Wiktor Garbacz
01e14e0bb7
Fix bypass for enabling ptrace
/bpf
...
PiperOrigin-RevId: 555847265
Change-Id: I671c0650caeefaac590d3d0030ff90e18fda6bbd
2023-08-11 01:34:27 -07:00
Wiktor Garbacz
3079d2b4e0
Make Policy a simple copyable type
...
PiperOrigin-RevId: 555146979
Change-Id: I83d7260d65d4291c418e6c8e80385cbdc8fbc758
2023-08-09 06:44:22 -07:00
Wiktor Garbacz
48bbb06fe7
Move log warning about non-namespaced stacktraces
...
PiperOrigin-RevId: 554493643
Change-Id: I27755322edcd7c0191cd125ec8ffdace18a6460c
2023-08-07 09:07:06 -07:00
Sandboxed API Team
0a0ac6a66b
Automated rollback of commit 4d625e521b
.
...
PiperOrigin-RevId: 553536999
Change-Id: If6ae319e54a3ea5eb88e00888044ba1088bd62d2
2023-08-03 11:23:05 -07:00
Wiktor Garbacz
4d625e521b
Move log warning about non-namespaced stacktraces
...
PiperOrigin-RevId: 553472372
Change-Id: Iba43cba78edd1826afb29f49a7e08e919554ed80
2023-08-03 07:37:54 -07:00
Oliver Kunz
04ed89906b
Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers.
...
In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy.
The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers.
PiperOrigin-RevId: 550845188
Change-Id: I151d467848983b00b71ec8447d662394fa7176db
2023-07-25 04:38:43 -07:00
Wiktor Garbacz
9d1d4b7fd3
Disallow AddPolicyForSyscalls with an empty list
...
PiperOrigin-RevId: 549887306
Change-Id: I05a97b39a2c92ad5ab2002c7af7e83a8184392cf
2023-07-21 02:24:44 -07:00
Chris Kennelly
4ba75ea0a2
Allow TCMalloc users access to the possible cpus list.
...
This is to facilitate online/offline core counting for an accurate count of the
maximum CPU ID that may be seen.
PiperOrigin-RevId: 548715133
Change-Id: I159c0d51b9800fa633172986ba4f8eca352ae336
2023-07-17 09:31:22 -07:00
Wiktor Garbacz
f0e85cea13
Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced
...
Use the new interface in AllowRestartableSequences.
PiperOrigin-RevId: 548619728
Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f
2023-07-17 01:58:46 -07:00
Sandboxed API Team
cf43c0f02c
Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc
...
PiperOrigin-RevId: 540905937
Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db
2023-06-16 09:34:07 -07:00
Oliver Kunz
9ab20c5411
Implements the ability to control who is allowed to enable unrestricted networking.
...
PiperOrigin-RevId: 529309275
Change-Id: Icd88a4469b0c36af96638d44f9e909085c7120d5
2023-05-03 23:29:34 -07:00
Sandboxed API Team
18894d57f9
Add a helper method to allow the eventfd* family of syscalls.
...
PiperOrigin-RevId: 518565738
Change-Id: I2a3efe069ab1da65dd5f7cdcd3762637b7274b49
2023-03-22 07:46:56 -07:00
Sandboxed API Team
80cc894c39
Allow sched_getaffinity with sanitizers
...
PiperOrigin-RevId: 515024410
Change-Id: I7c48d701b0c3ecab41c3363f8cb46a1c8fa6d97e
2023-03-08 06:51:19 -08:00
Wiktor Garbacz
550b26587f
Implement DangerDefaultAllowAll using DefaultAction(AllowAllSyscalls())
...
PiperOrigin-RevId: 513861597
Change-Id: I6e4038648a005bbe57ca33a4c0466f5af2184da8
2023-03-03 10:26:32 -08:00
Wiktor Garbacz
5a8a25e9ac
Change the default action instead of appending ALLOW
...
Also create a visibility restricted version of the function.
PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
2023-03-01 05:36:24 -08:00
Wiktor Garbacz
58c3f80d57
Allow MADV_HUGEPAGE used by tcmalloc
...
PiperOrigin-RevId: 501815420
Change-Id: I22d6408e4e6ca375823b7b9448547cc082fe5421
2023-01-13 04:41:22 -08:00
Sandboxed API Team
1871b173c4
Add __NR_faccessat2 to the list of syscalls allowed by AllowAccess().
...
PiperOrigin-RevId: 500105471
Change-Id: Ic43c608a511617ba9ca8c2cba440cd709ae80a19
2023-01-06 00:16:46 -08:00
Wiktor Garbacz
2d52191c24
Define PR_SET_VMA* if undefined
...
PiperOrigin-RevId: 497161397
Change-Id: I65fc11a7ccf34ffe225a03a0444275145fa43b4f
2022-12-22 07:39:44 -08:00
Wiktor Garbacz
7625c3dd24
Use AllowDup helper in AddNetworkProxyPolicy
...
PiperOrigin-RevId: 496898835
Change-Id: I76968c5c9b25a9e41865b3fad20463661195f581
2022-12-21 05:36:28 -08:00
Sandboxed API Team
aff27f4559
Update PolicyBuilder to include wrappers for more syscall families that differ between platforms.
...
New wrappers:
- `AllowEpollWait` (`epoll_wait`, `epoll_pwait`, `epoll_pwait2`)
- `AllowInotifyInit` (`inotify_init`, `inotify_init1`)
- `AllowSelect` (`select`, `pselect6`)
- `AllowDup` (`dup`, `dup2`, `dup3`)
- `AllowPipe` (`pipe`, `pipe2`)
- `AllowChmod` (`chmod`, `fchmod`, `fchmodat`)
- `AllowChown` (`chown`, `lchown`, `fchown`, `fchownat`)
- `AllowReadlink` (`readlink`, `readlinkat`)
- `AllowLink` (`link`, `linkat`)
- `AllowSymlink` (`symlink`, `symlinkat`)
- `AllowMkdir` (`mkdir`, `mkdirat`)
- `AllowUtime` (`utime`, `utimes`, `futimens`, `utimensat`)
- `AllowAlarm` (`alarm`, `setitimer`)
- `AllowGetPGIDs` (`getpgid`, `getpgrp`)
- `AllowPoll` (`poll`, `ppoll`)
Updated wrappers:
- `AllowOpen` now includes `creat`. `openat` already grants the ability to create files, and is the designated replacement for `creat` on newer platforms.
- `AllowStat` now includes `fstatfs` and `fstatfs64`. The comment already claimed that these syscalls were included; I believe they were omitted by accident.
- `AllowUnlink` now includes `rmdir`. `unlinkat` already grants the ability to remove empty directories, and is the designated replacement for `rmdir` on newer platforms.
PiperOrigin-RevId: 495045432
Change-Id: I41eccb74fda250b27586b6b7fe4c480332e48846
2022-12-13 09:32:17 -08:00
Wiktor Garbacz
ee58a410d9
Handle S2 unwinding by trapping ptrace
...
PiperOrigin-RevId: 491893277
Change-Id: I427a2e485173c73fffead43e29511460c58c4f04
2022-11-30 06:00:29 -08:00
Christian Blichmann
6fbfb8f9bd
Remove Tag
constructor, add standard comment for absl::WrapUnique(new T)
...
PiperOrigin-RevId: 483654433
Change-Id: I16b058a6b186f764f45bc5540f3f49d5a294ddeb
2022-10-25 06:20:51 -07:00
Christian Blichmann
4c87556901
Use Abseil's log/flags instead of glog/gflags
...
Follow-up changes might be required to fully fix up the contrib sandboxes.
