1 /*
2 * Copyright (C) 2024 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include "host/commands/process_sandboxer/policies.h"
17
18 #include <linux/prctl.h>
19 #include <sys/mman.h>
20 #include <sys/socket.h>
21 #include <sys/syscall.h>
22
23 #include <cerrno>
24 #include <string>
25
26 #include <sandboxed_api/sandbox2/policybuilder.h>
27 #include <sandboxed_api/sandbox2/util/bpf_helper.h>
28 #include <sandboxed_api/util/path.h>
29
30 namespace cuttlefish::process_sandboxer {
31
32 using sapi::file::JoinPath;
33
// Builds the sandbox2 policy under which the `assemble_cvd` host tool runs.
//
// Starts from BaselinePolicy() and widens it with the directories
// assemble_cvd needs (several of them writable — see the `is_ro=false`
// arguments), a set of sibling host tools that are replaced by
// `sandboxer_proxy`, and the extra syscalls the tool and the proxy issue.
//
// NOTE(review): the order of the syscall rules is assumed to be significant
// for the generated BPF program (argument-filtered `AddPolicyOnSyscall`
// entries are kept ahead of the blanket `Allow*` ones). Confirm against
// sandbox2 before reordering anything below.
//
// Parameters:
//   host - paths and helpers describing the host layout; only read here.
// Returns the populated builder; presumably the caller finalizes it.
sandbox2::PolicyBuilder AssembleCvdPolicy(const HostInfo& host) {
  // Mounted in place of several other host tools below (see AddFileAt).
  std::string sandboxer_proxy = host.HostToolExe("sandboxer_proxy");
  return BaselinePolicy(host, host.HostToolExe("assemble_cvd"))
      // Writable mounts: `is_ro=false` grants write access inside the sandbox.
      .AddDirectory(host.assembly_dir, /* is_ro= */ false)
      // TODO(schuffelen): Don't resize vbmeta in-place
      .AddDirectory(host.guest_image_path, /* is_ro= */ false)
      .AddDirectory(
          JoinPath(host.host_artifacts_path, "etc", "bootloader_x86_64"))
      .AddDirectory(JoinPath(host.host_artifacts_path, "etc", "cvd_config"))
      // TODO(schuffelen): Copy these files before modifying them
      .AddDirectory(JoinPath(host.host_artifacts_path, "etc", "openwrt"),
                    /* is_ro= */ false)
      .AddDirectory(host.environments_dir, /* is_ro= */ false)
      .AddDirectory(host.EnvironmentsUdsDir(), /* is_ro= */ false)
      .AddDirectory(host.InstanceUdsDir(), /* is_ro= */ false)
      // NOTE(review): hard-coded and writable, unlike every other directory
      // here, which is derived from `host`. The `1000` looks like a uid —
      // confirm whether this should come from HostInfo as well.
      .AddDirectory("/tmp/cf_avd_1000", /* is_ro= */ false)
      .AddDirectory(host.runtime_dir, /* is_ro= */ false)
      .AddDirectory(host.tmp_dir, /* is_ro= */ false)
      .AddDirectory(host.VsockDeviceDir(), /* is_ro= */ false)
      // `webRTC` actually uses this file, but `assemble_cvd` first checks
      // whether it exists in order to decide whether to connect to it.
      .AddFile("/run/cuttlefish/operator")
      // The proxy binary stands in for these tools at their usual paths, so
      // an exec of e.g. `avbtool` from inside the sandbox runs
      // sandboxer_proxy instead (presumably it forwards the request out of
      // the sandbox). The AF_UNIX socket rule and the connect / sendmsg /
      // recvmsg allows further down exist for it.
      .AddFileAt(sandboxer_proxy, host.HostToolExe("avbtool"))
      .AddFileAt(sandboxer_proxy, host.HostToolExe("crosvm"))
      .AddFileAt(sandboxer_proxy, host.HostToolExe("mkenvimage_slim"))
      .AddFileAt(sandboxer_proxy, host.HostToolExe("newfs_msdos"))
      .AddFileAt(sandboxer_proxy, host.HostToolExe("simg2img"))
      // madvise is restricted by its third argument (the advice) to
      // MADV_DONTNEED; prctl by its first argument to PR_SET_PDEATHSIG.
      .AddPolicyOnSyscall(__NR_madvise,
                          {ARG_32(2), JEQ32(MADV_DONTNEED, ALLOW)})
      .AddPolicyOnSyscall(__NR_prctl,
                          {ARG_32(0), JEQ32(PR_SET_PDEATHSIG, ALLOW)})
      /* sandboxer_proxy needs AF_UNIX. `assemble_cvd/network_flags.cpp` calls
       * `getifaddrs` which won't give any interesting output in the network
       * namespace anyway. */
      // Only AF_UNIX is allowed. AF_INET and AF_NETLINK return EACCES to the
      // caller rather than being treated as a violation, so code that merely
      // probes for them keeps running. Any other domain is not matched here
      // and gets the policy's default treatment.
      .AddPolicyOnSyscall(__NR_socket, {ARG_32(0), JEQ32(AF_UNIX, ALLOW),
                                        JEQ32(AF_INET, ERRNO(EACCES)),
                                        JEQ32(AF_NETLINK, ERRNO(EACCES))})
      .AllowDup()
      .AllowFork()
      .AllowGetIDs()
      .AllowLink()
      .AllowMkdir()
      .AllowPipe()
      .AllowReaddir()
      .AllowRename()
      .AllowSafeFcntl()
      .AllowSymlink()
      .AllowUnlink()
      // execve is allowed without argument filtering; what can actually be
      // executed is bounded by the files mounted into the sandbox above,
      // not by this seccomp rule.
      .AllowSyscall(__NR_execve)
      .AllowSyscall(__NR_flock)
      .AllowSyscall(__NR_ftruncate)
      .AllowSyscall(__NR_fsync)
      .AllowSyscall(__NR_umask)
      .AllowTCGETS()
      .AllowWait()
      // For sandboxer_proxy
      .AllowExit()
      // `SYS_*` and `__NR_*` are the same constants from <sys/syscall.h>;
      // the mix of spellings carries no meaning.
      .AllowSyscall(SYS_connect)
      .AllowSyscall(SYS_recvmsg)
      .AllowSyscall(SYS_sendmsg);
}
95
96 } // namespace cuttlefish::process_sandboxer
97