diff options
| author | A. Cody Schuffelen <schuffelen@google.com> | 2024-02-02 13:00:50 -0800 |
|---|---|---|
| committer | Copybara-Service <copybara-worker@google.com> | 2024-02-02 13:01:37 -0800 |
| commit | f708270f350ed1ba5c4a751abba6ff2d8e2442eb (patch) | |
| tree | 1421d0c4873c9f6614e57ea4284f643969612de4 | |
| parent | 044ba1cb90cd9947141f87225a02a3cfd7e868f8 (diff) | |
| download | sandboxed-api-f708270f350ed1ba5c4a751abba6ff2d8e2442eb.tar.gz | |
Add `DefaultAction(TraceAllSyscalls)` variant to `PolicyBuilder`
This helps write the kind of 'log, but allow' policy described in
[`notify.h`](https://github.com/google/sandboxed-api/blob/b9c84a1f75d282ff38ebed068bebe9960af9eb71/sandboxed_api/sandbox2/notify.h#L57) for all system calls not mentioned explicitly. One use case is writing a "permissive mode" runtime to give more information during development.
PiperOrigin-RevId: 603766051
Change-Id: I3c72f433a1e21c330b5dd9f1ede2faa570b75b09
| -rw-r--r-- | sandboxed_api/sandbox2/BUILD.bazel | 19 | ||||
| -rw-r--r-- | sandboxed_api/sandbox2/CMakeLists.txt | 10 | ||||
| -rw-r--r-- | sandboxed_api/sandbox2/notify_test.cc | 17 | ||||
| -rw-r--r-- | sandboxed_api/sandbox2/policybuilder.cc | 6 | ||||
| -rw-r--r-- | sandboxed_api/sandbox2/policybuilder.h | 7 | ||||
| -rw-r--r-- | sandboxed_api/sandbox2/trace_all_syscalls.h | 27 |
6 files changed, 86 insertions, 0 deletions
diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel index 71d7994..3b08b55 100644 --- a/sandboxed_api/sandbox2/BUILD.bazel +++ b/sandboxed_api/sandbox2/BUILD.bazel @@ -41,6 +41,23 @@ cc_library( ) cc_library( + name = "trace_all_syscalls", + hdrs = ["trace_all_syscalls.h"], + copts = sapi_platform_copts(), + visibility = [ + "//sandboxed_api/sandbox2:__pkg__", + ], +) + +cc_library( + name = "testonly_trace_all_syscalls", + testonly = True, + hdrs = ["trace_all_syscalls.h"], + copts = sapi_platform_copts(), + visibility = ["//visibility:public"], +) + +cc_library( name = "allow_unrestricted_networking", hdrs = ["allow_unrestricted_networking.h"], copts = sapi_platform_copts(), @@ -563,6 +580,7 @@ cc_library( ":namespace", ":policy", ":syscall", + ":trace_all_syscalls", ":violation_cc_proto", "//sandboxed_api:config", "//sandboxed_api/sandbox2/network_proxy:filtering", @@ -924,6 +942,7 @@ cc_test( deps = [ ":comms", ":sandbox2", + ":trace_all_syscalls", "//sandboxed_api:testing", "@com_google_absl//absl/log", "@com_google_absl//absl/strings", diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt index 88cc887..b01c4d9 100644 --- a/sandboxed_api/sandbox2/CMakeLists.txt +++ b/sandboxed_api/sandbox2/CMakeLists.txt @@ -26,6 +26,15 @@ target_link_libraries(sandbox2_allow_all_syscalls PRIVATE sapi::base ) +# sandboxed_api/sandbox2:trace_all_syscalls +add_library(sandbox2_trace_all_syscalls ${SAPI_LIB_TYPE} + trace_all_syscalls.h +) +add_library(sandbox2::trace_all_syscalls ALIAS sandbox2_trace_all_syscalls) +target_link_libraries(sandbox2_trace_all_syscalls PRIVATE + sapi::base +) + # sandboxed_api/sandbox2:allow_unrestricted_networking add_library(sandbox2_allow_unrestricted_networking ${SAPI_LIB_TYPE} allow_unrestricted_networking.h @@ -994,6 +1003,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING) sandbox2::comms sandbox2::regs sandbox2::sandbox2 + sandbox2::trace_all_syscalls sapi::testing sapi::test_main ) diff --git a/sandboxed_api/sandbox2/notify_test.cc b/sandboxed_api/sandbox2/notify_test.cc