diff --git a/sandboxed_api/sandbox2/executor.cc b/sandboxed_api/sandbox2/executor.cc
index b469162..66b7247 100644
--- a/sandboxed_api/sandbox2/executor.cc
+++ b/sandboxed_api/sandbox2/executor.cc
@@ -50,7 +50,7 @@ std::vector Executor::CopyEnviron() {
 }
 
 pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
-                                const std::vector* caps,
+                                const std::vector& caps,
                                 pid_t* init_pid_out) {
   if (started_) {
     LOG(ERROR) << "This executor has already been started";
@@ -76,12 +76,8 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
   }
 
   ForkRequest request;
-  for (size_t i = 0; i < argv_.size(); i++) {
-    request.add_args(argv_[i]);
-  }
-  for (size_t i = 0; i < envp_.size(); i++) {
-    request.add_envs(envp_[i]);
-  }
+  *request.mutable_args() = {argv_.begin(), argv_.end()};
+  *request.mutable_envs() = {envp_.begin(), envp_.end()};
 
   // Add LD_ORIGIN_PATH to envs, as it'll make the amount of syscalls invoked by
   // ld.so smaller.
@@ -113,15 +109,13 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
 
   request.set_clone_flags(clone_flags);
 
-  if (caps) {
-    for (auto cap : *caps) {
-      request.add_capabilities(cap);
-    }
+  for (auto cap : caps) {
+    request.add_capabilities(cap);
   }
 
   int ns_fd = -1;
   if (libunwind_sbox_for_pid_ != 0) {
-    std::string ns_path =
+    const std::string ns_path =
         absl::StrCat("/proc/", libunwind_sbox_for_pid_, "/ns/user");
     PCHECK((ns_fd = open(ns_path.c_str(), O_RDONLY)) != -1)
         << "Could not open user ns fd (" << ns_path << ")";
diff --git a/sandboxed_api/sandbox2/executor.h b/sandboxed_api/sandbox2/executor.h
index 03241a6..0bd0cfc 100644
--- a/sandboxed_api/sandbox2/executor.h
+++ b/sandboxed_api/sandbox2/executor.h
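Review bot: The new `*request.mutable_args() = {argv_.begin(), argv_.end()};` and the matching `mutable_envs()` line depend on copy-list-initialization picking the iterator-pair constructor of the repeated field to build a temporary that is then move-assigned, which only holds while that constructor stays non-explicit, and the braced form reads at first glance like a two-element initializer list. The explicit API states the intent and fills the field in place: `request.mutable_args()->Assign(argv_.begin(), argv_.end());` and `request.mutable_envs()->Assign(envp_.begin(), envp_.end());`, assuming the protobuf version in use provides RepeatedPtrField::Assign. Behaviour is otherwise the same as the removed index loops. StartSubProcess begins in the previous hunk and continues past this one.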
@@ -125,7 +125,7 @@ class Executor final {
   //
   // Returns the same values as fork().
   pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
-                        const std::vector* caps = nullptr,
+                        const std::vector& caps = {},
                         pid_t* init_pid_out = nullptr);
 
   // Whether the Executor has been started yet
diff --git a/sandboxed_api/sandbox2/monitor.cc b/sandboxed_api/sandbox2/monitor.cc
index d7fcb8b..aff3992 100644
--- a/sandboxed_api/sandbox2/monitor.cc
+++ b/sandboxed_api/sandbox2/monitor.cc
@@ -266,7 +266,7 @@ void Monitor::Run() {
   // Get PID of the sandboxee.
   pid_t init_pid = 0;
   bool should_have_init = ns && (ns->GetCloneFlags() & CLONE_NEWPID);
-  pid_ = executor_->StartSubProcess(clone_flags, ns, policy_->GetCapabilities(),
+  pid_ = executor_->StartSubProcess(clone_flags, ns, policy_->capabilities(),
                                     &init_pid);
 
   if (init_pid > 0) {
diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc
index bea54f6..c99486d 100644
--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
@@ -169,7 +169,11 @@ void Policy::AllowUnsafeKeepCapabilities(
   if (namespace_) {
     namespace_->DisableUserNamespace();
   }
-  capabilities_ = std::move(caps);
+  if (!caps) {
+    capabilities_.clear();
+  } else {
+    capabilities_ = {caps->begin(), caps->end()};
+  }
 }
 
 void Policy::GetPolicyDescription(PolicyDescription* policy) const {
@@ -185,10 +189,8 @@ void Policy::GetPolicyDescription(PolicyDescription* policy) const {
         policy->mutable_namespace_description());
   }
 
-  if (capabilities_) {
-    for (const auto& cap : *capabilities_) {
-      policy->add_capabilities(cap);
-    }
+  for (const auto& cap : capabilities_) {
+    policy->add_capabilities(cap);
   }
 }
 
diff --git a/sandboxed_api/sandbox2/policy.h b/sandboxed_api/sandbox2/policy.h
index 657a2b9..179ccfb 100644
--- a/sandboxed_api/sandbox2/policy.h
+++ b/sandboxed_api/sandbox2/policy.h
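Review bot: The new parameter `const std::vector& caps = {}` turns "no capabilities" from a nullptr into an empty list, but the declaration comment above it (only its tail, `// Returns the same values as fork().`, is in the hunk) does not say what `caps` is or that an empty list is the safe default. Suggested addition to that comment block: `// caps: capabilities the sandboxee keeps; they are copied into the fork request. An empty list (the default) keeps none.` The copy into the request is what executor.cc does with the argument in this same commit, so the comment stays grounded in the code. The surrounding comment block starts above the hunk.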
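Review bot: In AllowUnsafeKeepCapabilities the new `if (!caps)` branch makes the null path explicit, yet `namespace_->DisableUserNamespace()` on the context lines just above still runs first, so a null (or empty) capability list drops the user-namespace isolation while keeping no capabilities in return. If that combination is not an intended use, return before touching the namespace: `if (!caps || caps->empty()) { capabilities_.clear(); return; }`; if callers do rely on a null argument to disable the user namespace, say so in the method's header comment rather than leaving it implicit. The assignment would also read more directly as `capabilities_.assign(caps->begin(), caps->end());`, avoiding a braced form that is easily mistaken for a two-element initializer list. The signature is outside the hunk, so I am inferring from `caps->begin()` that the parameter is still a smart pointer even though the member is now a plain vector.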
@@ -42,7 +42,7 @@ namespace sandbox2 {
 namespace internal {
 // Magic values of registers when executing sys_execveat, so we can recognize
 // the pre-sandboxing state and notify the Monitor
-constexpr uintptr_t kExecveMagic = 0x921c2c34;
+inline constexpr uintptr_t kExecveMagic = 0x921c2c34;
 } // namespace internal
 
 class Comms;
@@ -79,9 +79,7 @@ class Policy final {
     namespace_ = std::move(ns);
   }
 
-  const std::vector* GetCapabilities() const {
-    return capabilities_.get();
-  }
+  const std::vector& capabilities() const { return capabilities_; }
 
   // Returns the default policy, which blocks certain dangerous syscalls and
   // mismatched syscall tables.
@@ -100,7 +98,7 @@ class Policy final {
   bool collect_stacktrace_on_kill_ = true;
 
   // The capabilities to keep in the sandboxee.
-  std::unique_ptr> capabilities_;
+  std::vector capabilities_;
 
   // Optional pointer to a PolicyBuilder description pb object.
   std::unique_ptr policy_builder_description_;
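Review bot: The new accessor `const std::vector& capabilities() const { return capabilities_; }` carries no comment, and with the unique_ptr gone an empty vector is now the only way to express "no capabilities kept", which the old nullptr return stated explicitly. Suggested comment above it: `// Capabilities to keep in the sandboxee; empty means none. As far as this diff shows, only AllowUnsafeKeepCapabilities() populates it. The reference is valid for the lifetime of this Policy.` The member comment `// The capabilities to keep in the sandboxee.` in the last hunk would benefit from the same "empty means none" remark. The class body extends beyond these hunks.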