StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity
1,272 Commits 1 Branch 3 Tags 144 MiB
3079d2b4e0
Commit Graph

103 Commits

Author SHA1 Message Date
Wiktor Garbacz
3079d2b4e0 Make Policy a simple copyable type 
PiperOrigin-RevId: 555146979
Change-Id: I83d7260d65d4291c418e6c8e80385cbdc8fbc758
 2023-08-09 06:44:22 -07:00
Wiktor Garbacz
48bbb06fe7 Move log warning about non-namespaced stacktraces 
PiperOrigin-RevId: 554493643
Change-Id: I27755322edcd7c0191cd125ec8ffdace18a6460c
 2023-08-07 09:07:06 -07:00
Sandboxed API Team
0a0ac6a66b Automated rollback of commit 4d625e521b. 
PiperOrigin-RevId: 553536999
Change-Id: If6ae319e54a3ea5eb88e00888044ba1088bd62d2
 2023-08-03 11:23:05 -07:00
Wiktor Garbacz
4d625e521b Move log warning about non-namespaced stacktraces 
PiperOrigin-RevId: 553472372
Change-Id: Iba43cba78edd1826afb29f49a7e08e919554ed80
 2023-08-03 07:37:54 -07:00
Oliver Kunz
04ed89906b Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers. 
In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy.

The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers.

PiperOrigin-RevId: 550845188
Change-Id: I151d467848983b00b71ec8447d662394fa7176db
 2023-07-25 04:38:43 -07:00
Wiktor Garbacz
9d1d4b7fd3 Disallow AddPolicyForSyscalls with an empty list 
PiperOrigin-RevId: 549887306
Change-Id: I05a97b39a2c92ad5ab2002c7af7e83a8184392cf
 2023-07-21 02:24:44 -07:00
Chris Kennelly
4ba75ea0a2 Allow TCMalloc users access to the possible cpus list. 
This is to facilitate online/offline core counting for an accurate count of the
maximum CPU ID that may be seen.

PiperOrigin-RevId: 548715133
Change-Id: I159c0d51b9800fa633172986ba4f8eca352ae336
 2023-07-17 09:31:22 -07:00
Wiktor Garbacz
f0e85cea13 Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced 
Use the new interface in AllowRestartableSequences.

PiperOrigin-RevId: 548619728
Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f
 2023-07-17 01:58:46 -07:00
Sandboxed API Team
cf43c0f02c Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc 
PiperOrigin-RevId: 540905937
Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db
 2023-06-16 09:34:07 -07:00
Oliver Kunz
9ab20c5411 Implements the ability to control who is allowed to enable unrestricted networking. 
PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
 2023-05-03 23:29:34 -07:00
Sandboxed API Team
18894d57f9 Add a helper method to allow the eventfd* family of syscalls. 
PiperOrigin-RevId: 518565738
Change-Id: I2a3efe069ab1da65dd5f7cdcd3762637b7274b49
 2023-03-22 07:46:56 -07:00
Sandboxed API Team
80cc894c39 Allow sched_getaffinity with sanitizers 
PiperOrigin-RevId: 515024410
Change-Id: I7c48d701b0c3ecab41c3363f8cb46a1c8fa6d97e
 2023-03-08 06:51:19 -08:00
Wiktor Garbacz
550b26587f Implement DangerDefaultAllowAll using DefaultAction(AllowAllSyscalls()) 
PiperOrigin-RevId: 513861597
Change-Id: I6e4038648a005bbe57ca33a4c0466f5af2184da8
 2023-03-03 10:26:32 -08:00
Wiktor Garbacz
5a8a25e9ac Change the default action instead of appending ALLOW 
Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
 2023-03-01 05:36:24 -08:00
Wiktor Garbacz
58c3f80d57 Allow MADV_HUGEPAGE used by tcmalloc 
PiperOrigin-RevId: 501815420
Change-Id: I22d6408e4e6ca375823b7b9448547cc082fe5421
 2023-01-13 04:41:22 -08:00
Sandboxed API Team
1871b173c4 Add __NR_faccessat2 to the list of syscalls allowed by AllowAccess(). 
PiperOrigin-RevId: 500105471
Change-Id: Ic43c608a511617ba9ca8c2cba440cd709ae80a19
 2023-01-06 00:16:46 -08:00
Wiktor Garbacz
2d52191c24 Define PR_SET_VMA* if undefined 
PiperOrigin-RevId: 497161397
Change-Id: I65fc11a7ccf34ffe225a03a0444275145fa43b4f
 2022-12-22 07:39:44 -08:00
Wiktor Garbacz
7625c3dd24 Use AllowDup helper in AddNetworkProxyPolicy 
PiperOrigin-RevId: 496898835
Change-Id: I76968c5c9b25a9e41865b3fad20463661195f581
 2022-12-21 05:36:28 -08:00
Sandboxed API Team
aff27f4559 Update PolicyBuilder to include wrappers for more syscall families that differ between platforms. 
New wrappers:

- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)

Updated wrappers:

- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.

PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
 2022-12-13 09:32:17 -08:00
Wiktor Garbacz
ee58a410d9 Handle S2 unwinding by trapping ptrace 
PiperOrigin-RevId: 491893277
Change-Id: I427a2e485173c73fffead43e29511460c58c4f04
 2022-11-30 06:00:29 -08:00
Christian Blichmann
6fbfb8f9bd Remove Tag constructor, add standard comment for absl::WrapUnique(new T) 
PiperOrigin-RevId: 483654433
Change-Id: I16b058a6b186f764f45bc5540f3f49d5a294ddeb
 2022-10-25 06:20:51 -07:00
Christian Blichmann
4c87556901 Use Abseil's log/flags instead of glog/gflags 
Follow-up changes might be required to fully fix up the contrib sandboxes.

PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
 2022-10-20 06:48:51 -07:00
Christian Blichmann
79b6784b82 #Cleanup: Consistently use std::make_unique 
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
 2022-10-12 05:23:42 -07:00
Christian Blichmann
8de530036f Internal change. 
Some includes may leak to OSS.

PiperOrigin-RevId: 474748898
Change-Id: Iff9dc4f91af211572ff4bbcf57330b36d7a957ab
 2022-09-16 00:37:02 -07:00
Oliver Kunz
598b00103a This change introduces internal experimental support for Android. 
PiperOrigin-RevId: 453669315
Change-Id: I6c3278804071caa2bb347cfeb584975339cb50d5
 2022-06-08 06:51:41 -07:00
Oliver Kunz
546fda8f1e Internal change 
PiperOrigin-RevId: 451384097
Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
 2022-05-27 06:45:58 -07:00
Sandboxed API Team
5513e560eb Add option to block the ptrace system call instead of denying it. 
PiperOrigin-RevId: 451347905
Change-Id: Iaed0f6f116bca3be4e6e7009dddd4dd6267823bb
 2022-05-27 02:57:37 -07:00
Sandboxed API Team
84673bbe3e Allow readlinkat with sanitizers 
Required after https://reviews.llvm.org/D124212

PiperOrigin-RevId: 445551132
Change-Id: I140c67544d0cf18ee6c75aa9407777bd3414d929
 2022-04-29 18:23:59 -07:00
Sandboxed API Team
1db315207a Allow access to /sys/devices/system/cpu/ 
PiperOrigin-RevId: 439506287
Change-Id: I5d41ed234860f02329c960144b1da725e24549dd
 2022-04-05 00:29:08 -07:00
Oliver Kunz
ab9c4afb15 Create a convencience function to set the name of a thread/process 
PiperOrigin-RevId: 436661002
Change-Id: Ia66cef2f3eda829c65bc07e2ac43a0b2c878eb7b
 2022-03-22 23:39:06 -07:00
Sandboxed API Team
df8a2f77eb Automated rollback of commit 809fb49341. 
PiperOrigin-RevId: 436285752
Change-Id: I0607d9db08343e23d22ba9cb945cb6ef74739a14
 2022-03-21 13:09:36 -07:00
Oliver Kunz
809fb49341 Create a convencience function to set the name of a thread/process 
PiperOrigin-RevId: 436215084
Change-Id: I17dc8930a117fe67bd1b87e2ae3d4652875780df
 2022-03-21 08:36:01 -07:00
Wiktor Garbacz
20edaae54f Add an option to allow mount propagation 
PiperOrigin-RevId: 433211924
Change-Id: I653f000d44de10b668b375fd2dfff3c668cbf673
 2022-03-08 08:01:19 -08:00
Wiktor Garbacz
8a5740fbb1 Better handle invalid read-write mounts 
PiperOrigin-RevId: 433136095
Change-Id: I17eb347c0a5cfef5e05c3717dfdd83055d967e35
 2022-03-07 23:57:57 -08:00
Wiktor Garbacz
d1995bdca5 Add a helper for allowing epoll 
PiperOrigin-RevId: 432879710
Change-Id: I7cc991358ce25729b002210a04bacb3ae91d8a1f
 2022-03-07 00:54:21 -08:00
Sandboxed API Team
8e82b900f4 Automated rollback of commit 5f34d11e77. 
PiperOrigin-RevId: 432491462
Change-Id: Id92eabbb140df85b7b48f6f107ef9f44c3c6dff5
 2022-03-04 11:19:19 -08:00
Wiktor Garbacz
5f34d11e77 Add a helper for allowing epoll 
PiperOrigin-RevId: 432387441
Change-Id: I52865ab4abd4ebaf9842859b5f2718b204f4c6ea
 2022-03-04 01:24:55 -08:00
Wiktor Garbacz
1cf2d840dd Add PolicyBuilder::OverridableBlockSyscallWithErrno 
PiperOrigin-RevId: 432201719
Change-Id: I5cac1a03a7ec95598bae87ff13d38e4bedf62beb
 2022-03-03 08:37:04 -08:00
Sandboxed API Team
e1a9513783 Move few policies from tsan to All section. 
munmap is widely used by sanitizer, but it
probably works for Asan/Msan because it's enabled
by unrelated Allow* call.

