• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 // The sandbox2::Policy class provides methods for manipulating seccomp-bpf
16 // syscall policies.
17 
18 #ifndef SANDBOXED_API_SANDBOX2_POLICY_H_
19 #define SANDBOXED_API_SANDBOX2_POLICY_H_
20 
21 #include <linux/bpf_common.h>
22 #include <linux/filter.h>   // IWYU pragma: export
23 #include <linux/seccomp.h>  // IWYU pragma: export
24 
25 #include <cstdint>
26 #include <optional>
27 #include <vector>
28 
29 #include "sandboxed_api/sandbox2/namespace.h"
30 #include "sandboxed_api/sandbox2/network_proxy/filtering.h"
31 #include "sandboxed_api/sandbox2/syscall.h"  // IWYU pragma: export
32 
33 #define SANDBOX2_TRACE         \
34   BPF_STMT(BPF_RET + BPF_K,    \
35            SECCOMP_RET_TRACE | \
36                (::sandbox2::Syscall::GetHostArch() & SECCOMP_RET_DATA))
37 
38 namespace sandbox2 {
39 
40 namespace internal {
41 // Magic values of registers when executing sys_execveat, so we can recognize
42 // the pre-sandboxing state and notify the Monitor
43 inline constexpr uintptr_t kExecveMagic = 0x921c2c34;
44 }  // namespace internal
45 
46 class MonitorBase;
47 class PolicyBuilder;
48 
49 class Policy final {
50  public:
51   Policy(const Policy&) = default;
52   Policy& operator=(const Policy&) = default;
53 
54   Policy(Policy&&) = delete;
55   Policy& operator=(Policy&&) = delete;
56 
57   // Returns the policy, but modifies it according to FLAGS and internal
58   // requirements (message passing via Comms, Executor::WaitForExecve etc.).
59   std::vector<sock_filter> GetPolicy(bool user_notif) const;
60 
GetNamespace()61   const std::optional<Namespace>& GetNamespace() const { return namespace_; }
GetNamespaceOrNull()62   const Namespace* GetNamespaceOrNull() const {
63     return namespace_ ? &namespace_.value() : nullptr;
64   }
65 
66   // Returns the default policy, which blocks certain dangerous syscalls and
67   // mismatched syscall tables.
68   std::vector<sock_filter> GetDefaultPolicy(bool user_notif) const;
69   // Returns a policy allowing the Monitor module to track all syscalls.
70   std::vector<sock_filter> GetTrackingPolicy() const;
71 
collect_stacktrace_on_signal()72   bool collect_stacktrace_on_signal() const {
73     return collect_stacktrace_on_signal_;
74   }
75 
collect_stacktrace_on_exit()76   bool collect_stacktrace_on_exit() const {
77     return collect_stacktrace_on_exit_;
78   }
79 
80  private:
81   friend class PolicyBuilder;
82   friend class MonitorBase;
83 
84   // Private constructor only called by the PolicyBuilder.
85   Policy() = default;
86 
87   // The Namespace object, defines ways of putting sandboxee into namespaces.
88   std::optional<Namespace> namespace_;
89 
90   // Gather stack traces on violations, signals, timeouts or when getting
91   // killed. See policybuilder.h for more information.
92   bool collect_stacktrace_on_violation_ = true;
93   bool collect_stacktrace_on_signal_ = true;
94   bool collect_stacktrace_on_timeout_ = true;
95   bool collect_stacktrace_on_kill_ = true;
96   bool collect_stacktrace_on_exit_ = false;
97 
98   bool allow_map_exec_ = false;
99   bool allow_speculation_ = false;
100 
101   // The policy set by the user.
102   std::vector<sock_filter> user_policy_;
103   bool user_policy_handles_bpf_ = false;
104   bool user_policy_handles_ptrace_ = false;
105 
106   // Contains a list of hosts the sandboxee is allowed to connect to.
107   std::optional<AllowedHosts> allowed_hosts_;
108 };
109 
110 }  // namespace sandbox2
111 
112 #endif  // SANDBOXED_API_SANDBOX2_POLICY_H_
113