routing/
policy.rs

1// Copyright 2020 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5use crate::capability_source::{
6    AnonymizedAggregateSource, BuiltinSource, CapabilitySource, CapabilityToCapabilitySource,
7    ComponentSource, EnvironmentSource, FilteredAggregateProviderSource, FilteredProviderSource,
8    FrameworkSource, NamespaceSource, VoidSource,
9};
10use cm_config::{
11    AllowlistEntry, AllowlistMatcher, CapabilityAllowlistKey, CapabilityAllowlistSource,
12    DebugCapabilityKey, SecurityPolicy,
13};
14use log::{error, warn};
15use moniker::{ExtendedMoniker, Moniker};
16use std::sync::Arc;
17use thiserror::Error;
18use zx_status as zx;
19
20use cm_rust::CapabilityTypeName;
21#[cfg(feature = "serde")]
22use serde::{Deserialize, Serialize};
23
24/// Errors returned by the PolicyChecker and the ScopedPolicyChecker.
25#[cfg_attr(feature = "serde", derive(Deserialize, Serialize), serde(rename_all = "snake_case"))]
26#[derive(Debug, Clone, Error, PartialEq)]
27pub enum PolicyError {
28    #[error("security policy disallows \"{policy}\" job policy for \"{moniker}\"")]
29    JobPolicyDisallowed { policy: String, moniker: Moniker },
30
31    #[error("security policy disallows \"{policy}\" child policy for \"{moniker}\"")]
32    ChildPolicyDisallowed { policy: String, moniker: Moniker },
33
34    #[error("security policy was unable to extract the source from the routed capability at component \"{moniker}\"")]
35    InvalidCapabilitySource { moniker: ExtendedMoniker },
36
37    #[error("security policy disallows \"{cap}\" from \"{source_moniker}\" being used at \"{target_moniker}\"")]
38    CapabilityUseDisallowed {
39        cap: String,
40        source_moniker: ExtendedMoniker,
41        target_moniker: Moniker,
42    },
43
44    #[error(
45        "debug security policy disallows \"{cap}\" from being registered in \
46        environment \"{env_name}\" at \"{env_moniker}\""
47    )]
48    DebugCapabilityUseDisallowed { cap: String, env_moniker: Moniker, env_name: String },
49}
50
51impl PolicyError {
52    /// Convert this error into its approximate `zx::Status` equivalent.
53    pub fn as_zx_status(&self) -> zx::Status {
54        zx::Status::ACCESS_DENIED
55    }
56}
57
58impl From<PolicyError> for ExtendedMoniker {
59    fn from(err: PolicyError) -> ExtendedMoniker {
60        match err {
61            PolicyError::ChildPolicyDisallowed { moniker, .. }
62            | PolicyError::DebugCapabilityUseDisallowed { env_moniker: moniker, .. }
63            | PolicyError::JobPolicyDisallowed { moniker, .. } => moniker.into(),
64
65            PolicyError::CapabilityUseDisallowed { source_moniker: moniker, .. }
66            | PolicyError::InvalidCapabilitySource { moniker } => moniker,
67        }
68    }
69}
70
71/// Evaluates security policy globally across the entire Model and all components.
72/// This is used to enforce runtime capability routing restrictions across all
73/// components to prevent high privilleged capabilities from being routed to
74/// components outside of the list defined in the runtime security policy.
75#[derive(Clone, Debug, Default)]
76pub struct GlobalPolicyChecker {
77    /// The security policy to apply.
78    policy: Arc<SecurityPolicy>,
79}
80
81impl GlobalPolicyChecker {
82    /// Constructs a new PolicyChecker object configured by the SecurityPolicy.
83    pub fn new(policy: Arc<SecurityPolicy>) -> Self {
84        Self { policy }
85    }
86
87    fn get_policy_key(
88        capability_source: &CapabilitySource,
89    ) -> Result<CapabilityAllowlistKey, PolicyError> {
90        Ok(match &capability_source {
91            CapabilitySource::Namespace(NamespaceSource { capability, .. }) => {
92                CapabilityAllowlistKey {
93                    source_moniker: ExtendedMoniker::ComponentManager,
94                    source_name: capability
95                        .source_name()
96                        .ok_or(PolicyError::InvalidCapabilitySource {
97                            moniker: capability_source.source_moniker(),
98                        })?
