sandboxed_api/sandbox2/violation.proto - platform/external/sandboxed-api - Git at Google

 // Copyright 2019 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     https://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 syntax = "proto3";

 package sandbox2;

 import "sandboxed_api/sandbox2/mount_tree.proto";

 enum PBViolationType {
   VIOLATION_TYPE_UNSPECIFIED = 0;
   DISALLOWED_SYSCALL = 1;
   RESOURCE_LIMIT_EXCEEDED = 2;
   SYSCALL_ARCHITECTURE_MISMATCH = 3;
 }

 message RegisterX8664 {
   uint64 r15 = 1;
   uint64 r14 = 2;
   uint64 r13 = 3;
   uint64 r12 = 4;
   uint64 rbp = 5;
   uint64 rbx = 6;
   uint64 r11 = 7;
   uint64 r10 = 8;
   uint64 r9 = 9;
   uint64 r8 = 10;
   uint64 rax = 11;
   uint64 rcx = 12;
   uint64 rdx = 13;
   uint64 rsi = 14;
   uint64 rdi = 15;
   uint64 orig_rax = 16;
   uint64 rip = 17;
   uint64 cs = 18;
   uint64 eflags = 19;
   uint64 rsp = 20;
   uint64 ss = 21;
   uint64 fs_base = 22;
   uint64 gs_base = 23;
   uint64 ds = 24;
   uint64 es = 25;
   uint64 fs = 26;
   uint64 gs = 27;
 }

 message RegisterPowerpc64 {
   repeated uint64 gpr = 1;
   uint64 nip = 2;
   uint64 msr = 3;
   uint64 orig_gpr3 = 4;
   uint64 ctr = 5;
   uint64 link = 6;
   uint64 xer = 7;
   uint64 ccr = 8;
   uint64 softe = 9;
   uint64 trap = 10;
   uint64 dar = 11;
   uint64 dsisr = 12;
   uint64 result = 13;

   uint64 zero0 = 14;
   uint64 zero1 = 15;
   uint64 zero2 = 16;
   uint64 zero3 = 17;
 }

 message RegisterAarch64 {
   repeated uint64 regs = 1;
   uint64 sp = 2;
   uint64 pc = 3;
   uint64 pstate = 4;
 }

 message RegisterArm {
   repeated uint32 regs = 1;
   uint32 pc = 2;
   uint32 cpsr = 3;
   uint32 orig_x0 = 4;
 }

 message RegisterValues {
   // Architecture architecture = 1;
   oneof register_values {
     RegisterX8664 register_x86_64 = 2;
     RegisterPowerpc64 register_powerpc64 = 3;
     RegisterAarch64 register_aarch64 = 4;
     RegisterArm register_arm = 5;
   }
 }

 message SyscallDescription {
   int32 syscall = 1;
   // Should we have a second one with the raw value?
   // This would be redundant (We dump all registers) + should not be as useful
   // for debugging as the decoded values.
   repeated string argument = 2;
   // Store the architecture of the desired syscall in here as well? Might be
   // useful when the violation type was a change in syscall architecture.
 }

 message PolicyBuilderDescription {
   repeated int32 handled_syscalls = 1;
   repeated string bind_mounts = 2;
   string built_at_sloc = 3;
 }

 message NamespaceDescription {
   int32 clone_flags = 1;
   // Do we want to have the mount tree in here?
   MountTree mount_tree_mounts = 2;
 }

 message PolicyDescription {
   bytes user_bpf_policy = 1;
   reserved 2 to 5;
   // This requires additional fields. (e.g. allowed syscall numbers)
   PolicyBuilderDescription policy_builder_description = 6;