index ad77dc8..6942f50 100644 --- a/sandboxed_api/sandbox2/notify_test.cc +++ b/sandboxed_api/sandbox2/notify_test.cc @@ -33,6 +33,7 @@ #include "sandboxed_api/sandbox2/policybuilder.h" #include "sandboxed_api/sandbox2/sandbox2.h" #include "sandboxed_api/sandbox2/syscall.h" +#include "sandboxed_api/sandbox2/trace_all_syscalls.h" #include "sandboxed_api/testing.h" namespace sandbox2 { @@ -126,5 +127,21 @@ TEST(NotifyTest, PrintPidAndComms) { EXPECT_THAT(result.reason_code(), Eq(33)); } +// Test EventSyscallTrap on personality syscall through TraceAllSyscalls +TEST(NotifyTest, TraceAllAllowPersonality) { + const std::string path = GetTestSourcePath("sandbox2/testcases/personality"); + std::vector<std::string> args = {path}; + auto policy = CreateDefaultPermissiveTestPolicy(path) + .DefaultAction(TraceAllSyscalls()) + .BuildOrDie(); + Sandbox2 s2(std::make_unique<Executor>(path, args), + NotifyTestcasePolicy(path), + std::make_unique<PersonalityNotify>(/*allow=*/true)); + auto result = s2.Run(); + + ASSERT_THAT(result.final_status(), Eq(Result::OK)); + EXPECT_THAT(result.reason_code(), Eq(22)); +} + } // namespace } // namespace sandbox2 diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index a76bb18..6fbda54 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -60,6 +60,7 @@ #include "sandboxed_api/sandbox2/namespace.h" #include "sandboxed_api/sandbox2/policy.h" #include "sandboxed_api/sandbox2/syscall.h" +#include "sandboxed_api/sandbox2/trace_all_syscalls.h" #include "sandboxed_api/sandbox2/util/bpf_helper.h" #include "sandboxed_api/sandbox2/violation.pb.h" #include "sandboxed_api/util/path.h" @@ -1244,6 +1245,11 @@ PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) { return *this; } +PolicyBuilder& PolicyBuilder::DefaultAction(TraceAllSyscalls) { + default_action_ = SANDBOX2_TRACE; + return *this; +} + absl::StatusOr<std::string> PolicyBuilder::ValidateAbsolutePath( absl::string_view path) { if (!file::IsAbsolutePath(path)) { diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h index 913c449..5485833 100644 --- a/sandboxed_api/sandbox2/policybuilder.h +++ b/sandboxed_api/sandbox2/policybuilder.h @@ -43,6 +43,7 @@ struct bpf_labels; namespace sandbox2 { class AllowAllSyscalls; +class TraceAllSyscalls; class UnrestrictedNetworking; // PolicyBuilder is a helper class to simplify creation of policies. The builder @@ -712,6 +713,12 @@ class PolicyBuilder final { // sandbox-team@ first if unsure. PolicyBuilder& DefaultAction(AllowAllSyscalls); + // Changes the default action to SANDBOX2_TRACE. + // All syscalls not handled explicitly by the policy will be passed off to + // the `sandbox2::Notify` implementation given to the `sandbox2::Sandbox2` + // instance. + PolicyBuilder& DefaultAction(TraceAllSyscalls); + ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead") PolicyBuilder& DangerDefaultAllowAll(); diff --git a/sandboxed_api/sandbox2/trace_all_syscalls.h b/sandboxed_api/sandbox2/trace_all_syscalls.h new file mode 100644 index 0000000..d387cc3 --- /dev/null +++ b/sandboxed_api/sandbox2/trace_all_syscalls.h @@ -0,0 +1,27 @@ +// Copyright 2024 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_ +#define SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_ + +namespace sandbox2 { + +class TraceAllSyscalls { + public: + explicit TraceAllSyscalls() = default; +}; + +} // namespace sandbox2 + +#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_ |