• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2024 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "host/commands/process_sandboxer/policies.h"
18 
19 #include <stdlib.h>
20 #include <sys/ioctl.h>
21 #include <sys/socket.h>
22 #include <syscall.h>
23 #include <unistd.h>
24 
25 #include <string>
26 
27 #include <absl/log/check.h>
28 #include <sandboxed_api/sandbox2/policybuilder.h>
29 #include <sandboxed_api/sandbox2/util/bpf_helper.h>
30 #include <sandboxed_api/util/path.h>
31 
32 namespace cuttlefish::process_sandboxer {
33 
34 using sapi::file::JoinPath;
35 
36 /*
37  * This executable is built as a `python_binary_host`:
38  * https://cs.android.com/android/platform/superproject/main/+/main:external/avb/Android.bp;l=136;drc=1bbcd661f0afe4ab56c7031f57d518a19015805e
39  *
40  * A `python_binary_host` executable is a python interpreter concatenated with a
41  * zip file of the python code for this executable and the python standard
42  * library.
43  * https://cs.android.com/android/platform/superproject/main/+/main:build/soong/python/python.go;l=416;drc=4ce4f8893e5c5ee9b9b2669ceb36a01d85ea39f4
44  *
45  * Concatenation works because the interpreter is a ELF executable, identified
46  * by an ELF prefix header, while zip files are identifier by a table added to
47  * the file as a suffix.
48  *
49  * The python interpreter is an executable built out of the Android build system
50  * with some custom code.
51  * https://cs.android.com/android/platform/superproject/main/+/main:external/python/cpython3/android/launcher_main.cpp;drc=02afc01277f68e081dad208f2d660fc74d67be88
52  */
AvbToolPolicy(const HostInfo & host)53 sandbox2::PolicyBuilder AvbToolPolicy(const HostInfo& host) {
54   /*
55    * `launcher_main.cpp` relies on `android::base::GetExecutablePath()` which
56    * tries to `readlink("/proc/self/exe")`. Sandbox2 doesn't mount a procfs at
57    * /proc in the mount namespace, so we can do this mount ourselves.  However,
58    * this specifically needs to appear inside the mount namespace as a symlink
59    * so that `readlink` works correctly. Bind-mounting the file with `AddFileAt`
60    * or even bind-mounting a symlink directly doesn't appear to work correctly
61    * with `readlink`, so we have to bind-mount a parent directory into
62    * /proc/self and create an `exe` symlink.
63    *
64    * https://cs.android.com/android/platform/superproject/main/+/main:system/libbase/file.cpp;l=491;drc=a4ac93b700ed623bdb333ccb2ac567b8a33081a7
65    */
66   std::string executable = host.HostToolExe("avbtool");
67 
68   char fake_proc_self[] = "/tmp/avbtool_XXXXXX";
69   PCHECK(mkdtemp(fake_proc_self)) << "Failed to create fake /proc/self dir";
70   PCHECK(symlink(executable.c_str(), JoinPath(fake_proc_self, "exe").c_str()) >=
71          0)
72       << "Failed to create 'exe' symlink for avbtool";
73   return BaselinePolicy(host, executable)
74       .AddDirectory(host.host_artifacts_path)
75       .AddDirectory(host.guest_image_path)
76       .AddDirectory(host.runtime_dir, /* is_ro= */ false)
77       .AddDirectoryAt(fake_proc_self, "/proc/self")
78       .AddFile("/dev/urandom")  // For Python
79       .AddFileAt(host.HostToolExe("sandboxer_proxy"), "/usr/bin/openssl")
80       // The executable `open`s itself to load the python files.
81       .AddFile(executable)
82       .AddLibrariesForBinary(host.HostToolExe("sandboxer_proxy"),
83                              JoinPath(host.host_artifacts_path, "lib64"))
84       .AddPolicyOnSyscall(__NR_ioctl, {ARG_32(1), JEQ32(TIOCGWINSZ, ALLOW)})
85       .AddPolicyOnSyscall(__NR_socket, {ARG_32(0), JEQ32(AF_UNIX, ALLOW)})
86       .AllowDup()
87       .AllowEpoll()
88       .AllowFork()
89       .AllowHandleSignals()
90       .AllowPipe()
91       .AllowSafeFcntl()
92       .AllowSyscall(__NR_connect)
93       .AllowSyscall(__NR_mremap)
94       .AllowSyscall(__NR_execve)
95       .AllowSyscall(__NR_ftruncate)
96       .AllowSyscall(__NR_recvmsg)
97       .AllowSyscall(__NR_sendmsg)
98       .AllowSyscall(__NR_sysinfo)
99       .AllowTCGETS()
100       .AllowWait();
101 }
102 
103 }  // namespace cuttlefish::process_sandboxer
104