preemptive_threads/security/

isolation.rs

//! Thread isolation and sandboxing implementation.

use crate::errors::ThreadError;
use crate::security::{SecurityConfig, SecurityViolation, handle_security_violation};
use crate::thread_new::ThreadId;
use portable_atomic::{AtomicU64, AtomicUsize, Ordering};
use alloc::{collections::BTreeMap, vec, vec::Vec};

/// Thread isolation boundaries and sandboxing.
pub struct ThreadIsolation {
    /// Isolated thread domains
    domains: BTreeMap<ThreadId, IsolationDomain>,
    /// Isolation violations detected
    violations_detected: AtomicUsize,
    /// Domain boundary crosses
    boundary_crosses: AtomicU64,
}

impl ThreadIsolation {
    pub fn new() -> Self {
        Self {
            domains: BTreeMap::new(),
            violations_detected: AtomicUsize::new(0),
            boundary_crosses: AtomicU64::new(0),
        }
    }
    
    /// Create new isolation domain for thread.
    pub fn create_domain(
        &mut self,
        thread_id: ThreadId,
        config: IsolationConfig,
    ) -> Result<(), ThreadError> {
        let domain = IsolationDomain::new(thread_id, config)?;
        self.domains.insert(thread_id, domain);
        Ok(())
    }
    
    /// Check if thread access is allowed.
    pub fn check_access(
        &self,
        accessor_id: ThreadId,
        target_id: ThreadId,
        access_type: AccessType,
    ) -> bool {
        if accessor_id == target_id {
            return true; // Self-access always allowed
        }
        
        let accessor_domain = match self.domains.get(&accessor_id) {
            Some(domain) => domain,
            None => return true, // No isolation for this thread
        };
        
        let allowed = accessor_domain.check_cross_domain_access(target_id, access_type);
        
        if !allowed {
            self.violations_detected.fetch_add(1, Ordering::Relaxed);
        } else {
            self.boundary_crosses.fetch_add(1, Ordering::Relaxed);
        }
        
        allowed
    }
    
    /// Remove thread from isolation domain.
    pub fn remove_domain(&mut self, thread_id: ThreadId) {
        self.domains.remove(&thread_id);
    }
}

/// Thread isolation domain configuration.
#[derive(Debug, Clone)]
pub struct IsolationConfig {
    /// Domain security level
    pub security_level: SecurityLevel,
    /// Allowed cross-domain operations
    pub allowed_operations: Vec<AccessType>,
    /// Memory access restrictions
    pub memory_restrictions: MemoryRestrictions,
    /// Resource limits for this domain
    pub resource_limits: ResourceLimits,
    /// Inter-domain communication policy
    pub ipc_policy: IpcPolicy,
}

impl Default for IsolationConfig {
    fn default() -> Self {
        Self {
            security_level: SecurityLevel::Medium,
            allowed_operations: vec![AccessType::Signal],
            memory_restrictions: MemoryRestrictions::default(),
            resource_limits: ResourceLimits::default(),
            ipc_policy: IpcPolicy::Restricted,
        }
    }
}

/// Security levels for isolation domains.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum SecurityLevel {
    /// Minimal isolation (performance-focused)
    Low,
    /// Standard isolation (balanced)
    Medium,
    /// Maximum isolation (security-focused)
    High,
    /// Critical isolation (for sensitive operations)
    Critical,
}

/// Types of cross-domain access.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AccessType {
    /// Memory read access
    MemoryRead,
    /// Memory write access
    MemoryWrite,
    /// Signal delivery
    Signal,
    /// Resource sharing
    ResourceShare,
    /// IPC communication
    Ipc,
    /// Thread control (suspend/resume)
    ThreadControl,
}

