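// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef SANDBOX_H_
#define SANDBOX_H_

#include <linux/futex.h>
#include <sys/mman.h>  // For mmap arguments
#include <syscall.h>

#include <cstdlib>
#include <memory>  // std::unique_ptr in ModifyPolicy's return type

#include "curl_sapi.sapi.h"  // NOLINT(build/include)
#include "sandboxed_api/sandbox2/util/allow_unrestricted_networking.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"

namespace curl {

// Sandbox wrapper for the SAPI-generated curl library.
//
// The only customization is the seccomp/namespace policy returned from
// ModifyPolicy(); everything else is inherited from curl::CurlSandbox.
class CurlSapiSandbox : public curl::CurlSandbox {
 protected:
  // Builds the sandbox2 policy applied to the curl sandboxee.
  //
  // The PolicyBuilder passed in by the base class is deliberately ignored:
  // a fresh builder is constructed here, so this list is the complete
  // allow-list and nothing the base class pre-configured carries over.
  // Any syscall curl needs that is not listed below will be blocked by
  // the sandbox.
  //
  // Returns the built policy; BuildOrDie() presumably terminates the
  // process instead of returning if the policy cannot be constructed.
  std::unique_ptr<sandbox2::Policy> ModifyPolicy(
      sandbox2::PolicyBuilder*) override {
    // Return a new policy
    return sandbox2::PolicyBuilder()
        // Process lifecycle and dynamic-linker startup.
        .AllowDynamicStartup()
        .AllowExit()
        // NOTE(review): fork is a broad grant for a library sandbox;
        // confirm curl (or its resolver/backend) actually needs it.
        .AllowFork()
        // Private (process-local) futex operations used by pthreads.
        .AllowFutexOp(FUTEX_WAIT_PRIVATE)
        .AllowFutexOp(FUTEX_WAKE_PRIVATE)
        .AllowFutexOp(FUTEX_REQUEUE_PRIVATE)
        // Memory management; executable mappings are not permitted.
        .AllowMmapWithoutExec()
        // File access. open/write/access are allowed without a path
        // filter; the filesystem view is limited by AddDirectory below.
        .AllowOpen()
        .AllowSafeFcntl()
        .AllowWrite()
        .AllowAccess()
        // Socket API needed for client (and server-side, see bind/listen/
        // accept) networking.
        .AllowSyscall(__NR_accept)
        .AllowSyscall(__NR_bind)
        .AllowSyscall(__NR_connect)
        .AllowSyscall(__NR_getpeername)
        .AllowSyscall(__NR_getsockname)
        .AllowSyscall(__NR_getsockopt)
        // NOTE(review): ioctl is allowed for any request code; a
        // request-filtered rule would narrow this if the needed codes
        // are known.
        .AllowSyscall(__NR_ioctl)
        .AllowSyscall(__NR_listen)
        .AllowSyscall(__NR_madvise)
        .AllowPoll()
        .AllowSyscall(__NR_recvfrom)
        .AllowSyscall(__NR_recvmsg)
        .AllowSyscall(__NR_rt_sigaction)
        .AllowSyscall(__NR_sendmmsg)
        .AllowSyscall(__NR_sendto)
        .AllowSyscall(__NR_setsockopt)
        .AllowSyscall(__NR_socket)
        .AllowSyscall(__NR_sysinfo)
        // Expose the host's /lib inside the sandboxee's mount namespace
        // so shared libraries can be loaded.
        .AddDirectory("/lib")
        // Keep the sandboxee on the host network rather than an isolated
        // network namespace; required for curl to reach remote hosts.
        .Allow(sandbox2::UnrestrictedNetworking())
        .BuildOrDie();
  }
};

}  // namespace curl

#endif  // SANDBOX_H_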