1 // Copyright 2019 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // The sandbox2::Notify class handless exceptional situations in the sandbox 16 17 #ifndef SANDBOXED_API_SANDBOX2_NOTIFY_H_ 18 #define SANDBOXED_API_SANDBOX2_NOTIFY_H_ 19 20 #include <sys/types.h> 21 22 #include "absl/base/attributes.h" 23 #include "absl/log/log.h" 24 #include "sandboxed_api/sandbox2/comms.h" 25 #include "sandboxed_api/sandbox2/result.h" 26 #include "sandboxed_api/sandbox2/syscall.h" 27 #include "sandboxed_api/sandbox2/util.h" 28 29 namespace sandbox2 { 30 31 enum ViolationType { 32 // A syscall disallowed by the policy was invoked. 33 kSyscallViolation, 34 // A syscall with cpu architecture not covered by the policy was invoked. 35 kArchitectureSwitchViolation, 36 }; 37 38 class Notify { 39 public: 40 virtual ~Notify() = default; 41 42 // Called when a process has been created and executed, but not yet sandboxed. 43 // Using comms only makes sense if the client is sandboxed in the 44 // Executor::set_enable_sandbox_before_exec(false) mode. 45 // Returns a success indicator: false will cause the Sandbox Monitor to return 46 // sandbox2::Result::SETUP_ERROR for Run()/RunAsync(). EventStarted(pid_t pid,Comms * comms)47 virtual bool EventStarted(pid_t pid, Comms* comms) { return true; } 48 49 // Called when all sandboxed processes finished. EventFinished(const Result & result)50 virtual void EventFinished(const Result& result) {} 51 52 // Called when a process exited with a syscall violation. EventSyscallViolation(const Syscall & syscall,ViolationType type)53 virtual void EventSyscallViolation(const Syscall& syscall, 54 ViolationType type) {} 55 56 // Called when a policy called TRACE. The syscall is allowed and logged if 57 // this method returns true. This allows for implementing 'log, but allow' 58 // policies. 59 ABSL_DEPRECATED("Override EventSyscallTrace() instead") EventSyscallTrap(const Syscall & syscall)60 virtual bool EventSyscallTrap(const Syscall& syscall) { return false; } 61 62 // Actions to perform after calling EventSyscallTrace. 63 enum class TraceAction { 64 // Deny the syscall. 65 kDeny, 66 // Allow the syscall. 67 kAllow, 68 // Allow the syscall so its return value can be inspected through a 69 // subsequent call to EventSyscallReturn. 70 // Requires Linux kernel 4.8 or later. 71 kInspectAfterReturn 72 }; 73 74 // Called when a policy called TRACE. The syscall is allowed or denied 75 // depending on the return value of this function. EventSyscallTrace(const Syscall & syscall)76 virtual TraceAction EventSyscallTrace(const Syscall& syscall) { 77 if (EventSyscallTrap(syscall)) { 78 LOG(WARNING) << "[PERMITTED]: SYSCALL ::: PID: " << syscall.pid() 79 << ", PROG: '" << util::GetProgName(syscall.pid()) 80 << "' : " << syscall.GetDescription(); 81 return TraceAction::kAllow; 82 } 83 return TraceAction::kDeny; 84 } 85 86 // Called when a policy called TRACE and EventSyscallTrace returned 87 // kInspectAfterReturn. EventSyscallReturn(const Syscall & syscall,int64_t return_value)88 virtual void EventSyscallReturn(const Syscall& syscall, 89 int64_t return_value) {} 90 91 // Called when a process received a signal. EventSignal(pid_t pid,int sig_no)92 virtual void EventSignal(pid_t pid, int sig_no) {} 93 }; 94 95 } // namespace sandbox2 96 97 #endif // SANDBOXED_API_SANDBOX2_NOTIFY_H_ 98