From f708270f350ed1ba5c4a751abba6ff2d8e2442eb Mon Sep 17 00:00:00 2001
From: "A. Cody Schuffelen" <schuffelen@google.com>
Date: Fri, 2 Feb 2024 13:00:50 -0800
Subject: Add `DefaultAction(TraceAllSyscalls)` variant to `PolicyBuilder`

This helps write the kind of 'log, but allow' policy described in
[`notify.h`](https://github.com/google/sandboxed-api/blob/b9c84a1f75d282ff38ebed068bebe9960af9eb71/sandboxed_api/sandbox2/notify.h#L57) for all system calls not mentioned explicitly. One use case is writing a "permissive mode" runtime to give more information during development.

PiperOrigin-RevId: 603766051
Change-Id: I3c72f433a1e21c330b5dd9f1ede2faa570b75b09
---
 sandboxed_api/sandbox2/BUILD.bazel          | 19 +++++++++++++++++++
 sandboxed_api/sandbox2/CMakeLists.txt       | 10 ++++++++++
 sandboxed_api/sandbox2/notify_test.cc       | 17 +++++++++++++++++
 sandboxed_api/sandbox2/policybuilder.cc     |  6 ++++++
 sandboxed_api/sandbox2/policybuilder.h      |  7 +++++++
 sandboxed_api/sandbox2/trace_all_syscalls.h | 27 +++++++++++++++++++++++++++
 6 files changed, 86 insertions(+)
 create mode 100644 sandboxed_api/sandbox2/trace_all_syscalls.h

diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index 71d7994..3b08b55 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -40,6 +40,23 @@ cc_library(
     visibility = ["//visibility:public"],
 )
 
+cc_library(
+    name = "trace_all_syscalls",
+    hdrs = ["trace_all_syscalls.h"],
+    copts = sapi_platform_copts(),
+    visibility = [
+        "//sandboxed_api/sandbox2:__pkg__",
+    ],
+)
+
+cc_library(
+    name = "testonly_trace_all_syscalls",
+    testonly = True,
+    hdrs = ["trace_all_syscalls.h"],
+    copts = sapi_platform_copts(),
+    visibility = ["//visibility:public"],
+)
+
 cc_library(
     name = "allow_unrestricted_networking",
     hdrs = ["allow_unrestricted_networking.h"],
@@ -563,6 +580,7 @@ cc_library(
         ":namespace",
         ":policy",
         ":syscall",
+        ":trace_all_syscalls",
         ":violation_cc_proto",
         "//sandboxed_api:config",
         "//sandboxed_api/sandbox2/network_proxy:filtering",
@@ -924,6 +942,7 @@ cc_test(
     deps = [
         ":comms",
         ":sandbox2",
+        ":trace_all_syscalls",
         "//sandboxed_api:testing",
         "@com_google_absl//absl/log",
         "@com_google_absl//absl/strings",
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index 88cc887..b01c4d9 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -26,6 +26,15 @@ target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
   sapi::base
 )
 
+# sandboxed_api/sandbox2:trace_all_syscalls
+add_library(sandbox2_trace_all_syscalls ${SAPI_LIB_TYPE}
+  trace_all_syscalls.h
+)
+add_library(sandbox2::trace_all_syscalls ALIAS sandbox2_trace_all_syscalls)
+target_link_libraries(sandbox2_trace_all_syscalls PRIVATE
+  sapi::base
+)
+
 # sandboxed_api/sandbox2:allow_unrestricted_networking
 add_library(sandbox2_allow_unrestricted_networking ${SAPI_LIB_TYPE}
   allow_unrestricted_networking.h
@@ -994,6 +1003,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     sandbox2::comms
     sandbox2::regs
     sandbox2::sandbox2
+    sandbox2::trace_all_syscalls
     sapi::testing
     sapi::test_main
   )
diff --git a/sandboxed_api/sandbox2/notify_test.cc b/sandboxed_api/sandbox2/notify_test.cc
index ad77dc8..6942f50 100644
--- a/sandboxed_api/sandbox2/notify_test.cc
+++ b/sandboxed_api/sandbox2/notify_test.cc
@@ -33,6 +33,7 @@
 #include "sandboxed_api/sandbox2/policybuilder.h"
 #include "sandboxed_api/sandbox2/sandbox2.h"
 #include "sandboxed_api/sandbox2/syscall.h"
+#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
 #include "sandboxed_api/testing.h"
 