99                        .clone(),
100                    source: CapabilityAllowlistSource::Self_,
101                    capability: capability.type_name(),
102                }
103            }
104            CapabilitySource::Component(ComponentSource { capability, moniker }) => {
105                CapabilityAllowlistKey {
106                    source_moniker: ExtendedMoniker::ComponentInstance(moniker.clone()),
107                    source_name: capability
108                        .source_name()
109                        .ok_or(PolicyError::InvalidCapabilitySource {
110                            moniker: capability_source.source_moniker(),
111                        })?
112                        .clone(),
113                    source: CapabilityAllowlistSource::Self_,
114                    capability: capability.type_name(),
115                }
116            }
117            CapabilitySource::Builtin(BuiltinSource { capability, .. }) => CapabilityAllowlistKey {
118                source_moniker: ExtendedMoniker::ComponentManager,
119                source_name: capability.source_name().clone(),
120                source: CapabilityAllowlistSource::Self_,
121                capability: capability.type_name(),
122            },
123            CapabilitySource::Framework(FrameworkSource { capability, moniker }) => {
124                CapabilityAllowlistKey {
125                    source_moniker: ExtendedMoniker::ComponentInstance(moniker.clone()),
126                    source_name: capability.source_name().clone(),
127                    source: CapabilityAllowlistSource::Framework,
128                    capability: capability.type_name(),
129                }
130            }
131            CapabilitySource::Void(VoidSource { capability, moniker }) => CapabilityAllowlistKey {
132                source_moniker: ExtendedMoniker::ComponentInstance(moniker.clone()),
133                source_name: capability.source_name().clone(),
134                source: CapabilityAllowlistSource::Void,
135                capability: capability.type_name(),
136            },
137            CapabilitySource::Capability(CapabilityToCapabilitySource {
138                source_capability,
139                moniker,
140            }) => CapabilityAllowlistKey {
141                source_moniker: ExtendedMoniker::ComponentInstance(moniker.clone()),
142                source_name: source_capability
143                    .source_name()
144                    .ok_or(PolicyError::InvalidCapabilitySource {
145                        moniker: capability_source.source_moniker(),
146                    })?
147                    .clone(),
148                source: CapabilityAllowlistSource::Capability,
149                capability: source_capability.type_name(),
150            },
151            CapabilitySource::AnonymizedAggregate(AnonymizedAggregateSource {
152                capability,
153                moniker,
154                ..
155            })
156            | CapabilitySource::FilteredProvider(FilteredProviderSource {
157                capability,
158                moniker,
159                ..
160            })
161            | CapabilitySource::FilteredAggregateProvider(FilteredAggregateProviderSource {
162                capability,
163                moniker,
164                ..
165            }) => CapabilityAllowlistKey {
166                source_moniker: ExtendedMoniker::ComponentInstance(moniker.clone()),
167                source_name: capability.source_name().clone(),
168                source: CapabilityAllowlistSource::Self_,
169                capability: capability.type_name(),
170            },
171            CapabilitySource::Environment(EnvironmentSource { capability, .. }) => {
172                CapabilityAllowlistKey {
173                    source_moniker: ExtendedMoniker::ComponentManager,
174                    source_name: capability
175                        .source_name()
176                        .ok_or(PolicyError::InvalidCapabilitySource {
177                            moniker: capability_source.source_moniker(),
178                        })?
179                        .clone(),
180                    source: CapabilityAllowlistSource::Environment,
181                    capability: capability.type_name(),
182                }
183            }
184        })
185    }
186
187    /// Returns Ok(()) if the provided capability source can be routed to the
188    /// given target_moniker, else a descriptive PolicyError.
189    pub fn can_route_capability<'a>(
190        &self,
191        capability_source: &'a CapabilitySource,
192        target_moniker: &'a Moniker,
193    ) -> Result<(), PolicyError> {
194        let policy_key = Self::get_policy_key(capability_source).map_err(|e| {
195            error!("Security policy could not generate a policy key for `{}`", capability_source);
196            e
197        })?;
198
199        match self.policy.capability_policy.get(&policy_key) {
200            Some(entries) => {
201                let parts = target_moniker
202                    .path()
203                    .clone()
204                    .into_iter()
205                    .map(|c| AllowlistMatcher::Exact(c))
206                    .collect();
207                let entry = AllowlistEntry { matchers: parts };
208
209                // Use the HashSet to find any exact matches quickly.
210                if entries.contains(&entry) {
211                    return Ok(());
212                }
213
214                // Otherwise linear search for any non-exact matches.
