xref: /aosp_15_r20/external/sandboxed-api/sandboxed_api/sandbox2/policy.h (revision ec63e07ab9515d95e79c211197c445ef84cefa6a) 
1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 // The sandbox2::Policy class provides methods for manipulating seccomp-bpf
16 // syscall policies.
17 
18 #ifndef SANDBOXED_API_SANDBOX2_POLICY_H_
19 #define SANDBOXED_API_SANDBOX2_POLICY_H_
20 
21 #include <linux/bpf_common.h>
22 #include <linux/filter.h>   // IWYU pragma: export
23 #include <linux/seccomp.h>  // IWYU pragma: export
24 
25 #include <cstdint>
26 #include <optional>
27 #include <vector>
28 
29 #include "sandboxed_api/sandbox2/namespace.h"
30 #include "sandboxed_api/sandbox2/network_proxy/filtering.h"
31 #include "sandboxed_api/sandbox2/syscall.h"  // IWYU pragma: export
32 #include "sandboxed_api/sandbox2/violation.pb.h"
33 
34 #define SANDBOX2_TRACE         \
35   BPF_STMT(BPF_RET + BPF_K,    \
36            SECCOMP_RET_TRACE | \
37                (::sandbox2::Syscall::GetHostArch() & SECCOMP_RET_DATA))
38 
39 namespace sandbox2 {
40 
41 namespace internal {
42 // Magic values of registers when executing sys_execveat, so we can recognize
43 // the pre-sandboxing state and notify the Monitor
44 inline constexpr uintptr_t kExecveMagic = 0x921c2c34;
45 }  // namespace internal
46 
47 class Comms;
48 class MonitorBase;
49 class PolicyBuilder;
50 
51 class Policy final {
52  public:
53   Policy(const Policy&) = default;
54   Policy& operator=(const Policy&) = default;
55 
56   Policy(Policy&&) = delete;
57   Policy& operator=(Policy&&) = delete;
58 
59   // Stores information about the policy (and the policy builder if existing)
60   // in the protobuf structure.
61   void GetPolicyDescription(PolicyDescription* policy) const;
62 
63   // Sends the policy over the IPC channel.
64   bool SendPolicy(Comms* comms, bool user_notif) const;
65 
66   // Returns the policy, but modifies it according to FLAGS and internal
67   // requirements (message passing via Comms, Executor::WaitForExecve etc.).
68   std::vector<sock_filter> GetPolicy(bool user_notif) const;
69 
GetNamespace()70   const std::optional<Namespace>& GetNamespace() const { return namespace_; }
GetNamespaceOrNull()71   const Namespace* GetNamespaceOrNull() const {
72     return namespace_ ? &namespace_.value() : nullptr;
73   }
74 
75   // Returns the default policy, which blocks certain dangerous syscalls and
76   // mismatched syscall tables.
77   std::vector<sock_filter> GetDefaultPolicy(bool user_notif) const;
78   // Returns a policy allowing the Monitor module to track all syscalls.
79   std::vector<sock_filter> GetTrackingPolicy() const;
80 
collect_stacktrace_on_signal()81   bool collect_stacktrace_on_signal() const {
82     return collect_stacktrace_on_signal_;
83   }
84 
collect_stacktrace_on_exit()85   bool collect_stacktrace_on_exit() const {
86     return collect_stacktrace_on_exit_;
87   }
88 
89  private:
90   friend class PolicyBuilder;
91   friend class MonitorBase;
92 
93   // Private constructor only called by the PolicyBuilder.
94   Policy() = default;
95 
96   // The Namespace object, defines ways of putting sandboxee into namespaces.
97   std::optional<Namespace> namespace_;
98 
99   // Gather stack traces on violations, signals, timeouts or when getting
100   // killed. See policybuilder.h for more information.
101   bool collect_stacktrace_on_violation_ = true;
102   bool collect_stacktrace_on_signal_ = true;
103   bool collect_stacktrace_on_timeout_ = true;
104   bool collect_stacktrace_on_kill_ = true;
105   bool collect_stacktrace_on_exit_ = false;
106 
107   // Optional pointer to a PolicyBuilder description pb object.
108   std::optional<PolicyBuilderDescription> policy_builder_description_;
109 
110   // The policy set by the user.
111   std::vector<sock_filter> user_policy_;
112   bool user_policy_handles_bpf_ = false;
113   bool user_policy_handles_ptrace_ = false;
114 
115   // Contains a list of hosts the sandboxee is allowed to connect to.
116   std::optional<AllowedHosts> allowed_hosts_;
117 };
118 
119 }  // namespace sandbox2
120 
121 #endif  // SANDBOXED_API_SANDBOX2_POLICY_H_
122