mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Call DisableNamespaces where needed
PiperOrigin-RevId: 249637351 Change-Id: I5105d89ea0e8cfb2fca1e5ac342fa67e9caac930
This commit is contained in:
parent
85059ef40d
commit
08ff939ea7
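--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -63,6 +63,7 @@ TEST(BufferTest, TestImplementation) {
 
 std::unique_ptr<Policy> BufferTestcasePolicy() {
 auto s2p = PolicyBuilder()
+.DisableNamespaces()
 .AllowStaticStartup()
 .AllowExit()
 .AllowSafeFcntl()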
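Review bot: The added `.DisableNamespaces()` carries no comment saying why namespace isolation is switched off for this policy, and the same bare call is added in the IPCTest, LimitsTest, NamespaceTest, SandboxCoreDumpTest, TsyncTest, ExecutorTest, StarvationTest and SanitizerTest hunks of this commit, where it sits directly above `.DangerDefaultAllowAll()`, so those fixtures end up with neither syscall filtering nor namespace isolation. That is acceptable for a test fixture, but a one-line comment keeps the pattern from being copied into a real policy; something like `// Namespace isolation is intentionally off: this test does not exercise it.` above each call would do. The body of BufferTestcasePolicy() continues past the end of the hunk.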
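--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -49,6 +49,7 @@ namespace {
 
 std::unique_ptr<sandbox2::Policy> GetPolicy() {
 return sandbox2::PolicyBuilder()
+.DisableNamespaces()
 .AllowExit()
 .AddPolicyOnSyscalls(
 {__NR_read, __NR_write, __NR_close},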
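Review bot: GetPolicy() differs from the test fixtures in this commit in that it keeps an explicit syscall allow-list, which suggests it may be sample or reference code rather than a test; if that is the case, the new `.DisableNamespaces()` changes what the sample demonstrates and the reason deserves a comment, because such policies get copied. A line such as `// Namespace isolation is intentionally off in this policy.` above the call would make the trade-off visible. The function body continues beyond the hunk, so I cannot see the rest of the chain.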
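--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -44,6 +44,7 @@ TEST(IPCTest, MapFDByNamePreExecve) {
 Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test"));
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -74,6 +75,7 @@ TEST(IPCTest, MapFDByNamePostExecve) {
 Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test"));
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -100,6 +102,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
 auto executor = absl::make_unique<Executor>(path, args);
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());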
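--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -42,6 +42,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
 executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -59,6 +60,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
 executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -76,6 +78,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
 executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -93,6 +96,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
 executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -110,6 +114,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
 executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());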
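--- a/PATH_NOT_SHOWN_5
+++ b/PATH_NOT_SHOWN_5
@@ -83,6 +83,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
 {
 auto executor = absl::make_unique<Executor>(path, args);
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -103,6 +104,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
 std::vector<std::string> args = {path, "3", "1000", "1000"};
 auto executor = absl::make_unique<Executor>(path, args);
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.EnableNamespaces()
 // Don't restrict the syscalls at all
 .DangerDefaultAllowAll()
 .EnableNamespaces()
@@ -122,6 +124,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
 std::vector<std::string> args = {path, "3", uid, gid};
 auto executor = absl::make_unique<Executor>(path, args);
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -151,6 +154,7 @@ class HostnameTest : public testing::Test {
 
 TEST_F(HostnameTest, None) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all
 .DangerDefaultAllowAll()
 .TryBuild());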
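Review bot: In the second hunk (`@@ -103,6 +104,7 @@`, UserNamespaceIDMapWritten) the newly added `.EnableNamespaces()` duplicates the `.EnableNamespaces()` that was already in the same builder chain after `.DangerDefaultAllowAll()` (the last context line of that hunk), so the policy now requests namespaces twice. Unless the builder requires the call to precede the syscall options, which nothing on the page shows, keep only one of the two; dropping the pre-existing trailing call would make this chain read like the other hunks, `.EnableNamespaces()`, `// Don't restrict the syscalls at all`, `.DangerDefaultAllowAll()`. If a second call is a no-op this is harmless, but if it re-runs namespace setup it may be worse, so the builder's behaviour on repeated calls should be checked. The rest of that chain lies beyond the hunk.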
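--- a/PATH_NOT_SHOWN_6
+++ b/PATH_NOT_SHOWN_6
@@ -42,6 +42,7 @@ namespace {
 // chosen because unlikely to be called by a regular program.
 std::unique_ptr<Policy> NotifyTestcasePolicy() {
 return PolicyBuilder()
+.DisableNamespaces()
 .AllowStaticStartup()
 .AllowExit()
 .AllowRead()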
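--- a/PATH_NOT_SHOWN_7
+++ b/PATH_NOT_SHOWN_7
@@ -41,6 +41,7 @@ namespace {
 
 std::unique_ptr<Policy> PolicyTestcasePolicy() {
 return PolicyBuilder()
+.DisableNamespaces()
 .AllowStaticStartup()
 .AllowExit()
 .AllowRead()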
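--- a/PATH_NOT_SHOWN_8
+++ b/PATH_NOT_SHOWN_8
@@ -194,6 +194,7 @@ std::string PolicyBuilderTest::Run(std::vector<std::string> args,
 
 TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
 PolicyBuilder b;
+b.EnableNamespaces();
 ASSERT_THAT(b.BuildOrDie(), NotNull());
 ASSERT_DEATH(b.BuildOrDie(), "Can only build policy once");
 }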
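--- a/PATH_NOT_SHOWN_9
+++ b/PATH_NOT_SHOWN_9
@@ -54,6 +54,7 @@ TEST(SandboxCoreDumpTest, AbortWithoutCoreDumpReturnsSignaled) {
 auto executor = absl::make_unique<Executor>(path, args);
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -75,6 +76,7 @@ TEST(TsyncTest, TsyncNoMemoryChecks) {
 executor->set_enable_sandbox_before_exec(false);
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -101,6 +103,7 @@ TEST(ExecutorTest, ExecutorFdConstructor) {
 auto executor = absl::make_unique<Executor>(fd, args, envs);
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());
@@ -205,8 +208,9 @@ TEST(StarvationTest, MonitorIsNotStarvedByTheSandboxee) {
 std::vector<std::string> envs;
 auto executor = absl::make_unique<Executor>(path, args, envs);
 
-SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
-PolicyBuilder().DangerDefaultAllowAll().TryBuild());
+SAPI_ASSERT_OK_AND_ASSIGN(
+auto policy,
+PolicyBuilder().DisableNamespaces().DangerDefaultAllowAll().TryBuild());
 executor->limits()->set_walltime_limit(absl::Seconds(5));
 Sandbox2 sandbox(std::move(executor), std::move(policy));
 auto start = absl::Now();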
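Review bot: The StarvationTest hunk (`@@ -205,8 +208,9 @@`) keeps the whole builder chain on one line, `PolicyBuilder().DisableNamespaces().DangerDefaultAllowAll().TryBuild()`, whereas the three hunks above it in this file and every other fixture in the commit spell the chain one call per line with `// Don't restrict the syscalls at all.` above `.DangerDefaultAllowAll()`. Writing this one in the same multi-line form as the ExecutorTest hunk just above would keep the style uniform and preserve the comment that flags the policy as deliberately unrestricted. The test body continues beyond the hunk.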
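--- a/PATH_NOT_SHOWN_10
+++ b/PATH_NOT_SHOWN_10
@@ -130,6 +130,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
 auto executor = absl::make_unique<Executor>(path, args);
 
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+.DisableNamespaces()
 // Don't restrict the syscalls at all.
 .DangerDefaultAllowAll()
 .TryBuild());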