   // namespace
   NamespaceDescription namespace_description = 7;

   repeated int32 capabilities = 8;
 }

 message Violation {
   string legacy_fatal_message = 1;
   PBViolationType violation_type = 2;
   int32 pid = 3;
   string prog_name = 4;
   PolicyDescription policy = 5;
   string stack_trace = 6;
   SyscallDescription syscall_information = 7;
   RegisterValues register_values = 8;
   reserved 9;
   string proc_maps = 10;
   // Contains the received signal that caused the death if applicable.
   int32 signal = 11;
 }
	// Copyright 2019 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// https://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	syntax = "proto3";

	package sandbox2;

	import "sandboxed_api/sandbox2/mount_tree.proto";

	enum PBViolationType {
	VIOLATION_TYPE_UNSPECIFIED = 0;
	DISALLOWED_SYSCALL = 1;
	RESOURCE_LIMIT_EXCEEDED = 2;
	SYSCALL_ARCHITECTURE_MISMATCH = 3;
	}

	message RegisterX8664 {
	uint64 r15 = 1;
	uint64 r14 = 2;
	uint64 r13 = 3;
	uint64 r12 = 4;
	uint64 rbp = 5;
	uint64 rbx = 6;
	uint64 r11 = 7;
	uint64 r10 = 8;
	uint64 r9 = 9;
	uint64 r8 = 10;
	uint64 rax = 11;
	uint64 rcx = 12;
	uint64 rdx = 13;
	uint64 rsi = 14;
	uint64 rdi = 15;
	uint64 orig_rax = 16;
	uint64 rip = 17;
	uint64 cs = 18;
	uint64 eflags = 19;
	uint64 rsp = 20;
	uint64 ss = 21;
	uint64 fs_base = 22;
	uint64 gs_base = 23;
	uint64 ds = 24;
	uint64 es = 25;
	uint64 fs = 26;
	uint64 gs = 27;
	}

	message RegisterPowerpc64 {
	repeated uint64 gpr = 1;
	uint64 nip = 2;
	uint64 msr = 3;
	uint64 orig_gpr3 = 4;
	uint64 ctr = 5;
	uint64 link = 6;
	uint64 xer = 7;
	uint64 ccr = 8;
	uint64 softe = 9;
	uint64 trap = 10;
	uint64 dar = 11;
	uint64 dsisr = 12;
	uint64 result = 13;

	uint64 zero0 = 14;
	uint64 zero1 = 15;
	uint64 zero2 = 16;
	uint64 zero3 = 17;
	}

	message RegisterAarch64 {
	repeated uint64 regs = 1;
	uint64 sp = 2;
	uint64 pc = 3;
	uint64 pstate = 4;
	}

	message RegisterArm {
	repeated uint32 regs = 1;
	uint32 pc = 2;
	uint32 cpsr = 3;
	uint32 orig_x0 = 4;
	}

	message RegisterValues {
	// Architecture architecture = 1;
	oneof register_values {
	RegisterX8664 register_x86_64 = 2;
	RegisterPowerpc64 register_powerpc64 = 3;
	RegisterAarch64 register_aarch64 = 4;
	RegisterArm register_arm = 5;
	}
	}

	message SyscallDescription {
	int32 syscall = 1;
	// Should we have a second one with the raw value?
	// This would be redundant (We dump all registers) + should not be as useful
	// for debugging as the decoded values.
	repeated string argument = 2;
	// Store the architecture of the desired syscall in here as well? Might be
	// useful when the violation type was a change in syscall architecture.
	}

	message PolicyBuilderDescription {
	repeated int32 handled_syscalls = 1;
	repeated string bind_mounts = 2;
	string built_at_sloc = 3;
	}

	message NamespaceDescription {
	int32 clone_flags = 1;
	// Do we want to have the mount tree in here?
	MountTree mount_tree_mounts = 2;
	}

	message PolicyDescription {
	bytes user_bpf_policy = 1;
	reserved 2 to 5;
	// This requires additional fields. (e.g. allowed syscall numbers)
	PolicyBuilderDescription policy_builder_description = 6;

	// namespace
	NamespaceDescription namespace_description = 7;

	repeated int32 capabilities = 8;
	}

	message Violation {
	string legacy_fatal_message = 1;
	PBViolationType violation_type = 2;
	int32 pid = 3;
	string prog_name = 4;
	PolicyDescription policy = 5;
	string stack_trace = 6;
	SyscallDescription syscall_information = 7;
	RegisterValues register_values = 8;
	reserved 9;
	string proc_maps = 10;
	// Contains the received signal that caused the death if applicable.
	int32 signal = 11;
	}