mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Internal change.
For OSS, this change should be mostly a no-op. Visible edits are due to changed order of code and/or includes. PiperOrigin-RevId: 394177395 Change-Id: I1d32f9fd175579e8f05c051b1307953b249d139d
This commit is contained in:
parent
9ab330dc7a
commit
289adcff06
|
@ -182,7 +182,7 @@ TEST(MountTreeTest, TestList) {
|
|||
const bool is_ro;
|
||||
};
|
||||
// clang-format off
|
||||
const TestCase test_cases[] = {
|
||||
constexpr TestCase kTestCases[] = {
|
||||
// NOTE: Directories have a trailing '/'; files don't.
|
||||
{"/a/b", true},
|
||||
{"/a/c/", true},
|
||||
|
@ -196,7 +196,7 @@ TEST(MountTreeTest, TestList) {
|
|||
Mounts mounts;
|
||||
|
||||
// Create actual directories and files on disk and selectively add
|
||||
for (const auto &test_case : test_cases) {
|
||||
for (const auto &test_case : kTestCases) {
|
||||
const auto inside_path = test_case.path;
|
||||
const std::string outside_path = absl::StrCat("/some/dir/", inside_path);
|
||||
if (absl::EndsWith(outside_path, "/")) {
|
||||
|
|
|
@ -28,9 +28,11 @@
|
|||
#include <utility>
|
||||
|
||||
#include "absl/memory/memory.h"
|
||||
#include "absl/status/status.h"
|
||||
#include "absl/status/statusor.h"
|
||||
#include "absl/strings/escaping.h"
|
||||
#include "absl/strings/match.h"
|
||||
#include "absl/strings/string_view.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/namespace.h"
|
||||
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
|
||||
|
@ -824,25 +826,18 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
|
|||
return AddFileAt(path, path, is_ro);
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::SetError(const absl::Status& status) {
|
||||
LOG(ERROR) << status;
|
||||
last_status_ = status;
|
||||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
||||
absl::string_view inside, bool is_ro) {
|
||||
EnableNamespaces();
|
||||
|
||||
auto fixed_outside_or = ValidateAbsolutePath(outside);
|
||||
if (!fixed_outside_or.ok()) {
|
||||
SetError(fixed_outside_or.status());
|
||||
auto valid_outside = ValidateAbsolutePath(outside);
|
||||
if (!valid_outside.ok()) {
|
||||
SetError(valid_outside.status());
|
||||
return *this;
|
||||
}
|
||||
auto fixed_outside = std::move(fixed_outside_or).value();
|
||||
|
||||
if (absl::StartsWith(fixed_outside, "/proc/self") &&
|
||||
fixed_outside != "/proc/self/cpuset") {
|
||||
if (absl::StartsWith(*valid_outside, "/proc/self") &&
|
||||
*valid_outside != "/proc/self/cpuset") {
|
||||
SetError(absl::InvalidArgumentError(
|
||||
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
|
||||
"whole /proc instead. You tried to mount ",
|
||||
|
@ -850,7 +845,7 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
|||
return *this;
|
||||
}
|
||||
|
||||
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
|
||||
if (auto status = mounts_.AddFileAt(*valid_outside, inside, is_ro);
|
||||
!status.ok()) {
|
||||
SetError(
|
||||
absl::InternalError(absl::StrCat("Could not add file ", outside, " => ",
|
||||
|
@ -863,17 +858,16 @@ PolicyBuilder& PolicyBuilder::AddLibrariesForBinary(
|
|||
absl::string_view path, absl::string_view ld_library_path) {
|
||||
EnableNamespaces();
|
||||
|
||||
auto fixed_path_or = ValidatePath(path);
|
||||
if (!fixed_path_or.ok()) {
|
||||
SetError(fixed_path_or.status());
|
||||
auto valid_path = ValidatePath(path);
|
||||
if (!valid_path.ok()) {
|
||||
SetError(valid_path.status());
|
||||
return *this;
|
||||
}
|
||||
auto fixed_path = std::move(fixed_path_or).value();
|
||||
|
||||
if (auto status = mounts_.AddMappingsForBinary(fixed_path, ld_library_path);
|
||||
if (auto status = mounts_.AddMappingsForBinary(*valid_path, ld_library_path);
|
||||
!status.ok()) {
|
||||
SetError(absl::InternalError(absl::StrCat(
|
||||