215                if entries.iter().any(|entry| entry.matches(&target_moniker)) {
216                    Ok(())
217                } else {
218                    warn!(
219                        "Security policy prevented `{}` from `{}` being routed to `{}`.",
220                        policy_key.source_name, policy_key.source_moniker, target_moniker
221                    );
222                    Err(PolicyError::CapabilityUseDisallowed {
223                        cap: policy_key.source_name.to_string(),
224                        source_moniker: policy_key.source_moniker.to_owned(),
225                        target_moniker: target_moniker.to_owned(),
226                    })
227                }
228            }
229            None => Ok(()),
230        }
231    }
232
233    /// Returns Ok(()) if the provided debug capability source is allowed to be routed from given
234    /// environment.
235    pub fn can_register_debug_capability<'a>(
236        &self,
237        capability_type: CapabilityTypeName,
238        name: &'a cm_types::Name,
239        env_moniker: &'a Moniker,
240        env_name: &'a cm_types::Name,
241    ) -> Result<(), PolicyError> {
242        let debug_key = DebugCapabilityKey {
243            name: name.clone(),
244            source: CapabilityAllowlistSource::Self_,
245            capability: capability_type,
246            env_name: env_name.clone(),
247        };
248        let route_allowed = match self.policy.debug_capability_policy.get(&debug_key) {
249            None => false,
250            Some(allowlist_set) => allowlist_set.iter().any(|entry| entry.matches(env_moniker)),
251        };
252        if route_allowed {
253            return Ok(());
254        }
255
256        warn!(
257            "Debug security policy prevented `{}` from being registered to environment `{}` in `{}`.",
258            debug_key.name, env_name, env_moniker,
259        );
260        Err(PolicyError::DebugCapabilityUseDisallowed {
261            cap: debug_key.name.to_string(),
262            env_moniker: env_moniker.to_owned(),
263            env_name: env_name.to_string(),
264        })
265    }
266
267    /// Returns Ok(()) if `target_moniker` is allowed to have `on_terminate=REBOOT` set.
268    pub fn reboot_on_terminate_allowed(&self, target_moniker: &Moniker) -> Result<(), PolicyError> {
269        self.policy
270            .child_policy
271            .reboot_on_terminate
272            .iter()
273            .any(|entry| entry.matches(&target_moniker))
274            .then_some(())
275            .ok_or_else(|| PolicyError::ChildPolicyDisallowed {
276                policy: "reboot_on_terminate".to_owned(),
277                moniker: target_moniker.to_owned(),
278            })
279    }
280}
281
282/// Evaluates security policy relative to a specific Component (based on that Component's
283/// Moniker).
284#[derive(Clone)]
285pub struct ScopedPolicyChecker {
286    /// The security policy to apply.
287    policy: Arc<SecurityPolicy>,
288
289    /// The moniker of the component that policy will be evaluated for.
290    pub scope: Moniker,
291}
292
293impl ScopedPolicyChecker {
294    pub fn new(policy: Arc<SecurityPolicy>, scope: Moniker) -> Self {
295        ScopedPolicyChecker { policy, scope }
296    }
297
298    // This interface is super simple for now since there's only three allowlists. In the future
299    // we'll probably want a different interface than an individual function per policy item.
