mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
f708270f35
This helps write the kind of 'log, but allow' policy described in
[`notify.h`](b9c84a1f75/sandboxed_api/sandbox2/notify.h (L57)
) for all system calls not mentioned explicitly. One use case is writing a "permissive mode" runtime to give more information during development.
PiperOrigin-RevId: 603766051
Change-Id: I3c72f433a1e21c330b5dd9f1ede2faa570b75b09
148 lines
5.1 KiB
C++
148 lines
5.1 KiB
C++
// Copyright 2019 Google LLC
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// https://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
#include "sandboxed_api/sandbox2/notify.h"
|
|
|
|
#include <sys/types.h>
|
|
#include <syscall.h>
|
|
|
|
#include <memory>
|
|
#include <string>
|
|
#include <utility>
|
|
#include <vector>
|
|
|
|
#include "gmock/gmock.h"
|
|
#include "gtest/gtest.h"
|
|
#include "absl/log/log.h"
|
|
#include "absl/strings/str_join.h"
|
|
#include "absl/strings/string_view.h"
|
|
#include "sandboxed_api/sandbox2/comms.h"
|
|
#include "sandboxed_api/sandbox2/executor.h"
|
|
#include "sandboxed_api/sandbox2/policy.h"
|
|
#include "sandboxed_api/sandbox2/policybuilder.h"
|
|
#include "sandboxed_api/sandbox2/sandbox2.h"
|
|
#include "sandboxed_api/sandbox2/syscall.h"
|
|
#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
|
|
#include "sandboxed_api/testing.h"
|
|
|
|
namespace sandbox2 {
|
|
namespace {
|
|
|
|
using ::sapi::CreateDefaultPermissiveTestPolicy;
|
|
using ::sapi::GetTestSourcePath;
|
|
using ::testing::Eq;
|
|
|
|
// Allow typical syscalls and call SECCOMP_RET_TRACE for personality syscall,
|
|
// chosen because unlikely to be called by a regular program.
|
|
std::unique_ptr<Policy> NotifyTestcasePolicy(absl::string_view path) {
|
|
return CreateDefaultPermissiveTestPolicy(path)
|
|
.AddPolicyOnSyscall(__NR_personality, {SANDBOX2_TRACE})
|
|
.BuildOrDie();
|
|
}
|
|
|
|
// If syscall and its arguments don't match the expected ones, return the
|
|
// opposite of the requested values (allow/disallow) to indicate an error.
|
|
class PersonalityNotify : public Notify {
|
|
public:
|
|
explicit PersonalityNotify(bool allow) : allow_(allow) {}
|
|
|
|
bool EventSyscallTrap(const Syscall& syscall) override {
|
|
if (syscall.nr() != __NR_personality) {
|
|
LOG(ERROR) << "kSyscall==" << syscall.nr();
|
|
return (!allow_);
|
|
}
|
|
Syscall::Args expected_args = {0x1, 0x2, 0x3, 0x4, 0x5, 0x6};
|
|
if (syscall.args() != expected_args) {
|
|
LOG(ERROR) << "args=={" << absl::StrJoin(syscall.args(), ", ") << "}";
|
|
return (!allow_);
|
|
}
|
|
return allow_;
|
|
}
|
|
|
|
private:
|
|
// The intended return value from EventSyscallTrap in case all registers
|
|
// match.
|
|
bool allow_;
|
|
};
|
|
|
|
// Print the newly created PID, and exchange data over Comms before sandboxing.
|
|
class PidCommsNotify : public Notify {
|
|
public:
|
|
bool EventStarted(pid_t pid, Comms* comms) final {
|
|
LOG(INFO) << "The newly created PID: " << pid;
|
|
bool v;
|
|
return comms->RecvBool(&v);
|
|
}
|
|
};
|
|
|
|
// Test EventSyscallTrap on personality syscall and allow it.
|
|
TEST(NotifyTest, AllowPersonality) {
|
|
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
|
|
std::vector<std::string> args = {path};
|
|
Sandbox2 s2(std::make_unique<Executor>(path, args),
|
|
NotifyTestcasePolicy(path),
|
|
std::make_unique<PersonalityNotify>(/*allow=*/true));
|
|
auto result = s2.Run();
|
|
|
|
ASSERT_THAT(result.final_status(), Eq(Result::OK));
|
|
EXPECT_THAT(result.reason_code(), Eq(22));
|
|
}
|
|
|
|
// Test EventSyscallTrap on personality syscall and disallow it.
|
|
TEST(NotifyTest, DisallowPersonality) {
|
|
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
|
|
std::vector<std::string> args = {path};
|
|
Sandbox2 s2(std::make_unique<Executor>(path, args),
|
|
NotifyTestcasePolicy(path),
|
|
std::make_unique<PersonalityNotify>(/*allow=*/false));
|
|
auto result = s2.Run();
|
|
|
|
ASSERT_THAT(result.final_status(), Eq(Result::VIOLATION));
|
|
EXPECT_THAT(result.reason_code(), Eq(__NR_personality));
|
|
}
|
|
|
|
// Test EventStarted by exchanging data after started but before sandboxed.
|
|
TEST(NotifyTest, PrintPidAndComms) {
|
|
const std::string path = GetTestSourcePath("sandbox2/testcases/pidcomms");
|
|
std::vector<std::string> args = {path};
|
|
auto executor = std::make_unique<Executor>(path, args);
|
|
executor->set_enable_sandbox_before_exec(false);
|
|
|
|
Sandbox2 s2(std::move(executor), NotifyTestcasePolicy(path),
|
|
std::make_unique<PidCommsNotify>());
|
|
auto result = s2.Run();
|
|
|
|
ASSERT_THAT(result.final_status(), Eq(Result::OK));
|
|
EXPECT_THAT(result.reason_code(), Eq(33));
|
|
}
|
|
|
|
// Test EventSyscallTrap on personality syscall through TraceAllSyscalls
|
|
TEST(NotifyTest, TraceAllAllowPersonality) {
|
|
const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
|
|
std::vector<std::string> args = {path};
|
|
auto policy = CreateDefaultPermissiveTestPolicy(path)
|
|
.DefaultAction(TraceAllSyscalls())
|
|
.BuildOrDie();
|
|
Sandbox2 s2(std::make_unique<Executor>(path, args),
|
|
NotifyTestcasePolicy(path),
|
|
std::make_unique<PersonalityNotify>(/*allow=*/true));
|
|
auto result = s2.Run();
|
|
|
|
ASSERT_THAT(result.final_status(), Eq(Result::OK));
|
|
EXPECT_THAT(result.reason_code(), Eq(22));
|
|
}
|
|
|
|
} // namespace
|
|
} // namespace sandbox2
|