Commit Graph

71 Commits

Author SHA1 Message Date
Kevin Hamacher
180aa03603 Internal change
PiperOrigin-RevId: 611097384
Change-Id: Ib4189548bc08e12807e74143591c3ff341d105d4
2024-02-28 07:37:06 -08:00
Wiktor Garbacz
008b45c9b7 PolicyBuilder: ignore duplicate calls to more complex helpers
PiperOrigin-RevId: 608318563
Change-Id: I3db1dd4e4a8d83a8069b68f1e84a1a8b7277bcdc
2024-02-19 06:14:02 -08:00
A. Cody Schuffelen
f708270f35 Add DefaultAction(TraceAllSyscalls) variant to PolicyBuilder
This helps write the kind of 'log, but allow' policy described in
[`notify.h`](b9c84a1f75/sandboxed_api/sandbox2/notify.h (L57)) for all system calls not mentioned explicitly. One use case is writing a "permissive mode" runtime to give more information during development.

PiperOrigin-RevId: 603766051
Change-Id: I3c72f433a1e21c330b5dd9f1ede2faa570b75b09
2024-02-02 13:01:37 -08:00
Sandboxed API Team
e5370e93ca Minor cleanups, no functional change.
PiperOrigin-RevId: 594091580
Change-Id: Id870592374069840fedf51cd228c9ed2f84b7542
2023-12-27 13:39:58 -08:00
Wiktor Garbacz
36e4b80f9a Introduce and prefer AllowMmapWithoutExec
PiperOrigin-RevId: 593968486
Change-Id: I4f7d4d8a6f593d94c0a7e7672826074c4cefc230
2023-12-27 02:51:13 -08:00
Wiktor Garbacz
f715bd8ba9 Run more tests with coverage enabled
PiperOrigin-RevId: 561575508
Change-Id: Ifc9a678b6a6cbcd892a1f8710b941514eb1d9764
2023-08-31 00:44:23 -07:00
Wiktor Garbacz
127176d72f Bulk IWYU and build_cleaner fixes
PiperOrigin-RevId: 559733768
Change-Id: Ia38f4c176e9f0abbfdb3a8f1109f482d8870eb0f
2023-08-24 06:23:36 -07:00
Wiktor Garbacz
f0e85cea13 Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced
Use the new interface in AllowRestartableSequences.

PiperOrigin-RevId: 548619728
Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f
2023-07-17 01:58:46 -07:00
Sandboxed API Team
cf43c0f02c Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc
PiperOrigin-RevId: 540905937
Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db
2023-06-16 09:34:07 -07:00
Oliver Kunz
9ab20c5411 Implements the ability to control who is allowed to enable unrestricted networking.
PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
2023-05-03 23:29:34 -07:00
Sandboxed API Team
18894d57f9 Add a helper method to allow the eventfd* family of syscalls.
PiperOrigin-RevId: 518565738
Change-Id: I2a3efe069ab1da65dd5f7cdcd3762637b7274b49
2023-03-22 07:46:56 -07:00
Wiktor Garbacz
550b26587f Implement DangerDefaultAllowAll using DefaultAction(AllowAllSyscalls())
PiperOrigin-RevId: 513861597
Change-Id: I6e4038648a005bbe57ca33a4c0466f5af2184da8
2023-03-03 10:26:32 -08:00
Wiktor Garbacz
5a8a25e9ac Change the default action instead of appending ALLOW
Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
2023-03-01 05:36:24 -08:00
Sandboxed API Team
aff27f4559 Update PolicyBuilder to include wrappers for more syscall families that differ between platforms.
New wrappers:

- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)

Updated wrappers:

- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.

PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
2022-12-13 09:32:17 -08:00
Wiktor Garbacz
ee58a410d9 Handle S2 unwinding by trapping ptrace
PiperOrigin-RevId: 491893277
Change-Id: I427a2e485173c73fffead43e29511460c58c4f04
2022-11-30 06:00:29 -08:00
Christian Blichmann
4c87556901 Use Abseil's log/flags instead of glog/gflags
Follow-up changes might be required to fully fix up the contrib sandboxes.

PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
2022-10-20 06:48:51 -07:00
Christian Blichmann
79b6784b82 #Cleanup: Consistently use std::make_unique
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
2022-10-12 05:23:42 -07:00
Oliver Kunz
546fda8f1e Internal change
PiperOrigin-RevId: 451384097
Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
2022-05-27 06:45:58 -07:00
Sandboxed API Team
5513e560eb Add option to block the ptrace system call instead of denying it.
PiperOrigin-RevId: 451347905
Change-Id: Iaed0f6f116bca3be4e6e7009dddd4dd6267823bb
2022-05-27 02:57:37 -07:00
Sandboxed API Team
65487bca39 Fix typo.
PiperOrigin-RevId: 451345082
Change-Id: Id443348448fa4cb6e682d18be64d39e363e20e0c
2022-05-27 02:42:14 -07:00
Sandboxed API Team
1db315207a Allow access to /sys/devices/system/cpu/
PiperOrigin-RevId: 439506287
Change-Id: I5d41ed234860f02329c960144b1da725e24549dd
2022-04-05 00:29:08 -07:00
Oliver Kunz
ab9c4afb15 Create a convencience function to set the name of a thread/process
PiperOrigin-RevId: 436661002
Change-Id: Ia66cef2f3eda829c65bc07e2ac43a0b2c878eb7b
2022-03-22 23:39:06 -07:00
Sandboxed API Team
df8a2f77eb Automated rollback of commit 809fb49341.
PiperOrigin-RevId: 436285752
Change-Id: I0607d9db08343e23d22ba9cb945cb6ef74739a14
2022-03-21 13:09:36 -07:00
Oliver Kunz
809fb49341 Create a convencience function to set the name of a thread/process
PiperOrigin-RevId: 436215084
Change-Id: I17dc8930a117fe67bd1b87e2ae3d4652875780df
2022-03-21 08:36:01 -07:00
Wiktor Garbacz
20edaae54f Add an option to allow mount propagation
PiperOrigin-RevId: 433211924
Change-Id: I653f000d44de10b668b375fd2dfff3c668cbf673
2022-03-08 08:01:19 -08:00
Wiktor Garbacz
d1995bdca5 Add a helper for allowing epoll
PiperOrigin-RevId: 432879710
Change-Id: I7cc991358ce25729b002210a04bacb3ae91d8a1f
2022-03-07 00:54:21 -08:00
Sandboxed API Team
8e82b900f4 Automated rollback of commit 5f34d11e77.
PiperOrigin-RevId: 432491462
Change-Id: Id92eabbb140df85b7b48f6f107ef9f44c3c6dff5
2022-03-04 11:19:19 -08:00
Wiktor Garbacz
5f34d11e77 Add a helper for allowing epoll
PiperOrigin-RevId: 432387441
Change-Id: I52865ab4abd4ebaf9842859b5f2718b204f4c6ea
2022-03-04 01:24:55 -08:00
Wiktor Garbacz
1cf2d840dd Add PolicyBuilder::OverridableBlockSyscallWithErrno
PiperOrigin-RevId: 432201719
Change-Id: I5cac1a03a7ec95598bae87ff13d38e4bedf62beb
2022-03-03 08:37:04 -08:00
Christian Blichmann
d451478e26 Change license link to HTTPS URL
PiperOrigin-RevId: 424811734
Change-Id: If5ea692edc56ddc9c99fd478673df41c0246e9cc
2022-01-28 01:39:09 -08:00
Copybara-Service
cc6a1114d5 Merge pull request #84 from Vincenzo-Petrolo:main
PiperOrigin-RevId: 424301145
Change-Id: I0336c5ffc2eeefe0ccecb7595b0881df23390bf6
2022-01-26 03:00:06 -08:00
Christian Blichmann
11619a08f4 Remove SyscallInitializer
PiperOrigin-RevId: 416231431
Change-Id: I83575ee3a51c348912f3d13db600d104ee927265
2021-12-14 00:45:27 -08:00
Christian Blichmann
01ffc2a1c2 #Cleanup PolicyBuilder API using absl::Span
PiperOrigin-RevId: 415979969
Change-Id: I23e00a48ce9ba14c480f8d137c6ae3981a238e13
2021-12-13 01:31:59 -08:00
Christian Blichmann
354cbe89f9 Add more convenience functions to PolicyBuilder
- Allow to specify multiple syscalls with `BlockSyscallsWithErrno()`
- Add functions to allow `unlink()` and `rename()` in all their spellings

PiperOrigin-RevId: 414987303
Change-Id: Ic0e680b785e8e3a3498f20e6a7403737e63fe876
2021-12-08 06:41:21 -08:00
Wiktor Garbacz
245a8c7650 Remove deprecated AddTmpfs
PiperOrigin-RevId: 414387983
Change-Id: I872c2f3bc1ccaf7a20d7ab97a5cb104d4f096a3f
2021-12-06 02:36:02 -08:00
Wiktor Garbacz
c95837a6c1 Check and limit seccomp policy length.
PiperOrigin-RevId: 409129756
Change-Id: Ib9937495966f545fb980eba04393db640af2325f
2021-11-11 06:10:40 -08:00
Christian Blichmann
289adcff06 Internal change.
For OSS, this change should be mostly a no-op. Visible edits are due to
changed order of code and/or includes.