300
301    pub fn ambient_mark_vmo_exec_allowed(&self) -> Result<(), PolicyError> {
302        self.policy
303            .job_policy
304            .ambient_mark_vmo_exec
305            .iter()
306            .any(|entry| entry.matches(&self.scope))
307            .then_some(())
308            .ok_or_else(|| PolicyError::JobPolicyDisallowed {
309                policy: "ambient_mark_vmo_exec".to_owned(),
310                moniker: self.scope.to_owned(),
311            })
312    }
313
314    pub fn main_process_critical_allowed(&self) -> Result<(), PolicyError> {
315        self.policy
316            .job_policy
317            .main_process_critical
318            .iter()
319            .any(|entry| entry.matches(&self.scope))
320            .then_some(())
321            .ok_or_else(|| PolicyError::JobPolicyDisallowed {
322                policy: "main_process_critical".to_owned(),
323                moniker: self.scope.to_owned(),
324            })
325    }
326
327    pub fn create_raw_processes_allowed(&self) -> Result<(), PolicyError> {
328        self.policy
329            .job_policy
330            .create_raw_processes
331            .iter()
332            .any(|entry| entry.matches(&self.scope))
333            .then_some(())
334            .ok_or_else(|| PolicyError::JobPolicyDisallowed {
335                policy: "create_raw_processes".to_owned(),
336                moniker: self.scope.to_owned(),
337            })
338    }
339}
340
341#[cfg(test)]
342mod tests {
343    use super::*;
344    use assert_matches::assert_matches;
345    use cm_config::{AllowlistEntryBuilder, ChildPolicyAllowlists, JobPolicyAllowlists};
346    use moniker::ChildName;
347    use std::collections::HashMap;
348
349    #[test]
350    fn scoped_policy_checker_vmex() {
351        macro_rules! assert_vmex_allowed_matches {
352            ($policy:expr, $moniker:expr, $expected:pat) => {
353                let result = ScopedPolicyChecker::new($policy.clone(), $moniker.clone())
354                    .ambient_mark_vmo_exec_allowed();
355                assert_matches!(result, $expected);
356            };
357        }
358        macro_rules! assert_vmex_disallowed {
359            ($policy:expr, $moniker:expr) => {
360                assert_vmex_allowed_matches!(
361                    $policy,
362                    $moniker,
363                    Err(PolicyError::JobPolicyDisallowed { .. })
364                );
365            };
366        }
367        let policy = Arc::new(SecurityPolicy::default());
368        assert_vmex_disallowed!(policy, Moniker::root());
369        assert_vmex_disallowed!(policy, Moniker::try_from(vec!["foo"]).unwrap());
370
371        let allowed1 = Moniker::try_from(vec!["foo", "bar"]).unwrap();
372        let allowed2 = Moniker::try_from(vec!["baz", "fiz"]).unwrap();
373        let policy = Arc::new(SecurityPolicy {
374            job_policy: JobPolicyAllowlists {
375                ambient_mark_vmo_exec: vec![
376                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
377                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
378                ],
379                main_process_critical: vec![
380                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
381                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
382                ],
383                create_raw_processes: vec![
384                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
385                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
386                ],
387            },
388            capability_policy: HashMap::new(),
389            debug_capability_policy: HashMap::new(),
390            child_policy: ChildPolicyAllowlists {
391                reboot_on_terminate: vec![
392                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
393                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
394                ],
395            },
396        });
397        assert_vmex_allowed_matches!(policy, allowed1, Ok(()));
398        assert_vmex_allowed_matches!(policy, allowed2, Ok(()));
399        assert_vmex_disallowed!(policy, Moniker::root());
400        assert_vmex_disallowed!(policy, allowed1.parent().unwrap());
401        assert_vmex_disallowed!(policy, allowed1.child(ChildName::try_from("baz").unwrap()));
402    }
403
404    #[test]
405    fn scoped_policy_checker_create_raw_processes() {
406        macro_rules! assert_create_raw_processes_allowed_matches {
407            ($policy:expr, $moniker:expr, $expected:pat) => {
408                let result = ScopedPolicyChecker::new($policy.clone(), $moniker.clone())
409                    .create_raw_processes_allowed();
410                assert_matches!(result, $expected);
411            };
412        }
413        macro_rules! assert_create_raw_processes_disallowed {
414            ($policy:expr, $moniker:expr) => {
415                assert_create_raw_processes_allowed_matches!(
416                    $policy,
417                    $moniker,
418                    Err(PolicyError::JobPolicyDisallowed { .. })
419                );
420            };
421        }
422        let policy = Arc::new(SecurityPolicy::default());
423        assert_create_raw_processes_disallowed!(policy, Moniker::root());
424        assert_create_raw_processes_disallowed!(policy, Moniker::try_from(vec!["foo"]).unwrap());
425
426        let allowed1 = Moniker::try_from(vec!["foo", "bar"]).unwrap();
427        let allowed2 = Moniker::try_from(vec!["baz", "fiz"]).unwrap();
428        let policy = Arc::new(SecurityPolicy {
429            job_policy: JobPolicyAllowlists {
430                ambient_mark_vmo_exec: vec![],
