1 /*
2 * Copyright (C) 2024 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include "host/commands/process_sandboxer/policies.h"
17
18 #include <sys/mman.h>
19 #include <sys/prctl.h>
20 #include <sys/syscall.h>
21 #include <sys/un.h>
22
23 #include <absl/log/log.h>
24
25 #include <sandboxed_api/sandbox2/policybuilder.h>
26 #include <sandboxed_api/sandbox2/util/bpf_helper.h>
27
28 namespace cuttlefish::process_sandboxer {
29
/// @brief Builds the Sandbox2 policy for the `cvd_internal_start` host tool.
///
/// The policy starts from BaselinePolicy() for the `cvd_internal_start`
/// executable and then adds the instance directories, /dev/null, and a narrow
/// syscall allowlist.
///
/// `sandboxer_proxy` is mapped at the paths of `assemble_cvd` and `run_cvd`
/// (Sandbox2's AddFileAt takes the outside path first, then the path inside
/// the sandbox). An execve() of either tool path inside this sandbox therefore
/// runs the proxy binary rather than the real tool.
/// NOTE(review): presumably the proxy then asks the sandboxer over a unix
/// socket to start the real tool under its own policy; confirm against
/// sandboxer_proxy.
///
/// @param host Host description supplying tool paths and instance directories.
/// @return The policy builder; the caller is expected to finish building it.
sandbox2::PolicyBuilder CvdInternalStartPolicy(const HostInfo& host) {
  const std::string proxy_exe = host.HostToolExe("sandboxer_proxy");
  const std::string start_exe = host.HostToolExe("cvd_internal_start");
  const std::string assemble_exe = host.HostToolExe("assemble_cvd");
  const std::string run_exe = host.HostToolExe("run_cvd");

  sandbox2::PolicyBuilder builder = BaselinePolicy(host, start_exe);

  // Filesystem view. No is_ro argument is passed, so Sandbox2's default
  // applies to every mapping below.
  // NOTE(review): the default is read-only as far as I know; confirm that
  // cvd_internal_start never needs to write to these directories.
  builder.AddDirectory(host.assembly_dir)
      .AddDirectory(host.runtime_dir)
      .AddFile("/dev/null")
      .AddFileAt(proxy_exe, assemble_exe)
      .AddFileAt(proxy_exe, run_exe);

  // Argument-filtered syscalls: each rule loads one argument and allows the
  // call only when it equals the listed constant. Any other value falls
  // through to the rest of the policy.
  builder
      .AddPolicyOnSyscall(__NR_madvise,
                          {ARG_32(2), JEQ32(MADV_DONTNEED, ALLOW)})
      .AddPolicyOnSyscall(__NR_prctl,
                          {ARG_32(0), JEQ32(PR_SET_PDEATHSIG, ALLOW)});

  // Process management needed to fork and exec the child tools.
  // execve has no argument filter, so what can be executed is bounded only by
  // the files visible inside the sandbox.
  // NOTE(review): that assumes BaselinePolicy restricts the filesystem view;
  // it is not visible from this file.
  builder.AllowDup()
      .AllowPipe()
      .AllowFork()
      .AllowSafeFcntl()
      .AllowSyscall(__NR_execve)
      .AllowSyscall(__NR_getcwd)
      .AllowSyscall(__NR_fchdir)
      .AllowWait();

  // sandboxer_proxy
  // Only the socket() domain (argument 0) is checked. connect, recvmsg and
  // sendmsg are allowed without argument filters, so the restriction to unix
  // sockets rests on the socket() rule plus whichever descriptors the process
  // inherits.
  builder.AddPolicyOnSyscall(__NR_socket, {ARG_32(0), JEQ32(AF_UNIX, ALLOW)})
      .AllowSyscall(__NR_connect)
      .AllowSyscall(__NR_recvmsg)
      .AllowSyscall(__NR_sendmsg);

  return builder;
}
56
57 } // namespace cuttlefish::process_sandboxer