1 // Copyright 2019 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // The sandbox2::Policy class provides methods for manipulating seccomp-bpf 16 // syscall policies. 17 18 #ifndef SANDBOXED_API_SANDBOX2_POLICY_H_ 19 #define SANDBOXED_API_SANDBOX2_POLICY_H_ 20 21 #include <linux/bpf_common.h> 22 #include <linux/filter.h> // IWYU pragma: export 23 #include <linux/seccomp.h> // IWYU pragma: export 24 25 #include <cstdint> 26 #include <optional> 27 #include <vector> 28 29 #include "sandboxed_api/sandbox2/namespace.h" 30 #include "sandboxed_api/sandbox2/network_proxy/filtering.h" 31 #include "sandboxed_api/sandbox2/syscall.h" // IWYU pragma: export 32 33 #define SANDBOX2_TRACE \ 34 BPF_STMT(BPF_RET + BPF_K, \ 35 SECCOMP_RET_TRACE | \ 36 (::sandbox2::Syscall::GetHostArch() & SECCOMP_RET_DATA)) 37 38 namespace sandbox2 { 39 40 namespace internal { 41 // Magic values of registers when executing sys_execveat, so we can recognize 42 // the pre-sandboxing state and notify the Monitor 43 inline constexpr uintptr_t kExecveMagic = 0x921c2c34; 44 } // namespace internal 45 46 class MonitorBase; 47 class PolicyBuilder; 48 49 class Policy final { 50 public: 51 Policy(const Policy&) = default; 52 Policy& operator=(const Policy&) = default; 53 54 Policy(Policy&&) = delete; 55 Policy& operator=(Policy&&) = delete; 56 57 // Returns the policy, but modifies it according to FLAGS and internal 58 // requirements (message passing via Comms, Executor::WaitForExecve etc.). 59 std::vector<sock_filter> GetPolicy(bool user_notif) const; 60 GetNamespace()61 const std::optional<Namespace>& GetNamespace() const { return namespace_; } GetNamespaceOrNull()62 const Namespace* GetNamespaceOrNull() const { 63 return namespace_ ? &namespace_.value() : nullptr; 64 } 65 66 // Returns the default policy, which blocks certain dangerous syscalls and 67 // mismatched syscall tables. 68 std::vector<sock_filter> GetDefaultPolicy(bool user_notif) const; 69 // Returns a policy allowing the Monitor module to track all syscalls. 70 std::vector<sock_filter> GetTrackingPolicy() const; 71 collect_stacktrace_on_signal()72 bool collect_stacktrace_on_signal() const { 73 return collect_stacktrace_on_signal_; 74 } 75 collect_stacktrace_on_exit()76 bool collect_stacktrace_on_exit() const { 77 return collect_stacktrace_on_exit_; 78 } 79 80 private: 81 friend class PolicyBuilder; 82 friend class MonitorBase; 83 84 // Private constructor only called by the PolicyBuilder. 85 Policy() = default; 86 87 // The Namespace object, defines ways of putting sandboxee into namespaces. 88 std::optional<Namespace> namespace_; 89 90 // Gather stack traces on violations, signals, timeouts or when getting 91 // killed. See policybuilder.h for more information. 92 bool collect_stacktrace_on_violation_ = true; 93 bool collect_stacktrace_on_signal_ = true; 94 bool collect_stacktrace_on_timeout_ = true; 95 bool collect_stacktrace_on_kill_ = true; 96 bool collect_stacktrace_on_exit_ = false; 97 98 bool allow_map_exec_ = false; 99 bool allow_speculation_ = false; 100 101 // The policy set by the user. 102 std::vector<sock_filter> user_policy_; 103 bool user_policy_handles_bpf_ = false; 104 bool user_policy_handles_ptrace_ = false; 105 106 // Contains a list of hosts the sandboxee is allowed to connect to. 107 std::optional<AllowedHosts> allowed_hosts_; 108 }; 109 110 } // namespace sandbox2 111 112 #endif // SANDBOXED_API_SANDBOX2_POLICY_H_ 113