/// Memory access restrictions for domains.
#[derive(Debug, Clone)]
pub struct MemoryRestrictions {
    /// Allowed memory regions
    pub allowed_regions: Vec<MemoryRegion>,
    /// Forbidden memory regions
    pub forbidden_regions: Vec<MemoryRegion>,
    /// Heap access policy
    pub heap_access: HeapAccessPolicy,
    /// Stack access policy
    pub stack_access: StackAccessPolicy,
}

impl Default for MemoryRestrictions {
    fn default() -> Self {
        Self {
            allowed_regions: Vec::new(),
            forbidden_regions: Vec::new(),
            heap_access: HeapAccessPolicy::Isolated,
            stack_access: StackAccessPolicy::Private,
        }
    }
}

/// Memory region descriptor.
#[derive(Debug, Clone)]
pub struct MemoryRegion {
    pub start: usize,
    pub size: usize,
    pub permissions: MemoryPermissions,
}

/// Memory permissions for regions.
#[derive(Debug, Clone, Copy)]
pub struct MemoryPermissions {
    pub read: bool,
    pub write: bool,
    pub execute: bool,
}

/// Heap access policies.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HeapAccessPolicy {
    /// Thread has isolated heap
    Isolated,
    /// Thread shares global heap
    Shared,
    /// Thread has no heap access
    None,
}

/// Stack access policies.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum StackAccessPolicy {
    /// Private stack, no cross-access
    Private,
    /// Limited cross-access for debugging
    LimitedAccess,
    /// Full cross-access allowed
    Shared,
}

/// Resource limits for isolation domains.
#[derive(Debug, Clone)]
pub struct ResourceLimits {
    /// Maximum memory allocation
    pub max_memory: Option<usize>,
    /// Maximum CPU time (nanoseconds)
    pub max_cpu_time: Option<u64>,
    /// Maximum file handles
    pub max_file_handles: Option<usize>,
    /// Maximum network connections
    pub max_network_connections: Option<usize>,
}

impl Default for ResourceLimits {
    fn default() -> Self {
        Self {
            max_memory: Some(64 * 1024 * 1024), // 64MB default
            max_cpu_time: None,
            max_file_handles: Some(256),
            max_network_connections: Some(16),
        }
    }
}

/// Inter-process communication policies.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IpcPolicy {
    /// No IPC allowed
    Blocked,
    /// Only with explicitly allowed domains
    Restricted,
    /// IPC with security checks
    Controlled,
    /// Full IPC access
    Unrestricted,
}

/// Individual thread isolation domain.
#[derive(Debug)]
pub struct IsolationDomain {
    /// Thread ID for this domain
    pub thread_id: ThreadId,
    /// Domain configuration
    pub config: IsolationConfig,
    /// Current resource usage
    pub resource_usage: ResourceUsage,
    /// Allowed domain interactions
    pub allowed_domains: Vec<ThreadId>,
    /// Domain creation time
    pub created_at: u64,
}

impl IsolationDomain {
    /// Create new isolation domain.
    pub fn new(thread_id: ThreadId, config: IsolationConfig) -> Result<Self, ThreadError> {
        Ok(Self {
            thread_id,
            config,
            resource_usage: ResourceUsage::new(),
            allowed_domains: Vec::new(),
            created_at: crate::time::get_monotonic_time().as_nanos() as u64,
        })
    }
    
    /// Check if cross-domain access is allowed.
    pub fn check_cross_domain_access(
        &self,
        target_domain: ThreadId,
        access_type: AccessType,
    ) -> bool {
        // Always deny access to higher security levels
        // (Would need to look up target domain's security level)
        
        // Check if this access type is explicitly allowed
        if !self.config.allowed_operations.contains(&access_type) {
            return false;
        }
        
        // Check if target domain is in allowed list
        if !self.allowed_domains.is_empty() && !self.allowed_domains.contains(&target_domain) {
            return false;
        }
        
        // Apply security level-specific checks
        match self.config.security_level {
            SecurityLevel::Low => true,
            SecurityLevel::Medium => match access_type {
                AccessType::MemoryWrite | AccessType::ThreadControl => false,
                _ => true,
            },
            SecurityLevel::High => match access_type {
                AccessType::Signal => true,
                _ => false,
            },
            SecurityLevel::Critical => false, // Deny all cross-domain access
        }
    }
    