"Could not add libraries for ", fixed_path, ": ", status.message())));
|
||||
"Could not add libraries for ", *valid_path, ": ", status.message())));
|
||||
}
|
||||
return *this;
|
||||
}
|
||||
|
@ -893,13 +887,13 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
|
|||
bool is_ro) {
|
||||
EnableNamespaces();
|
||||
|
||||
auto fixed_outside_or = ValidateAbsolutePath(outside);
|
||||
if (!fixed_outside_or.ok()) {
|
||||
SetError(fixed_outside_or.status());
|
||||
auto valid_outside = ValidateAbsolutePath(outside);
|
||||
if (!valid_outside.ok()) {
|
||||
SetError(valid_outside.status());
|
||||
return *this;
|
||||
}
|
||||
auto fixed_outside = std::move(fixed_outside_or).value();
|
||||
if (absl::StartsWith(fixed_outside, "/proc/self")) {
|
||||
|
||||
if (absl::StartsWith(*valid_outside, "/proc/self")) {
|
||||
SetError(absl::InvalidArgumentError(
|
||||
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
|
||||
"whole /proc instead. You tried to mount ",
|
||||
|
@ -907,19 +901,21 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
|
|||
return *this;
|
||||
}
|
||||
|
||||
if (auto status = mounts_.AddDirectoryAt(fixed_outside, inside, is_ro);
|
||||
if (absl::Status status =
|
||||
mounts_.AddDirectoryAt(*valid_outside, inside, is_ro);
|
||||
!status.ok()) {
|
||||
SetError(absl::InternalError(absl::StrCat("Could not add directory ",
|
||||
outside, " => ", inside, ": ",
|
||||
status.message())));
|
||||
return *this;
|
||||
}
|
||||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t sz) {
|
||||
PolicyBuilder& PolicyBuilder::AddTmpfs(absl::string_view inside, size_t size) {
|
||||
EnableNamespaces();
|
||||
|
||||
if (auto status = mounts_.AddTmpfs(inside, sz); !status.ok()) {
|
||||
if (auto status = mounts_.AddTmpfs(inside, size); !status.ok()) {
|
||||
SetError(absl::InternalError(absl::StrCat("Could not mount tmpfs ", inside,
|
||||
": ", status.message())));
|
||||
}
|
||||
|
@ -1081,4 +1077,10 @@ PolicyBuilder& PolicyBuilder::AllowIPv6(const std::string& ip_and_mask,
|
|||
return *this;
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::SetError(const absl::Status& status) {
|
||||
LOG(ERROR) << status;
|
||||
last_status_ = status;
|
||||
return *this;
|
||||
}
|
||||
|
||||
} // namespace sandbox2
|
||||
|
|
|
@ -567,6 +567,10 @@ class PolicyBuilder final {
|
|||
friend class PolicyBuilderPeer; // For testing
|
||||
friend class StackTracePeer;
|
||||
|
||||
static absl::StatusOr<std::string> ValidateAbsolutePath(
|
||||
absl::string_view path);
|
||||
static absl::StatusOr<std::string> ValidatePath(absl::string_view path);
|
||||
|
||||
// Allows a limited version of madvise
|
||||
PolicyBuilder& AllowLimitedMadvise();
|
||||
|
||||
|
@ -577,12 +581,12 @@ class PolicyBuilder final {
|
|||
|
||||
std::vector<sock_filter> ResolveBpfFunc(BpfFunc f);
|
||||
|
||||
static absl::StatusOr<std::string> ValidateAbsolutePath(
|
||||
absl::string_view path);
|
||||
static absl::StatusOr<std::string> ValidatePath(absl::string_view path);
|
||||
|
||||
void StoreDescription(PolicyBuilderDescription* pb_description);
|
||||
|
||||
// This function returns a PolicyBuilder so that we can use it in the status
|
||||
// macros
|
||||
PolicyBuilder& SetError(const absl::Status& status);
|
||||
|
||||
Mounts mounts_;
|
||||
bool use_namespaces_ = true;
|
||||
bool requires_namespaces_ = false;
|
||||
|
@ -603,9 +607,6 @@ class PolicyBuilder final {
|
|||
// Error handling
|
||||
absl::Status last_status_;
|
||||
bool already_built_ = false;
|
||||
// This function returns a PolicyBuilder so that we can use it in the status
|
||||
// macros
|
||||
PolicyBuilder& SetError(const absl::Status& status);
|
||||
|
||||
// Contains list of allowed hosts.
|
||||
absl::optional<AllowedHosts> allowed_hosts_;
|
||||
|
|
Loading…
Reference in New Issue
Block a user