Call DisableNamespaces where needed

PiperOrigin-RevId: 249637351
Change-Id: I5105d89ea0e8cfb2fca1e5ac342fa67e9caac930
This commit is contained in:
Wiktor Garbacz 2019-05-23 07:20:33 -07:00 committed by Copybara-Service
parent 85059ef40d
commit 08ff939ea7
10 changed files with 24 additions and 2 deletions


@ -63,6 +63,7 @@ TEST(BufferTest, TestImplementation) {
std::unique_ptr<Policy> BufferTestcasePolicy() { std::unique_ptr<Policy> BufferTestcasePolicy() {
auto s2p = PolicyBuilder() auto s2p = PolicyBuilder()
.DisableNamespaces()
.AllowStaticStartup() .AllowStaticStartup()
.AllowExit() .AllowExit()
.AllowSafeFcntl() .AllowSafeFcntl()
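Review bot: The added `.DisableNamespaces()` in `BufferTestcasePolicy()` opts the sandboxee out of namespace isolation without saying why, and the same bare call is added in the IPCTest, LimitsTest, NotifyTestcasePolicy, PolicyTestcasePolicy, core-dump/tsync/executor/starvation and SanitizerTest sections below. Where it sits next to `.DangerDefaultAllowAll()` the sandboxee runs with neither syscall filtering nor namespaces, which is acceptable for a test harness but is the kind of builder chain that gets copied into a real policy verbatim. A one-line comment at each such call site, `// Namespaces are not under test here; opt out explicitly.`, records the intent without changing behaviour. `BufferTestcasePolicy()` continues outside the hunk.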


@ -49,6 +49,7 @@ namespace {
std::unique_ptr<sandbox2::Policy> GetPolicy() { std::unique_ptr<sandbox2::Policy> GetPolicy() {
return sandbox2::PolicyBuilder() return sandbox2::PolicyBuilder()
.DisableNamespaces()
.AllowExit() .AllowExit()
.AddPolicyOnSyscalls( .AddPolicyOnSyscalls(
{__NR_read, __NR_write, __NR_close}, {__NR_read, __NR_write, __NR_close},


@ -44,6 +44,7 @@ TEST(IPCTest, MapFDByNamePreExecve) {
Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test")); Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test"));
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -74,6 +75,7 @@ TEST(IPCTest, MapFDByNamePostExecve) {
Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test")); Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test"));
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -100,6 +102,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
auto executor = absl::make_unique<Executor>(path, args); auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());


@ -42,6 +42,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -59,6 +60,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -76,6 +78,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -93,6 +96,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -110,6 +114,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());


@ -83,6 +83,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
{ {
auto executor = absl::make_unique<Executor>(path, args); auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all // Don't restrict the syscalls at all
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -103,6 +104,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
std::vector<std::string> args = {path, "3", "1000", "1000"}; std::vector<std::string> args = {path, "3", "1000", "1000"};
auto executor = absl::make_unique<Executor>(path, args); auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.EnableNamespaces()
// Don't restrict the syscalls at all // Don't restrict the syscalls at all
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.EnableNamespaces() .EnableNamespaces()
@ -122,6 +124,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
std::vector<std::string> args = {path, "3", uid, gid}; std::vector<std::string> args = {path, "3", uid, gid};
auto executor = absl::make_unique<Executor>(path, args); auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all // Don't restrict the syscalls at all
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -151,6 +154,7 @@ class HostnameTest : public testing::Test {
TEST_F(HostnameTest, None) { TEST_F(HostnameTest, None) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all // Don't restrict the syscalls at all
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
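Review bot: In `UserNamespaceIDMapWritten` the new `.EnableNamespaces()` at the top of the builder chain duplicates the `.EnableNamespaces()` the chain already calls right after `.DangerDefaultAllowAll()`, so the policy now requests namespaces twice. Whether a repeated call is harmless depends on `PolicyBuilder`, which is not visible here; either way one of the two should go, and dropping the added line keeps this hunk shaped like the others in the commit. The second hunk of that test (`args = {path, "3", uid, gid}`) and `HostnameTest.None` get `.DisableNamespaces()` instead, which is presumably the intended control case but reads as a slip in a namespace test without a comment such as `// Control case: run without namespaces.` — worth confirming. The enclosing test bodies continue outside the hunks.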


@ -42,6 +42,7 @@ namespace {
// chosen because unlikely to be called by a regular program. // chosen because unlikely to be called by a regular program.
std::unique_ptr<Policy> NotifyTestcasePolicy() { std::unique_ptr<Policy> NotifyTestcasePolicy() {
return PolicyBuilder() return PolicyBuilder()
.DisableNamespaces()
.AllowStaticStartup() .AllowStaticStartup()
.AllowExit() .AllowExit()
.AllowRead() .AllowRead()


@ -41,6 +41,7 @@ namespace {
std::unique_ptr<Policy> PolicyTestcasePolicy() { std::unique_ptr<Policy> PolicyTestcasePolicy() {
return PolicyBuilder() return PolicyBuilder()
.DisableNamespaces()
.AllowStaticStartup() .AllowStaticStartup()
.AllowExit() .AllowExit()
.AllowRead() .AllowRead()


@ -194,6 +194,7 @@ std::string PolicyBuilderTest::Run(std::vector<std::string> args,
TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) { TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
PolicyBuilder b; PolicyBuilder b;
b.EnableNamespaces();
ASSERT_THAT(b.BuildOrDie(), NotNull()); ASSERT_THAT(b.BuildOrDie(), NotNull());
ASSERT_DEATH(b.BuildOrDie(), "Can only build policy once"); ASSERT_DEATH(b.BuildOrDie(), "Can only build policy once");
} }
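Review bot: `b.EnableNamespaces();` in `TestCanOnlyBuildOnce` is the only call in this commit that enables rather than disables namespaces, and nothing in the test explains the choice, so a reader may infer that `BuildOrDie()` now requires namespaces rather than merely an explicit selection. If the mode is irrelevant to the build-once assertion, a comment such as `// Namespace mode is not under test; any explicit choice is fine.` would say so, and `b.DisableNamespaces();` would match every other test touched here. Which of the two the builder actually demands is not visible in this hunk and should be confirmed against `PolicyBuilder`.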


@ -54,6 +54,7 @@ TEST(SandboxCoreDumpTest, AbortWithoutCoreDumpReturnsSignaled) {
auto executor = absl::make_unique<Executor>(path, args); auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -75,6 +76,7 @@ TEST(TsyncTest, TsyncNoMemoryChecks) {
executor->set_enable_sandbox_before_exec(false); executor->set_enable_sandbox_before_exec(false);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -101,6 +103,7 @@ TEST(ExecutorTest, ExecutorFdConstructor) {
auto executor = absl::make_unique<Executor>(fd, args, envs); auto executor = absl::make_unique<Executor>(fd, args, envs);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());
@ -205,8 +208,9 @@ TEST(StarvationTest, MonitorIsNotStarvedByTheSandboxee) {
std::vector<std::string> envs; std::vector<std::string> envs;
auto executor = absl::make_unique<Executor>(path, args, envs); auto executor = absl::make_unique<Executor>(path, args, envs);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, SAPI_ASSERT_OK_AND_ASSIGN(
PolicyBuilder().DangerDefaultAllowAll().TryBuild()); auto policy,
PolicyBuilder().DisableNamespaces().DangerDefaultAllowAll().TryBuild());
executor->limits()->set_walltime_limit(absl::Seconds(5)); executor->limits()->set_walltime_limit(absl::Seconds(5));
Sandbox2 sandbox(std::move(executor), std::move(policy)); Sandbox2 sandbox(std::move(executor), std::move(policy));
auto start = absl::Now(); auto start = absl::Now();


@ -130,6 +130,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
auto executor = absl::make_unique<Executor>(path, args); auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder() SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
.DisableNamespaces()
// Don't restrict the syscalls at all. // Don't restrict the syscalls at all.
.DangerDefaultAllowAll() .DangerDefaultAllowAll()
.TryBuild()); .TryBuild());