431                main_process_critical: vec![],
432                create_raw_processes: vec![
433                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
434                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
435                ],
436            },
437            capability_policy: HashMap::new(),
438            debug_capability_policy: HashMap::new(),
439            child_policy: ChildPolicyAllowlists { reboot_on_terminate: vec![] },
440        });
441        assert_create_raw_processes_allowed_matches!(policy, allowed1, Ok(()));
442        assert_create_raw_processes_allowed_matches!(policy, allowed2, Ok(()));
443        assert_create_raw_processes_disallowed!(policy, Moniker::root());
444        assert_create_raw_processes_disallowed!(policy, allowed1.parent().unwrap());
445        assert_create_raw_processes_disallowed!(
446            policy,
447            allowed1.child(ChildName::try_from("baz").unwrap())
448        );
449    }
450
451    #[test]
452    fn scoped_policy_checker_main_process_critical_allowed() {
453        macro_rules! assert_critical_allowed_matches {
454            ($policy:expr, $moniker:expr, $expected:pat) => {
455                let result = ScopedPolicyChecker::new($policy.clone(), $moniker.clone())
456                    .main_process_critical_allowed();
457                assert_matches!(result, $expected);
458            };
459        }
460        macro_rules! assert_critical_disallowed {
461            ($policy:expr, $moniker:expr) => {
462                assert_critical_allowed_matches!(
463                    $policy,
464                    $moniker,
465                    Err(PolicyError::JobPolicyDisallowed { .. })
466                );
467            };
468        }
469        let policy = Arc::new(SecurityPolicy::default());
470        assert_critical_disallowed!(policy, Moniker::root());
471        assert_critical_disallowed!(policy, Moniker::try_from(vec!["foo"]).unwrap());
472
473        let allowed1 = Moniker::try_from(vec!["foo", "bar"]).unwrap();
474        let allowed2 = Moniker::try_from(vec!["baz", "fiz"]).unwrap();
475        let policy = Arc::new(SecurityPolicy {
476            job_policy: JobPolicyAllowlists {
477                ambient_mark_vmo_exec: vec![
478                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
479                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
480                ],
481                main_process_critical: vec![
482                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
483                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
484                ],
485                create_raw_processes: vec![
486                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
487                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
488                ],
489            },
490            capability_policy: HashMap::new(),
491            debug_capability_policy: HashMap::new(),
492            child_policy: ChildPolicyAllowlists { reboot_on_terminate: vec![] },
493        });
494        assert_critical_allowed_matches!(policy, allowed1, Ok(()));
495        assert_critical_allowed_matches!(policy, allowed2, Ok(()));
496        assert_critical_disallowed!(policy, Moniker::root());
497        assert_critical_disallowed!(policy, allowed1.parent().unwrap());
498        assert_critical_disallowed!(policy, allowed1.child(ChildName::try_from("baz").unwrap()));
499    }
500
501    #[test]
502    fn scoped_policy_checker_reboot_policy_allowed() {
503        macro_rules! assert_reboot_allowed_matches {
504            ($policy:expr, $moniker:expr, $expected:pat) => {
505                let result = GlobalPolicyChecker::new($policy.clone())
506                    .reboot_on_terminate_allowed(&$moniker);
507                assert_matches!(result, $expected);
508            };
509        }
510        macro_rules! assert_reboot_disallowed {
511            ($policy:expr, $moniker:expr) => {
512                assert_reboot_allowed_matches!(
513                    $policy,
514                    $moniker,
515                    Err(PolicyError::ChildPolicyDisallowed { .. })
516                );
517            };
518        }
519
520        // Empty policy and enabled.
521        let policy = Arc::new(SecurityPolicy::default());
522        assert_reboot_disallowed!(policy, Moniker::root());
523        assert_reboot_disallowed!(policy, Moniker::try_from(vec!["foo"]).unwrap());
524
525        // Nonempty policy.
526        let allowed1 = Moniker::try_from(vec!["foo", "bar"]).unwrap();
527        let allowed2 = Moniker::try_from(vec!["baz", "fiz"]).unwrap();
528        let policy = Arc::new(SecurityPolicy {
529            job_policy: JobPolicyAllowlists {
530                ambient_mark_vmo_exec: vec![],
531                main_process_critical: vec![],
532                create_raw_processes: vec![],
533            },
534            capability_policy: HashMap::new(),
535            debug_capability_policy: HashMap::new(),
536            child_policy: ChildPolicyAllowlists {
537                reboot_on_terminate: vec![
538                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed1),
539                    AllowlistEntryBuilder::build_exact_from_moniker(&allowed2),
540                ],
541            },
542        });
543        assert_reboot_allowed_matches!(policy, allowed1, Ok(()));
544        assert_reboot_allowed_matches!(policy, allowed2, Ok(()));
545        assert_reboot_disallowed!(policy, Moniker::root());
546        assert_reboot_disallowed!(policy, allowed1.parent().unwrap());
547        assert_reboot_disallowed!(policy, allowed1.child(ChildName::try_from("baz").unwrap()));
548    }
549}