    /// Add allowed domain for interaction.
    pub fn allow_domain_interaction(&mut self, domain_id: ThreadId) {
        if !self.allowed_domains.contains(&domain_id) {
            self.allowed_domains.push(domain_id);
        }
    }
    
    /// Remove allowed domain.
    pub fn disallow_domain_interaction(&mut self, domain_id: ThreadId) {
        self.allowed_domains.retain(|&id| id != domain_id);
    }
    
    /// Check if memory access is allowed.
    pub fn check_memory_access(&self, address: usize, size: usize, write: bool) -> bool {
        // Check against forbidden regions first
        for region in &self.config.memory_restrictions.forbidden_regions {
            if address >= region.start && address < region.start + region.size {
                return false;
            }
        }
        
        // If allowed regions specified, must be in one of them
        if !self.config.memory_restrictions.allowed_regions.is_empty() {
            let mut found = false;
            for region in &self.config.memory_restrictions.allowed_regions {
                if address >= region.start 
                   && address + size <= region.start + region.size 
                   && (!write || region.permissions.write) {
                    found = true;
                    break;
                }
            }
            if !found {
                return false;
            }
        }
        
        true
    }
    
    /// Update resource usage and check limits.
    pub fn update_resource_usage(&mut self, usage: ResourceUsage) -> Result<(), ThreadError> {
        // Check memory limit
        if let Some(max_memory) = self.config.resource_limits.max_memory {
            if usage.memory_used > max_memory {
                return Err(ThreadError::ResourceExhaustion());
            }
        }
        
        // Check CPU time limit
        if let Some(max_cpu) = self.config.resource_limits.max_cpu_time {
            if usage.cpu_time_used > max_cpu {
                return Err(ThreadError::ResourceExhaustion());
            }
        }
        
        self.resource_usage = usage;
        Ok(())
    }
}

/// Current resource usage for a domain.
#[derive(Debug, Clone)]
pub struct ResourceUsage {
    pub memory_used: usize,
    pub cpu_time_used: u64,
    pub file_handles_used: usize,
    pub network_connections_used: usize,
}

impl ResourceUsage {
    pub fn new() -> Self {
        Self {
            memory_used: 0,
            cpu_time_used: 0,
            file_handles_used: 0,
            network_connections_used: 0,
        }
    }
}

/// Global thread isolation manager.
static mut THREAD_ISOLATION: Option<ThreadIsolation> = None;

/// Memory access guard for isolated domains.
pub struct MemoryAccessGuard {
    domain_id: ThreadId,
    address: usize,
    size: usize,
}

impl MemoryAccessGuard {
    /// Create new memory access guard.
    pub fn new(domain_id: ThreadId, address: usize, size: usize) -> Result<Self, ThreadError> {
        // Verify access is allowed
        if !check_memory_access(domain_id, address, size, false) {
            handle_security_violation(SecurityViolation::IsolationViolation);
        }
        
        Ok(Self {
            domain_id,
            address,
            size,
        })
    }
    
    /// Get safe pointer for reading.
    pub unsafe fn read_ptr<T>(&self) -> *const T {
        self.address as *const T
    }
    
    /// Get safe pointer for writing (requires write access check).
    pub unsafe fn write_ptr<T>(&self) -> Result<*mut T, ThreadError> {
        if !check_memory_access(self.domain_id, self.address, self.size, true) {
            handle_security_violation(SecurityViolation::IsolationViolation);
        }
        Ok(self.address as *mut T)
    }
}

/// Cross-domain communication channel.
pub struct CrossDomainChannel {
    sender_domain: ThreadId,
    receiver_domain: ThreadId,
    allowed: bool,
}

impl CrossDomainChannel {
    /// Create new cross-domain communication channel.
    pub fn new(sender: ThreadId, receiver: ThreadId) -> Result<Self, ThreadError> {
        let allowed = check_cross_domain_access(sender, receiver, AccessType::Ipc);
        
        if !allowed {
            return Err(ThreadError::PermissionDenied());
        }
        
        Ok(Self {
            sender_domain: sender,
            receiver_domain: receiver,
            allowed,
        })
    }
    
    /// Send message through channel.
    pub fn send<T>(&self, message: T) -> Result<(), ThreadError> {
        if !self.allowed {
            return Err(ThreadError::PermissionDenied());
        }
        
        // In real implementation, this would use secure IPC mechanism
        // For now, just validate the operation is allowed
        Ok(())
    }
}

/// Helper functions for isolation management.

