// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// The sandbox2::Policy class provides methods for manipulating seccomp-bpf
// syscall policies.

#ifndef SANDBOXED_API_SANDBOX2_POLICY_H_
#define SANDBOXED_API_SANDBOX2_POLICY_H_

#include <linux/bpf_common.h>
#include <linux/filter.h>   // IWYU pragma: export
#include <linux/seccomp.h>  // IWYU pragma: export

#include <cstdint>
#include <optional>
#include <vector>

#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/network_proxy/filtering.h"
#include "sandboxed_api/sandbox2/syscall.h"  // IWYU pragma: export
#include "sandboxed_api/sandbox2/violation.pb.h"

// A single BPF "return" statement yielding SECCOMP_RET_TRACE, with the host
// architecture (masked to the SECCOMP_RET_DATA bits) as the data word the
// ptrace tracer receives.
// NOTE(review): SECCOMP_RET_TRACE hands the syscall to an *attached* tracer
// (here the Monitor); per the kernel's seccomp documentation, when no tracer
// is attached the syscall is not executed and fails with ENOSYS. It is
// therefore not a permissive rule on its own -- a policy that relies on it
// depends on the Monitor actually being attached.
#define SANDBOX2_TRACE                                                   \
  BPF_STMT(BPF_RET + BPF_K,                                              \
           SECCOMP_RET_TRACE |                                           \
               (::sandbox2::Syscall::GetHostArch() & SECCOMP_RET_DATA))
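namespace sandbox2 {

namespace internal {
// Magic values of registers when executing sys_execveat, so we can recognize
// the pre-sandboxing state and notify the Monitor.
inline constexpr uintptr_t kExecveMagic = 0x921c2c34;
}  // namespace internal

class Comms;
class MonitorBase;
class PolicyBuilder;

// A seccomp-bpf syscall policy together with the sandboxing settings that
// travel with it (namespaces, stack-trace collection flags, allowed hosts).
// Instances are created only by PolicyBuilder (the constructor is private);
// they are copyable but deliberately not movable.
class Policy final {
 public:
  Policy(const Policy&) = default;
  Policy& operator=(const Policy&) = default;

  // Moves are intentionally deleted; copy a Policy instead.
  Policy(Policy&&) = delete;
  Policy& operator=(Policy&&) = delete;

  // Stores information about the policy (and the policy builder if existing)
  // in the protobuf structure.
  void GetPolicyDescription(PolicyDescription* policy) const;

  // Sends the policy over the IPC channel. Returns false on failure. The
  // result must not be ignored: until this succeeds the sandboxee is not
  // known to be running under this policy, so callers have to check it.
  [[nodiscard]] bool SendPolicy(Comms* comms, bool user_notif) const;

  // Returns the policy, but modifies it according to FLAGS and internal
  // requirements (message passing via Comms, Executor::WaitForExecve etc.).
  [[nodiscard]] std::vector<sock_filter> GetPolicy(bool user_notif) const;

  // The namespace configuration, if one was set by the builder.
  [[nodiscard]] const std::optional<Namespace>& GetNamespace() const {
    return namespace_;
  }
  // Pointer form of GetNamespace(): nullptr when no namespace is configured.
  [[nodiscard]] const Namespace* GetNamespaceOrNull() const {
    return namespace_.has_value() ? &*namespace_ : nullptr;
  }

  // Returns the default policy, which blocks certain dangerous syscalls and
  // mismatched syscall tables.
  [[nodiscard]] std::vector<sock_filter> GetDefaultPolicy(
      bool user_notif) const;
  // Returns a policy allowing the Monitor module to track all syscalls.
  [[nodiscard]] std::vector<sock_filter> GetTrackingPolicy() const;

  // Whether a stack trace is gathered when the sandboxee receives a signal.
  [[nodiscard]] bool collect_stacktrace_on_signal() const {
    return collect_stacktrace_on_signal_;
  }
  // Whether a stack trace is gathered when the sandboxee exits normally
  // (off by default, unlike the other collect_stacktrace_* flags).
  [[nodiscard]] bool collect_stacktrace_on_exit() const {
    return collect_stacktrace_on_exit_;
  }

 private:
  friend class PolicyBuilder;
  friend class MonitorBase;

  // Private constructor only called by the PolicyBuilder.
  Policy() = default;

  // The Namespace object, defines ways of putting sandboxee into namespaces.
  std::optional<Namespace> namespace_;

  // Gather stack traces on violations, signals, timeouts or when getting
  // killed. See policybuilder.h for more information. Only the signal and
  // exit flags have public accessors; the remaining ones are reachable only
  // through the friend classes.
  bool collect_stacktrace_on_violation_ = true;
  bool collect_stacktrace_on_signal_ = true;
  bool collect_stacktrace_on_timeout_ = true;
  bool collect_stacktrace_on_kill_ = true;
  bool collect_stacktrace_on_exit_ = false;

  // Optional pointer to a PolicyBuilder description pb object.
  std::optional<PolicyBuilderDescription> policy_builder_description_;

  // The policy set by the user.
  std::vector<sock_filter> user_policy_;
  // Whether the user policy makes its own decision for the bpf / ptrace
  // syscalls. NOTE(review): presumably consulted when the default policy is
  // combined with user_policy_ -- confirm against policy.cc.
  bool user_policy_handles_bpf_ = false;
  bool user_policy_handles_ptrace_ = false;

  // Contains a list of hosts the sandboxee is allowed to connect to.
  std::optional<AllowedHosts> allowed_hosts_;
};

}  // namespace sandbox2

#endif  // SANDBOXED_API_SANDBOX2_POLICY_H_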