ObjFW  Diff

Differences From Artifact [e483b091af]:

To Artifact [6889cf69c3]:


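--- a/OFSandbox.h
+++ b/OFSandbox.h
@@ -15,31 +15,20 @@
  * file.
  */
 
 #import "OFObject.h"
 
 OF_ASSUME_NONNULL_BEGIN
 
-/** @file */
-
 @class OFArray OF_GENERIC(ObjectType);
 @class OFMutableArray OF_GENERIC(ObjectType);
 @class OFPair OF_GENERIC(FirstType, SecondType);
 
-/**
- * @brief An @ref OFPair for a path to unveil, with the first string being the
- *	  path and the second the permissions.
- */
 typedef OFPair OF_GENERIC(OFString *, OFString *) *of_sandbox_unveil_path_t;
 
-/**
- * @class OFSandbox OFSandbox.h ObjFW/OFSandbox.h
- *
- * @brief A class which describes a sandbox for the application.
- */
 @interface OFSandbox: OFObject <OFCopying>
 {
 	unsigned int _allowsStdIO: 1;
 	unsigned int _allowsReadingFiles: 1;
 	unsigned int _allowsWritingFiles: 1;
 	unsigned int _allowsCreatingFiles: 1;
 	unsigned int _allowsCreatingSpecialFiles: 1;
@@ -70,200 +59,49 @@
 	unsigned int _returnsErrors: 1;
 	OFMutableArray OF_GENERIC(of_sandbox_unveil_path_t) *_unveiledPaths;
 @public
 	size_t _unveiledPathsIndex;
 	OF_RESERVE_IVARS(OFSandbox, 4)
 }
 
-/**
- * @brief Allows IO operations on previously allocated file descriptors.
- */
 @property (nonatomic) bool allowsStdIO;
-
-/**
- * @brief Allows read access to the file system.
- */
 @property (nonatomic) bool allowsReadingFiles;
-
-/**
- * @brief Allows write access to the file system.
- */
 @property (nonatomic) bool allowsWritingFiles;
-
-/**
- * @brief Allows creating files in the file system.
- */
 @property (nonatomic) bool allowsCreatingFiles;
-
-/**
- * @brief Allows creating special files in the file system.
- */
 @property (nonatomic) bool allowsCreatingSpecialFiles;
-
-/**
- * @brief Allows creating, reading and writing temporary files in `/tmp`.
- */
 @property (nonatomic) bool allowsTemporaryFiles;
-
-/**
- * @brief Allows using IP sockets.
- */
 @property (nonatomic) bool allowsIPSockets;
-
-/**
- * @brief Allows multicast sockets.
- */
 @property (nonatomic) bool allowsMulticastSockets;
-
-/**
- * @brief Allows explicit changes to file attributes.
- */
 @property (nonatomic) bool allowsChangingFileAttributes;
-
-/**
- * @brief Allows changing ownership of files.
- */
 @property (nonatomic) bool allowsFileOwnerChanges;
-
-/**
- * @brief Allows file locks.
- */
 @property (nonatomic) bool allowsFileLocks;
-
-/**
- * @brief Allows UNIX sockets.
- */
 @property (nonatomic) bool allowsUNIXSockets;
-
-/**
- * @brief Allows syscalls necessary for DNS lookups.
- */
 @property (nonatomic) bool allowsDNS;
-
-/**
- * @brief Allows to look up users and groups.
- */
 @property (nonatomic) bool allowsUserDatabaseReading;
-
-/**
- * @brief Allows sending file descriptors via sendmsg().
- */
 @property (nonatomic) bool allowsFileDescriptorSending;
-
-/**
- * @brief Allows receiving file descriptors via recvmsg().
- */
 @property (nonatomic) bool allowsFileDescriptorReceiving;
-
-/**
- * @brief Allows MTIOCGET and MTIOCTOP operations on tape devices.
- */
 @property (nonatomic) bool allowsTape;
-
-/**
- * @brief Allows read-write operations and ioctls on the TTY.
- */
 @property (nonatomic) bool allowsTTY;
-
-/**
- * @brief Allows various process relationshop operations.
- */
 @property (nonatomic) bool allowsProcessOperations;
-
-/**
- * @brief Allows execve().
- */
 @property (nonatomic) bool allowsExec;
-
-/**
- * @brief Allows PROT_EXEC for `mmap()` and `mprotect()`.
- */
 @property (nonatomic) bool allowsProtExec;
-
-/**
- * @brief Allows `settime()`.
- */
 @property (nonatomic) bool allowsSetTime;
-
-/**
- * @brief Allows introspection of processes on the system.
- */
 @property (nonatomic) bool allowsPS;
-
-/**
- * @brief Allows introspection of the system's virtual memory.
- */
 @property (nonatomic) bool allowsVMInfo;
-
-/**
- * @brief Allows changing the rights of process, for example the UID.
- */
 @property (nonatomic) bool allowsChangingProcessRights;
-
-/**
- * @brief Allows certain ioctls on the PF device.
- */
 @property (nonatomic) bool allowsPF;
-
-/**
- * @brief Allows certain ioctls on audio devices.
- */
 @property (nonatomic) bool allowsAudio;
-
-/**
- * @brief Allows BIOCGSTATS to collect statistics from a BPF device.
- */
 @property (nonatomic) bool allowsBPF;
-
-/**
- * @brief Allows unveiling more paths.
- */
 @property (nonatomic) bool allowsUnveil;
-
-/**
- * @brief Returns errors instead of killing the process.
- */
 @property (nonatomic) bool returnsErrors;
-
 #ifdef OF_HAVE_PLEDGE
-/**
- * The string for OpenBSD's pledge() call.
- *
- * @warning Only available on systems with the pledge() call!
- */
 @property (readonly, nonatomic) OFString *pledgeString;
 #endif
-
-/**
- * @brief A list of unveiled paths.
- */
 @property (readonly, nonatomic)
     OFArray OF_GENERIC(of_sandbox_unveil_path_t) *unveiledPaths;
 
-/**
- * @brief Create a new, autorelease OFSandbox.
- */
 + (instancetype)sandbox;
-
-/**
- * @brief "Unveils" the specified path, meaning that it becomes visible from
- *	  the sandbox with the specified permissions.
- *
- * @param path The path to unveil
- * @param permissions The permissions for the path. The following permissions
- *		      can be combined:
- *		      Permission | Description
- *		      -----------|--------------------
- *		      r          | Make the path available for reading, like
- *		                 | @ref allowsReadingFiles
- *		      w          | Make the path available for writing, like
- *		                 | @ref allowsWritingFiles
- *		      x          | Make the path available for executing, like
- *		                 | @ref allowsExec
- *		      c          | Make the path available for creation and
- *		                 | deletion, like @ref allowsCreatingFiles
- */
 - (void)unveilPath: (OFString *)path
        permissions: (OFString *)permissions;
 @end
 
 OF_ASSUME_NONNULL_END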