Move mprotect to shared part as well. It will be
needed for compress_stack_depot.

PiperOrigin-RevId: 431989551
Change-Id: I7695a2de81d8d0b2112d3308778b2e9a9c7cb596
 2022-03-02 11:38:35 -08:00
Sandboxed API Team
9a7ba28ea7 Allow sanitizer to print reports 
PiperOrigin-RevId: 430271415
Change-Id: Ieb23663aa6ff5997ce0a6b1e81dcb2385ac4b509
 2022-02-22 12:33:55 -08:00
Wiktor Garbacz
a2daa0a275 Fix BlockSyscallsWithErrno 
PiperOrigin-RevId: 429982218
Change-Id: I42b187e678542b295542ca44882945c7695178e1
 2022-02-21 00:46:50 -08:00
Christian Blichmann
e8cadf8f7d Allow mprotect(_, _, PROT_READ) for all static binaries 
Newer toolchains/libcs will use this syscall on x86-64 as well.

PiperOrigin-RevId: 428705078
Change-Id: I705efe37db9ebdd922036b39e4fb3c22dc749a1a
 2022-02-15 00:14:25 -08:00
Christian Blichmann
d451478e26 Change license link to HTTPS URL 
PiperOrigin-RevId: 424811734
Change-Id: If5ea692edc56ddc9c99fd478673df41c0246e9cc
 2022-01-28 01:39:09 -08:00
Christian Blichmann
01ffc2a1c2 #Cleanup PolicyBuilder API using absl::Span 
PiperOrigin-RevId: 415979969
Change-Id: I23e00a48ce9ba14c480f8d137c6ae3981a238e13
 2021-12-13 01:31:59 -08:00
Christian Blichmann
354cbe89f9 Add more convenience functions to PolicyBuilder 
- Allow to specify multiple syscalls with `BlockSyscallsWithErrno()`
- Add functions to allow `unlink()` and `rename()` in all their spellings

PiperOrigin-RevId: 414987303
Change-Id: Ic0e680b785e8e3a3498f20e6a7403737e63fe876
 2021-12-08 06:41:21 -08:00
Wiktor Garbacz
8979b47d7f Remove arg filter on rt_sigprocmask in AllowStaticStartup 
PiperOrigin-RevId: 414692179
Change-Id: If2a5f741ad38f626287988911b85bef7a711f80a
 2021-12-07 05:04:01 -08:00
Christian Blichmann
60eb52c17f Explicitly narrow size argument for BPF 
This fixes a build error introduced in 26da6e6b0a.

PiperOrigin-RevId: 414408033
Change-Id: Ic34d5eeba3bb34f9a5ce46a05547129fbab8bce0
 2021-12-06 04:51:28 -08:00
Wiktor Garbacz
2a67805a13 Add prlimit64 to AllowLogForwarding 
PiperOrigin-RevId: 414385430
Change-Id: I4e70d25f886f1ef65fab1b62c67e80eb45407bc7
 2021-12-06 02:19:03 -08:00
Wiktor Garbacz
26da6e6b0a Safer and more efficient custom syscall policies 
Generate syscall jump table without using bpf_helper.
Check that any jump in the user provided policy is within the provided policy.

PiperOrigin-RevId: 409362089
Change-Id: I31493e52cf868e4b184ff79fcb26beeb75f49773
 2021-11-12 02:44:41 -08:00
Wiktor Garbacz
c95837a6c1 Check and limit seccomp policy length. 
PiperOrigin-RevId: 409129756
Change-Id: Ib9937495966f545fb980eba04393db640af2325f
 2021-11-11 06:10:40 -08:00