PiperOrigin-RevId: 394177395
Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
2021-09-01 01:28:19 -07:00
Wiktor Garbacz
59f5fa8042 Allow collecting stacktraces on normal process exit
This mainly a debugging facility.
It makes diagnosing problems where sandboxed process just randomly exits whereas unsandboxed one runs to completion due to differences in the setup/environment much easier.

PiperOrigin-RevId: 391005548
Change-Id: Ia19fe6632748da93c1f4291bb55e895f50a4e2b0
2021-08-16 03:13:15 -07:00
Christian Blichmann
f14aeee0ad Internal change.
PiperOrigin-RevId: 387565158
Change-Id: I7b5293b614fae74abae1f9a347b0ef414028b8ea
2021-07-29 05:52:19 -07:00
Paul Wankadia
bb6ae1d4ab Introduce AllowRestartableSequencesWithProcFiles() and tidy up.
1. In many cases, sandboxes need to allow /proc/stat and /proc/cpuinfo so that
get_nprocs(3) will work; otherwise, per-CPU logic can't determine how many CPUs
there are. Unfortunately, some of those sandboxes also disable namespaces. The
solution is to provide two functions: AllowRestartableSequencesWithProcFiles(),
which allows syscalls and files; and AllowRestartableSequences(), which allows
syscalls only. Sandboxes should usually call the former; sandboxes that disable
namespaces should instead call the latter and are responsible for allowing the
files via the deprecated Fs mechanism.

2. Make the mmap(2) policy evaluate prot AND flags, not prot OR flags.

3. Order the code and the comments identically for better readability.

PiperOrigin-RevId: 386414028
Change-Id: I016b1854ed1da9c9bcff7b351c5e0041093b8193
2021-07-23 02:23:22 -07:00
Christian Blichmann
ab469deac3 Internal change
PiperOrigin-RevId: 374874118
Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63
2021-05-20 08:17:10 -07:00
Martijn Vels
2efaa463c9 Implement enabling RSEQ inside AllowTcMalloc in terms of AllowRestartableSequences()
PiperOrigin-RevId: 368208391
Change-Id: Ie1204cb3a0824ebe54b770e2669ae31f7932ed51
2021-04-13 07:14:55 -07:00
Vincenzo Petrolo
34dcd72d7d
fix typo
Signed-off-by: Vincenzo Petrolo <vincenzo@kernel-space.org>
2021-03-22 13:08:58 +01:00
Martijn Vels
753eacd314 Reduce requirements for restartable sequences
PiperOrigin-RevId: 361780465
Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
2021-03-09 04:33:29 -08:00
Martijn Vels
b30d56e871 Add policy helper to allow restartable sequences
PiperOrigin-RevId: 360266444
Change-Id: I0a3d2d071972bf7d6e7114a428c6954ed4bcef5c
2021-03-01 13:39:42 -08:00
Sandboxed API Team
3323ddc129 Permit sandboxee's bpf() to fail
The default policy causes immediate termination of a sandboxee that
calls `bpf`(2).

This does not allow for try-call use of `bpf()` to test for optional
features.

To support such try-call use cases, sandboxes would like to say:

```
  sandbox2::PolicyBuilder builder;
  builder.BlockSyscallWithErrno(__NR_bpf, EPERM);
```

but this doesn't work because the default policy unconditionally treats
`bpf()` as a sandbox violation.

Remove the bpf violation check from the policy if `bpf()` is explicitly
blocked with an errno.

PiperOrigin-RevId: 345239389
Change-Id: I7fcfd3a938c610c8679edf8e1fa0238b32cc9db4
2020-12-02 08:38:32 -08:00
Wiktor Garbacz
5fb18d3c9d Add policy on both mmap & mmap2
PiperOrigin-RevId: 341007959
Change-Id: I3c2e74cc973d2603cf7b3a858fa8aabd05c41137
2020-11-06 01:30:18 -08:00
Christian Blichmann
2acec65a58 Add an AllowAccess() convenience function to PolicyBuilder
Drive-by: Apply convenience functions in policies.
PiperOrigin-RevId: 340404977
Change-Id: I906106b61c1837d23ddaff15d8792ec79d3d3189
2020-11-03 02:21:21 -08:00
Christian Blichmann
6a1e4b881c Introduce config header to centralize CPU architecture checks
This allows us to remove some uses of macros.

Related changes:
- Make it clear that we support hosting sandboxed binaries from 64-bit
  processes only. CPU architectures are x86-64 and POWER64 (little endian).
- Introduced CPU architecture macros, abstracting away compiler specifics

PiperOrigin-RevId: 330918134
Change-Id: Ife7ad5f14723eec9f68055127b0583b8aecd38dd
2020-09-10 05:48:00 -07:00
Sandboxed API Team
23da55c19a Internal BUILD refactoring
PiperOrigin-RevId: 329720214
Change-Id: I25fbb94dea17db3bdca6438d17508fa304d9706f
2020-09-03 07:40:33 -07:00