More efficient fork request handling and #Cleanup
- Assign to `*mutable_XXX()` instead of looping - Use a const ref for capabilities PiperOrigin-RevId: 384192675 Change-Id: I4db3d0c8ce0d7f6acc9fd486a2409962516b5fe7
This commit is contained in:
parent
372b8e2696
commit
002cb9ae01
@ -50,7 +50,7 @@ std::vector<std::string> Executor::CopyEnviron() {
|
|||
}
|
||||
|
||||
pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
||||
const std::vector<int>* caps,
|
||||
const std::vector<int>& caps,
|
||||
pid_t* init_pid_out) {
|
||||
if (started_) {
|
||||
LOG(ERROR) << "This executor has already been started";
|
||||
|
@ -76,12 +76,8 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
|||
}
|
||||
|
||||
ForkRequest request;
|
||||
for (size_t i = 0; i < argv_.size(); i++) {
|
||||
request.add_args(argv_[i]);
|
||||
}
|
||||
for (size_t i = 0; i < envp_.size(); i++) {
|
||||
request.add_envs(envp_[i]);
|
||||
}
|
||||
*request.mutable_args() = {argv_.begin(), argv_.end()};
|
||||
*request.mutable_envs() = {envp_.begin(), envp_.end()};
|
||||
|
||||
// Add LD_ORIGIN_PATH to envs, as it'll make the amount of syscalls invoked by
|
||||
// ld.so smaller.
|
||||
|
@ -113,15 +109,13 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
|||
|
||||
request.set_clone_flags(clone_flags);
|
||||
|
||||
if (caps) {
|
||||
for (auto cap : *caps) {
|
||||
for (auto cap : caps) {
|
||||
request.add_capabilities(cap);
|
||||
}
|
||||
}
|
||||
|
||||
int ns_fd = -1;
|
||||
if (libunwind_sbox_for_pid_ != 0) {
|
||||
std::string ns_path =
|
||||
const std::string ns_path =
|
||||
absl::StrCat("/proc/", libunwind_sbox_for_pid_, "/ns/user");
|
||||
PCHECK((ns_fd = open(ns_path.c_str(), O_RDONLY)) != -1)
|
||||
<< "Could not open user ns fd (" << ns_path << ")";
|
||||
|
|
|
@ -125,7 +125,7 @@ class Executor final {
|
|||
//
|
||||
// Returns the same values as fork().
|
||||
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
|
||||
const std::vector<int>* caps = nullptr,
|
||||
const std::vector<int>& caps = {},
|
||||
pid_t* init_pid_out = nullptr);
|
||||
|
||||
// Whether the Executor has been started yet
|
||||
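Review bot: The comment block above `StartSubProcess` (it begins outside the hunk) describes only the return value, so the new `caps` parameter should get a line of its own, e.g. `// caps: capabilities to request for the sandboxee (see Policy::capabilities()); an empty vector adds none to the ForkRequest.` Separately, this declaration takes `int clone_flags` while the definition in executor.cc takes `int32_t clone_flags`; the two are compatible on the usual targets but are not the same spelling, and aligning them is cheap. That mismatch predates this change, so I am only flagging it.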
|
|
|
@ -266,7 +266,7 @@ void Monitor::Run() {
|
|||
// Get PID of the sandboxee.
|
||||
pid_t init_pid = 0;
|
||||
bool should_have_init = ns && (ns->GetCloneFlags() & CLONE_NEWPID);
|
||||
pid_ = executor_->StartSubProcess(clone_flags, ns, policy_->GetCapabilities(),
|
||||
pid_ = executor_->StartSubProcess(clone_flags, ns, policy_->capabilities(),
|
||||
&init_pid);
|
||||
|
||||
if (init_pid > 0) {
|
||||
|
|
|
@ -169,7 +169,11 @@ void Policy::AllowUnsafeKeepCapabilities(
|
|||
if (namespace_) {
|
||||
namespace_->DisableUserNamespace();
|
||||
}
|
||||
capabilities_ = std::move(caps);
|
||||
if (!caps) {
|
||||
capabilities_.clear();
|
||||
} else {
|
||||
capabilities_ = {caps->begin(), caps->end()};
|
||||
}
|
||||
}
|
||||
|
||||
void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
||||
|
@ -185,11 +189,9 @@ void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
|||
policy->mutable_namespace_description());
|
||||
}
|
||||
|
||||
if (capabilities_) {
|
||||
for (const auto& cap : *capabilities_) {
|
||||
for (const auto& cap : capabilities_) {
|
||||
policy->add_capabilities(cap);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
} // namespace sandbox2
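Review bot: In the `else` branch of `Policy::AllowUnsafeKeepCapabilities`, `capabilities_ = {caps->begin(), caps->end()};` copies the elements even though the function owns `caps` (the `->` suggests it is still the smart pointer the old code moved; the signature is outside the hunk); `capabilities_ = std::move(*caps);` avoids the copy if the pointee is non-const. The null case now reads explicitly as "keep no capabilities", yet `namespace_->DisableUserNamespace()` above it still runs unconditionally, so a null `caps` clears the list but also disables the user namespace — this behaviour is carried over from before the change, so I am flagging rather than asserting that it is wrong, but if clearing is meant to be a no-op the namespace call belongs under the non-null branch. The function's opening lines lie outside the hunk.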
|
||||
|
|
|
@ -42,7 +42,7 @@ namespace sandbox2 {
|
|||
namespace internal {
|
||||
// Magic values of registers when executing sys_execveat, so we can recognize
|
||||
// the pre-sandboxing state and notify the Monitor
|
||||
constexpr uintptr_t kExecveMagic = 0x921c2c34;
|
||||
inline constexpr uintptr_t kExecveMagic = 0x921c2c34;
|
||||
} // namespace internal
|
||||
|
||||
class Comms;
|
||||
|
@ -79,9 +79,7 @@ class Policy final {
|
|||
namespace_ = std::move(ns);
|
||||
}
|
||||
|
||||
const std::vector<int>* GetCapabilities() const {
|
||||
return capabilities_.get();
|
||||
}
|
||||
const std::vector<int>& capabilities() const { return capabilities_; }
|
||||
|
||||
// Returns the default policy, which blocks certain dangerous syscalls and
|
||||
// mismatched syscall tables.
|
||||
|
@ -100,7 +98,7 @@ class Policy final {
|
|||
bool collect_stacktrace_on_kill_ = true;
|
||||
|
||||
// The capabilities to keep in the sandboxee.
|
||||
std::unique_ptr<std::vector<int>> capabilities_;
|
||||
std::vector<int> capabilities_;
|
||||
|
||||
// Optional pointer to a PolicyBuilder description pb object.
|
||||
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;
|
||||
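Review bot: The new accessor `const std::vector<int>& capabilities() const { return capabilities_; }` has no comment, and because it now hands out a reference into the Policy rather than a pointer, its lifetime contract is worth stating: `// Capabilities to keep in the sandboxee, as set by AllowUnsafeKeepCapabilities(); empty when none are kept. The returned reference is valid only while this Policy is alive and unmodified.` The member declaration already carries `// The capabilities to keep in the sandboxee.`, so the accessor comment should use the same wording. The `Policy` class body continues outside the hunk.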
|
|