• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef SANDBOXED_API_SANDBOX2_NETWORK_PROXY_SERVER_H_
16 #define SANDBOXED_API_SANDBOX2_NETWORK_PROXY_SERVER_H_
17 
18 #include <atomic>
19 #include <memory>
20 #include <string>
21 
22 #include "absl/functional/any_invocable.h"
23 #include "sandboxed_api/sandbox2/comms.h"
24 #include "sandboxed_api/sandbox2/network_proxy/filtering.h"
25 
26 namespace sandbox2 {
27 
28 // This is a proxy server that spawns connected sockets on requests.
29 // Then it sends the file descriptor to the requestor. It is used to get around
30 // limitations created by network namespaces. It also contains a set of rules
31 // of allowed hosts.
32 class NetworkProxyServer {
33  public:
34   NetworkProxyServer(int fd, AllowedHosts* allowed_hosts,
35                      absl::AnyInvocable<void()> notify_violation);
36 
37   NetworkProxyServer(const NetworkProxyServer&) = delete;
38   NetworkProxyServer& operator=(const NetworkProxyServer&) = delete;
39 
40   // Starts handling incoming connection requests.
41   void Run();
42 
43   // When the network rules were violated violation_occurred_ is set and
44   // violation_msg_ contains details about the host.
45   std::atomic<bool> violation_occurred_;
46   std::string violation_msg_;
47 
48  private:
49   // Notifies the network proxy client about the error and sends its code.
50   void SendError(int saved_errno);
51 
52   // Notifies the network proxy client that no error occurred.
53   void NotifySuccess();
54 
55   // Serves connection requests from the network proxy client.
56   void ProcessConnectRequest();
57 
58   // Throw a violation when the network rules are subverted.
59   void NotifyViolation(const struct sockaddr* saddr);
60 
61   std::unique_ptr<Comms> comms_;
62   bool fatal_error_;
63   absl::AnyInvocable<void()> notify_violation_fn_;
64 
65   // Contains list of allowed to connect hosts.
66   AllowedHosts* allowed_hosts_;
67 };
68 
69 }  // namespace sandbox2
70 
71 #endif  // SANDBOXED_API_SANDBOX2_NETWORK_PROXY_SERVER_H_
72