/// Initialize thread isolation subsystem.
pub fn init_thread_isolation(_config: SecurityConfig) -> Result<(), ThreadError> {
    unsafe {
        THREAD_ISOLATION = Some(ThreadIsolation::new());
    }
    
    // Initialization completed
    Ok(())
}

/// Create isolation domain for thread.
pub fn create_isolation_domain(
    thread_id: ThreadId,
    config: IsolationConfig,
) -> Result<(), ThreadError> {
    unsafe {
        if let Some(isolation) = &mut THREAD_ISOLATION {
            isolation.create_domain(thread_id, config)
        } else {
            Err(ThreadError::InvalidState())
        }
    }
}

/// Check cross-domain access permission.
pub fn check_cross_domain_access(
    accessor_id: ThreadId,
    target_id: ThreadId,
    access_type: AccessType,
) -> bool {
    unsafe {
        if let Some(isolation) = &THREAD_ISOLATION {
            isolation.check_access(accessor_id, target_id, access_type)
        } else {
            true // No isolation active, allow access
        }
    }
}

/// Check memory access permission for domain.
pub fn check_memory_access(
    domain_id: ThreadId,
    address: usize,
    size: usize,
    write: bool,
) -> bool {
    unsafe {
        if let Some(isolation) = &THREAD_ISOLATION {
            if let Some(domain) = isolation.domains.get(&domain_id) {
                domain.check_memory_access(address, size, write)
            } else {
                true // No domain restrictions
            }
        } else {
            true // No isolation active
        }
    }
}

/// Remove thread from isolation system.
pub fn remove_isolation_domain(thread_id: ThreadId) {
    unsafe {
        if let Some(isolation) = &mut THREAD_ISOLATION {
            isolation.remove_domain(thread_id);
        }
    }
}

/// Thread isolation statistics.
#[derive(Debug, Clone)]
pub struct IsolationStats {
    pub domains_active: usize,
    pub violations_detected: usize,
    pub boundary_crosses: u64,
    pub isolation_enabled: bool,
}

/// Get thread isolation statistics.
pub fn get_isolation_stats() -> IsolationStats {
    unsafe {
        if let Some(isolation) = &THREAD_ISOLATION {
            IsolationStats {
                domains_active: isolation.domains.len(),
                violations_detected: isolation.violations_detected.load(Ordering::Relaxed),
                boundary_crosses: isolation.boundary_crosses.load(Ordering::Relaxed),
                isolation_enabled: true,
            }
        } else {
            IsolationStats {
                domains_active: 0,
                violations_detected: 0,
                boundary_crosses: 0,
                isolation_enabled: false,
            }
        }
    }
}

/// Macro for creating isolated thread domain.
#[macro_export]
macro_rules! isolated_thread {
    ($thread_id:expr, $security_level:expr) => {{
        use crate::security::isolation::{IsolationConfig, SecurityLevel, create_isolation_domain};
        let config = IsolationConfig {
            security_level: $security_level,
            ..Default::default()
        };
        create_isolation_domain($thread_id, config)
    }};
}

/// Macro for safe cross-domain access.
#[macro_export]
macro_rules! cross_domain_access {
    ($accessor:expr, $target:expr, $access_type:expr, $operation:expr) => {{
        use crate::security::isolation::check_cross_domain_access;
        if check_cross_domain_access($accessor, $target, $access_type) {
            Some($operation)
        } else {
            None
        }
    }};
}