBuilder::ValidateAbsolutePath(
absl::string_view path) {
if (!file::IsAbsolutePath(path)) {

View File

@ -43,6 +43,7 @@ struct bpf_labels;
namespace sandbox2 {
class AllowAllSyscalls;
class TraceAllSyscalls;
class UnrestrictedNetworking;
// PolicyBuilder is a helper class to simplify creation of policies. The builder
@ -712,6 +713,12 @@ class PolicyBuilder final {
// sandbox-team@ first if unsure.
PolicyBuilder& DefaultAction(AllowAllSyscalls);
// Changes the default action to SANDBOX2_TRACE.
// All syscalls not handled explicitly by the policy will be passed off to
// the `sandbox2::Notify` implementation given to the `sandbox2::Sandbox2`
// instance.
PolicyBuilder& DefaultAction(TraceAllSyscalls);
ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
PolicyBuilder& DangerDefaultAllowAll();

View File

@ -0,0 +1,27 @@
// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_
#define SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_
namespace sandbox2 {
class TraceAllSyscalls {
public:
explicit TraceAllSyscalls() = default;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_