PiperOrigin-RevId: 482475998
Change-Id: Iff631eb838a024b2f047a1be61bb27e35a8ff2f4
2022-10-20 06:48:51 -07:00
Christian Blichmann
79b6784b82
#Cleanup: Consistently use std::make_unique
...
PiperOrigin-RevId: 480597371
Change-Id: I145586382ad7a7694384cc672986132376a47465
2022-10-12 05:23:42 -07:00
Christian Blichmann
8de530036f
Internal change.
...
Some includes may leak to OSS.
PiperOrigin-RevId: 474748898
Change-Id: Iff9dc4f91af211572ff4bbcf57330b36d7a957ab
2022-09-16 00:37:02 -07:00
Oliver Kunz
598b00103a
This change introduces internal experimental support for Android.
...
PiperOrigin-RevId: 453669315
Change-Id: I6c3278804071caa2bb347cfeb584975339cb50d5
2022-06-08 06:51:41 -07:00
Oliver Kunz
546fda8f1e
Internal change
...
PiperOrigin-RevId: 451384097
Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
2022-05-27 06:45:58 -07:00
Sandboxed API Team
5513e560eb
Add option to block the ptrace system call instead of denying it.
...
PiperOrigin-RevId: 451347905
Change-Id: Iaed0f6f116bca3be4e6e7009dddd4dd6267823bb
2022-05-27 02:57:37 -07:00
Sandboxed API Team
84673bbe3e
Allow readlinkat with sanitizers
...
Required after https://reviews.llvm.org/D124212
PiperOrigin-RevId: 445551132
Change-Id: I140c67544d0cf18ee6c75aa9407777bd3414d929
2022-04-29 18:23:59 -07:00
Sandboxed API Team
1db315207a
Allow access to /sys/devices/system/cpu/
...
PiperOrigin-RevId: 439506287
Change-Id: I5d41ed234860f02329c960144b1da725e24549dd
2022-04-05 00:29:08 -07:00
Oliver Kunz
ab9c4afb15
Create a convencience function to set the name of a thread/process
...
PiperOrigin-RevId: 436661002
Change-Id: Ia66cef2f3eda829c65bc07e2ac43a0b2c878eb7b
2022-03-22 23:39:06 -07:00
Sandboxed API Team
df8a2f77eb
Automated rollback of commit 809fb49341
.
...
PiperOrigin-RevId: 436285752
Change-Id: I0607d9db08343e23d22ba9cb945cb6ef74739a14
2022-03-21 13:09:36 -07:00
Oliver Kunz
809fb49341
Create a convencience function to set the name of a thread/process
...
PiperOrigin-RevId: 436215084
Change-Id: I17dc8930a117fe67bd1b87e2ae3d4652875780df
2022-03-21 08:36:01 -07:00
Wiktor Garbacz
20edaae54f
Add an option to allow mount propagation
...
PiperOrigin-RevId: 433211924
Change-Id: I653f000d44de10b668b375fd2dfff3c668cbf673
2022-03-08 08:01:19 -08:00
Wiktor Garbacz
8a5740fbb1
Better handle invalid read-write mounts
...
PiperOrigin-RevId: 433136095
Change-Id: I17eb347c0a5cfef5e05c3717dfdd83055d967e35
2022-03-07 23:57:57 -08:00
Wiktor Garbacz
d1995bdca5
Add a helper for allowing epoll
...
PiperOrigin-RevId: 432879710
Change-Id: I7cc991358ce25729b002210a04bacb3ae91d8a1f
2022-03-07 00:54:21 -08:00
Sandboxed API Team
8e82b900f4
Automated rollback of commit 5f34d11e77
.
...
PiperOrigin-RevId: 432491462
Change-Id: Id92eabbb140df85b7b48f6f107ef9f44c3c6dff5
2022-03-04 11:19:19 -08:00
Wiktor Garbacz
5f34d11e77
Add a helper for allowing epoll
...
