Diffstat (limited to 'sandboxed_api/sandbox2/policybuilder.h')
-rw-r--r-- | sandboxed_api/sandbox2/policybuilder.h | 52 |
1 files changed, 32 insertions, 20 deletions
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index c832d00..5485833 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -43,6 +43,7 @@ struct bpf_labels;
 namespace sandbox2 {
 class AllowAllSyscalls;
+class TraceAllSyscalls;
 class UnrestrictedNetworking;
 // PolicyBuilder is a helper class to simplify creation of policies. The builder
@@ -245,20 +246,25 @@ class PolicyBuilder final {
 // Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall
 // on architectures where this syscalls exist.
+ // Prefer using AllowMmapWithoutExec as allowing mapping executable pages
+ // makes exploitation easier.
 PolicyBuilder& AllowMmap();
+ // Appends code to allow mmap calls that don't specify PROT_EXEC.
+ PolicyBuilder& AllowMmapWithoutExec();
+
 // Appends code to allow calling futex with the given operation.
 PolicyBuilder& AllowFutexOp(int op);
 // Appends code to allow opening and possibly creating files or directories.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - creat
 // - open
 // - openat
 PolicyBuilder& AllowOpen();
 // Appends code to allow calling stat, fstat and lstat.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - fstat
 // - fstat64
 // - fstatat
@@ -313,7 +319,7 @@ class PolicyBuilder final {
 PolicyBuilder& AllowChown();
 // Appends code to the policy to allow reading from file descriptors.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - read
 // - readv
 // - preadv
@@ -321,7 +327,7 @@ class PolicyBuilder final {
 PolicyBuilder& AllowRead();
 // Appends code to the policy to allow writing to file descriptors.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - write
 // - writev
 // - pwritev
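Review bot: The new `AllowMmapWithoutExec()` comment in the `@@ -245,20` hunk should say that rejecting PROT_EXEC at mmap time only holds if the policy does not also permit `mprotect` (or a later `mmap` over the same range) with PROT_EXEC, since a sandboxee can otherwise map the pages RW and flip them to executable afterwards; I'd extend it to `// Appends code to allow mmap calls that don't specify PROT_EXEC. This only` `// helps if the policy does not also allow mprotect/mmap with PROT_EXEC.` The comment should also state whether `mmap2` is covered the way the `AllowMmap()` doc does, so callers switching between the two know whether 32-bit coverage is kept. The added guidance on `AllowMmap()` could name the risk concretely, e.g. `// Prefer AllowMmapWithoutExec(): PROT_EXEC mappings let a compromised` `// sandboxee load new executable code.`, and the context line above it still reads "this syscalls exist" (should be "these syscalls exist"). The enclosing `PolicyBuilder` class starts and ends outside this hunk.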
@@ -329,37 +335,37 @@ class PolicyBuilder final {
 PolicyBuilder& AllowWrite();
 // Appends code to allow reading directories.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - getdents
 // - getdents64
 PolicyBuilder& AllowReaddir();
 // Appends code to allow reading symbolic links.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - readlink
 // - readlinkat
 PolicyBuilder& AllowReadlink();
 // Appends code to allow creating links.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - link
 // - linkat
 PolicyBuilder& AllowLink();
 // Appends code to allow creating symbolic links.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - symlink
 // - symlinkat
 PolicyBuilder& AllowSymlink();
 // Appends code to allow creating directories.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - mkdir
 // - mkdirat
 PolicyBuilder& AllowMkdir();
 // Appends code to allow changing file timestamps.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - futimens
 // - utime
 // - utimensat
@@ -367,7 +373,7 @@ class PolicyBuilder final {
 PolicyBuilder& AllowUtime();
 // Appends code to allow safe calls to fcntl.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - fcntl
 // - fcntl64 (on architectures where it exists)
 //
@@ -377,7 +383,7 @@ class PolicyBuilder final {
 PolicyBuilder& AllowSafeFcntl();
 // Appends code to allow creating new processes.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - fork
 // - vfork
 // - clone
@@ -388,19 +394,19 @@ class PolicyBuilder final {
 PolicyBuilder& AllowFork();
 // Appends code to allow waiting for processes.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - waitpid (on architectures where it exists)
 // - wait4
 PolicyBuilder& AllowWait();
 // Appends code to allow setting alarms / interval timers.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - alarm (on architectures where it exists)
 // - setitimer
 PolicyBuilder& AllowAlarm();
 // Appends code to allow setting up signal handlers, returning from them, etc.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - rt_sigaction
 // - rt_sigreturn
 // - rt_procmask
@@ -411,12 +417,12 @@ class PolicyBuilder final {
 PolicyBuilder& AllowHandleSignals();
 // Appends code to allow doing the TCGETS ioctl.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - ioctl (when the first argument is TCGETS)
 PolicyBuilder& AllowTCGETS();
 // Appends code to allow to getting the current time.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - time
 // - gettimeofday
 // - clock_gettime
@@ -450,19 +456,19 @@ class PolicyBuilder final {
 PolicyBuilder& AllowGetPGIDs();
 // Appends code to allow getting the rlimits.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - getrlimit
 // - ugetrlimit (on architectures where it exist)
 PolicyBuilder& AllowGetRlimit();
 // Appends code to allow setting the rlimits.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - setrlimit
 // - usetrlimit (on architectures where it exist)
 PolicyBuilder& AllowSetRlimit();
 // Appends code to allow reading random bytes.
- // Allows these sycalls:
+ // Allows these syscalls:
 // - getrandom (with no flags or GRND_NONBLOCK)
 //
 PolicyBuilder& AllowGetRandom();
@@ -707,6 +713,12 @@ class PolicyBuilder final {
 // sandbox-team@ first if unsure.
 PolicyBuilder& DefaultAction(AllowAllSyscalls);
+ // Changes the default action to SANDBOX2_TRACE.
+ // All syscalls not handled explicitly by the policy will be passed off to
+ // the `sandbox2::Notify` implementation given to the `sandbox2::Sandbox2`
+ // instance.
+ PolicyBuilder& DefaultAction(TraceAllSyscalls);
+
 ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
 PolicyBuilder& DangerDefaultAllowAll();
 |
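Review bot: The comment on the new `DefaultAction(TraceAllSyscalls)` overload should say that the `Notify` implementation thereby becomes part of the security boundary, and what happens when the `Sandbox2` instance was given no custom `Notify` (whether an unmatched syscall is then denied or allowed) — "passed off to Notify" alone can be read as fail-open, and this header does not say which it is. I'd add `// The Notify implementation is then part of the policy: it must deny every` `// syscall it does not explicitly recognize, otherwise the sandbox is weaker` `// than a deny-by-default policy.`, adjusting the last clause to whatever the default Notify actually does. Since the neighbouring `DefaultAction(AllowAllSyscalls)` doc carries a "contact sandbox-team@ first" caution, a similar caution here seems warranted, including a note that any argument inspection the tracer does on sandboxee memory is racy (the sandboxee can rewrite pointed-to data after the check) and decisions should rest on register-passed values only. The enclosing `PolicyBuilder` class starts and ends outside this hunk.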