 namespace sandbox2 {
@@ -126,5 +127,21 @@ TEST(NotifyTest, PrintPidAndComms) {
   EXPECT_THAT(result.reason_code(), Eq(33));
 }
 
+// Test EventSyscallTrap on personality syscall through TraceAllSyscalls
+TEST(NotifyTest, TraceAllAllowPersonality) {
+  const std::string path = GetTestSourcePath("sandbox2/testcases/personality");
+  std::vector<std::string> args = {path};
+  auto policy = CreateDefaultPermissiveTestPolicy(path)
+                    .DefaultAction(TraceAllSyscalls())
+                    .BuildOrDie();
+  Sandbox2 s2(std::make_unique<Executor>(path, args),
+              NotifyTestcasePolicy(path),
+              std::make_unique<PersonalityNotify>(/*allow=*/true));
+  auto result = s2.Run();
+
+  ASSERT_THAT(result.final_status(), Eq(Result::OK));
+  EXPECT_THAT(result.reason_code(), Eq(22));
+}
+
 }  // namespace
 }  // namespace sandbox2
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index a76bb18..6fbda54 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -60,6 +60,7 @@
 #include "sandboxed_api/sandbox2/namespace.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/syscall.h"
+#include "sandboxed_api/sandbox2/trace_all_syscalls.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
 #include "sandboxed_api/sandbox2/violation.pb.h"
 #include "sandboxed_api/util/path.h"
@@ -1244,6 +1245,11 @@ PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
   return *this;
 }
 
+PolicyBuilder& PolicyBuilder::DefaultAction(TraceAllSyscalls) {
+  default_action_ = SANDBOX2_TRACE;
+  return *this;
+}
+
 absl::StatusOr<std::string> PolicyBuilder::ValidateAbsolutePath(
     absl::string_view path) {
   if (!file::IsAbsolutePath(path)) {
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 913c449..5485833 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -43,6 +43,7 @@ struct bpf_labels;
 namespace sandbox2 {
 
 class AllowAllSyscalls;
+class TraceAllSyscalls;
 class UnrestrictedNetworking;
 
 // PolicyBuilder is a helper class to simplify creation of policies. The builder
@@ -712,6 +713,12 @@ class PolicyBuilder final {
   // sandbox-team@ first if unsure.
   PolicyBuilder& DefaultAction(AllowAllSyscalls);
 
+  // Changes the default action to SANDBOX2_TRACE.
+  // All syscalls not handled explicitly by the policy will be passed off to
+  // the `sandbox2::Notify` implementation given to the `sandbox2::Sandbox2`
+  // instance.
+  PolicyBuilder& DefaultAction(TraceAllSyscalls);
+
   ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
   PolicyBuilder& DangerDefaultAllowAll();
 
diff --git a/sandboxed_api/sandbox2/trace_all_syscalls.h b/sandboxed_api/sandbox2/trace_all_syscalls.h
new file mode 100644
index 0000000..d387cc3
--- /dev/null
+++ b/sandboxed_api/sandbox2/trace_all_syscalls.h
@@ -0,0 +1,27 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_
+#define SANDBOXED_API_SANDBOX2_TRACE_ALL_SYSCALLS_H_
+
+namespace sandbox2 {
+
+class TraceAllSyscalls {
+ public:
+  explicit TraceAllSyscalls() = default;
+};
+
+}  // namespace sandbox2
+
+#endif  // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
-- 
cgit v1.2.3