1 /*
2 * Copyright (C) 2024 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "host/commands/process_sandboxer/policies.h"
18
19 #include <linux/filter.h>
20 #include <sys/mman.h>
21 #include <sys/socket.h>
22 #include <syscall.h>
23
24 #include <cerrno>
25 #include <vector>
26
27 #include <sandboxed_api/sandbox2/policybuilder.h>
28 #include <sandboxed_api/sandbox2/util/bpf_helper.h>
29 #include <sandboxed_api/util/path.h>
30
namespace cuttlefish::process_sandboxer {

using sapi::file::JoinPath;

namespace {

// Extra mmap() shape allowed on top of the baseline: a read+write MAP_SHARED
// mapping, used for the wifi shared memory wmediumd exchanges with crosvm.
// Both comparisons are exact (ARG_32 compares the low 32 bits of the
// argument), so prot must be exactly PROT_READ|PROT_WRITE and flags exactly
// MAP_SHARED; any other combination falls through to whatever mmap rules the
// rest of the policy installs.
std::vector<sock_filter> SharedRwMmapFilter(bpf_labels& labels) {
  return {
      ARG_32(2),  // prot
      JNE32(PROT_READ | PROT_WRITE, JUMP(&labels, cf_wmediumd_mmap_end)),
      ARG_32(3),  // flags
      JEQ32(MAP_SHARED, ALLOW),
      LABEL(&labels, cf_wmediumd_mmap_end),
  };
}

// getsockopt()/setsockopt() fragment: only SO_REUSEPORT at level SOL_SOCKET
// is allowed here. Any other level/optname pair is not decided by this
// fragment and falls through to the rest of the policy.
std::vector<sock_filter> ReusePortSockoptFilter(bpf_labels& labels) {
  return {
      ARG_32(1),  // level
      JNE32(SOL_SOCKET, JUMP(&labels, cf_wmediumd_getsockopt_end)),
      ARG_32(2),  // optname
      JEQ32(SO_REUSEPORT, ALLOW),
      LABEL(&labels, cf_wmediumd_getsockopt_end),
  };
}

// Syscalls wmediumd gets with no argument filtering at all.
constexpr int kUnfilteredSyscalls[] = {
    __NR_accept,
    __NR_bind,
    __NR_clone,  // Multithreading
    __NR_getpeername,
    __NR_getsockname,
    __NR_listen,
    __NR_msgget,
    __NR_msgsnd,
    __NR_msgrcv,
    __NR_recvmsg,
    __NR_sched_getparam,
    __NR_sched_getscheduler,
    __NR_sched_yield,
    __NR_sendmsg,
    __NR_shutdown,
    __NR_timerfd_create,
    __NR_timerfd_settime,
};

}  // namespace

// Builds the sandbox policy for the wmediumd host tool.
//
// Starting from BaselinePolicy (defined elsewhere; what it already allows and
// how it treats syscalls that fall through the fragments above is not visible
// in this file), wmediumd additionally gets:
//   - writable access to the environment and instance UDS directories, the
//     log directory and env-1's wmediumd.cfg; /dev/urandom and the cuttlefish
//     config file are added with AddFile's default access mode;
//   - a read+write MAP_SHARED mmap() (crosvm wifi shared memory);
//   - SO_REUSEPORT on SOL_SOCKET for {get,set}sockopt();
//   - madvise(MADV_DONTNEED) only;
//   - socket() for AF_UNIX with any type/protocol. AF_INET and AF_INET6 are
//     refused with EACCES instead of being treated as a policy violation, so
//     the caller just sees a normal failure -- which also means whatever is
//     opening them is not surfaced by the sandbox (their origin is unknown,
//     see the inline comment);
//   - the unconditional syscalls in kUnfilteredSyscalls.
//
// NOTE(review): clone() is allowed without a flags check, so fork-style
// clones pass as well as CLONE_THREAD ones. If threads are all that is
// needed, a flags filter on CLONE_THREAD would be tighter -- confirm wmediumd
// never forks before tightening. msgget/msgsnd/msgrcv expose SysV message
// queues; whether those are isolated from the host depends on the IPC
// namespacing done by BaselinePolicy, which is not visible here.
sandbox2::PolicyBuilder WmediumdPolicy(const HostInfo& host) {
  sandbox2::PolicyBuilder builder =
      BaselinePolicy(host, host.HostToolExe("wmediumd"));

  // Filesystem view.
  builder.AddDirectory(host.EnvironmentsUdsDir(), /* is_ro= */ false)
      .AddDirectory(host.InstanceUdsDir(), /* is_ro= */ false)
      .AddDirectory(host.log_dir, /* is_ro= */ false)
      .AddFile("/dev/urandom")  // For gRPC
      // Only env-1's config is mapped; the environment id is hard-coded.
      .AddFile(JoinPath(host.environments_dir, "env-1", "wmediumd.cfg"),
               /* is_ro= */ false)
      .AddFile(host.cuttlefish_config_path);

  // Argument-filtered syscalls.
  builder
      .AddPolicyOnMmap(SharedRwMmapFilter)  // Shared memory with crosvm for wifi
      .AddPolicyOnSyscalls({__NR_getsockopt, __NR_setsockopt},
                           ReusePortSockoptFilter)
      .AddPolicyOnSyscall(__NR_madvise,
                          {ARG_32(2), JEQ32(MADV_DONTNEED, ALLOW)})
      // Unclear what's creating the INET and INET6 sockets; they are
      // soft-denied with EACCES rather than reported as a violation. Domains
      // other than these three fall through to the rest of the policy.
      .AddPolicyOnSyscall(__NR_socket, {ARG_32(0), JEQ32(AF_UNIX, ALLOW),
                                        JEQ32(AF_INET, ERRNO(EACCES)),
                                        JEQ32(AF_INET6, ERRNO(EACCES))});

  // Builder-provided syscall groups.
  builder.AllowEventFd()
      .AllowHandleSignals()
      .AllowSafeFcntl()
      .AllowSelect()
      .AllowSleep();

  // Plain allow-list, no argument inspection.
  for (const int nr : kUnfilteredSyscalls) {
    builder.AllowSyscall(nr);
  }

  return builder;
}

}  // namespace cuttlefish::process_sandboxer
96