PiperOrigin-RevId: 432387441
Change-Id: I52865ab4abd4ebaf9842859b5f2718b204f4c6ea
2022-03-04 01:24:55 -08:00
Wiktor Garbacz
1cf2d840dd
Add PolicyBuilder::OverridableBlockSyscallWithErrno
...
PiperOrigin-RevId: 432201719
Change-Id: I5cac1a03a7ec95598bae87ff13d38e4bedf62beb
2022-03-03 08:37:04 -08:00
Sandboxed API Team
e1a9513783
Move few policies from tsan to All section.
...
munmap is widely used by sanitizer, but it
probably works for Asan/Msan because it's enabled
by unrelated Allow* call.
Move mprotect to shared part as well. It will be
needed for compress_stack_depot.
PiperOrigin-RevId: 431989551
Change-Id: I7695a2de81d8d0b2112d3308778b2e9a9c7cb596
2022-03-02 11:38:35 -08:00
Sandboxed API Team
9a7ba28ea7
Allow sanitizer to print reports
...
PiperOrigin-RevId: 430271415
Change-Id: Ieb23663aa6ff5997ce0a6b1e81dcb2385ac4b509
2022-02-22 12:33:55 -08:00
Wiktor Garbacz
a2daa0a275
Fix BlockSyscallsWithErrno
...
PiperOrigin-RevId: 429982218
Change-Id: I42b187e678542b295542ca44882945c7695178e1
2022-02-21 00:46:50 -08:00
Christian Blichmann
e8cadf8f7d
Allow mprotect(_, _, PROT_READ)
for all static binaries
...
Newer toolchains/libcs will use this syscall on x86-64 as well.
PiperOrigin-RevId: 428705078
Change-Id: I705efe37db9ebdd922036b39e4fb3c22dc749a1a
2022-02-15 00:14:25 -08:00
Christian Blichmann
d451478e26
Change license link to HTTPS URL
...
PiperOrigin-RevId: 424811734
Change-Id: If5ea692edc56ddc9c99fd478673df41c0246e9cc
2022-01-28 01:39:09 -08:00
Christian Blichmann
01ffc2a1c2
#Cleanup PolicyBuilder API using absl::Span
...
PiperOrigin-RevId: 415979969
Change-Id: I23e00a48ce9ba14c480f8d137c6ae3981a238e13
2021-12-13 01:31:59 -08:00
Christian Blichmann
354cbe89f9
Add more convenience functions to PolicyBuilder
...
- Allow to specify multiple syscalls with `BlockSyscallsWithErrno()`
- Add functions to allow `unlink()` and `rename()` in all their spellings
PiperOrigin-RevId: 414987303
Change-Id: Ic0e680b785e8e3a3498f20e6a7403737e63fe876
2021-12-08 06:41:21 -08:00
Wiktor Garbacz
8979b47d7f
Remove arg filter on rt_sigprocmask
in AllowStaticStartup
...
PiperOrigin-RevId: 414692179
Change-Id: If2a5f741ad38f626287988911b85bef7a711f80a
2021-12-07 05:04:01 -08:00
Christian Blichmann
60eb52c17f
Explicitly narrow size argument for BPF
...
This fixes a build error introduced in 26da6e6b0a
.
PiperOrigin-RevId: 414408033
Change-Id: Ic34d5eeba3bb34f9a5ce46a05547129fbab8bce0
2021-12-06 04:51:28 -08:00
Wiktor Garbacz
2a67805a13
Add prlimit64 to AllowLogForwarding
...
PiperOrigin-RevId: 414385430
Change-Id: I4e70d25f886f1ef65fab1b62c67e80eb45407bc7
2021-12-06 02:19:03 -08:00
Wiktor Garbacz
26da6e6b0a
Safer and more efficient custom syscall policies
...
Generate syscall jump table without using bpf_helper.
Check that any jump in the user provided policy is within the provided policy.
PiperOrigin-RevId: 409362089
Change-Id: I31493e52cf868e4b184ff79fcb26beeb75f49773
2021-11-12 02:44:41 -08:00