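// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef SANDBOX_H_
#define SANDBOX_H_

#include <linux/futex.h>
#include <sys/mman.h>  // For mmap arguments
#include <syscall.h>

#include <cstdlib>
#include <memory>  // std::unique_ptr in the ModifyPolicy() signature (was only reached transitively)

#include "curl_sapi.sapi.h"  // NOLINT(build/include)
#include "sandboxed_api/sandbox2/util/bpf_helper.h"

namespace curl {

// Sandbox wrapper for the curl SAPI library.
//
// Replaces the generated CurlSandbox policy with an explicit allow-list of
// the syscalls the sandboxed curl needs: process start-up/exit, private
// futexes, non-executable mmap, file access, and sockets. Anything not
// allowed here falls under the sandbox's default action for unlisted
// syscalls (sandbox2 semantics; not visible in this file).
class CurlSapiSandbox : public curl::CurlSandbox {
 protected:
  // Builds the seccomp policy for the sandboxee.
  //
  // The PolicyBuilder handed in by the framework is intentionally ignored: a
  // fresh sandbox2::PolicyBuilder is constructed and returned, so no rules the
  // caller may have pre-populated on its builder carry over.
  //
  // NOTE(review): the futex rules are argument-filtered (private variants
  // only), but ioctl, madvise, rt_sigaction, sysinfo and the socket calls are
  // allowed without argument filters, and AllowOpen() plus
  // AllowUnrestrictedNetworking() are deliberately broad. Confirm this is the
  // intended exposure for the deployment before reusing the policy elsewhere.
  std::unique_ptr<sandbox2::Policy> ModifyPolicy(
      sandbox2::PolicyBuilder* /*builder*/) override {
    // Return a new policy. Rule order is kept as originally written.
    return sandbox2::PolicyBuilder()
        // Process lifecycle.
        .AllowDynamicStartup()
        .AllowExit()
        .AllowFork()
        // Futexes, restricted to the *_PRIVATE operations.
        .AllowFutexOp(FUTEX_WAIT_PRIVATE)
        .AllowFutexOp(FUTEX_WAKE_PRIVATE)
        .AllowFutexOp(FUTEX_REQUEUE_PRIVATE)
        // Memory: mappings without PROT_EXEC.
        .AllowMmapWithoutExec()
        // Files.
        .AllowOpen()
        .AllowSafeFcntl()
        .AllowWrite()
        .AllowAccess()
        // Sockets and miscellaneous syscalls, unfiltered.
        .AllowSyscall(__NR_accept)
        .AllowSyscall(__NR_bind)
        .AllowSyscall(__NR_connect)
        .AllowSyscall(__NR_getpeername)
        .AllowSyscall(__NR_getsockname)
        .AllowSyscall(__NR_getsockopt)
        .AllowSyscall(__NR_ioctl)
        .AllowSyscall(__NR_listen)
        .AllowSyscall(__NR_madvise)
        .AllowPoll()
        .AllowSyscall(__NR_recvfrom)
        .AllowSyscall(__NR_recvmsg)
        .AllowSyscall(__NR_rt_sigaction)
        .AllowSyscall(__NR_sendmmsg)
        .AllowSyscall(__NR_sendto)
        .AllowSyscall(__NR_setsockopt)
        .AllowSyscall(__NR_socket)
        .AllowSyscall(__NR_sysinfo)
        // Filesystem view and network namespace.
        .AddDirectory("/lib")
        .AllowUnrestrictedNetworking()
        .BuildOrDie();
  }
};

}  // namespace curl

#endif  // SANDBOX_H_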