Improve examples

- CRC4: More readable policy, added explanatory comment
- Use `AllowLlvmSanitizers()` in policies

PiperOrigin-RevId: 402296504
Change-Id: I6853199abedf2441eaffff9186d4d354c142e485
This commit is contained in:
Christian Blichmann 2021-10-11 07:50:01 -07:00 committed by Copybara-Service
parent d05dc7ba02
commit 2c42654333
2 changed files with 20 additions and 21 deletions


@ -50,23 +50,27 @@ ABSL_FLAG(bool, call_syscall_not_allowed, false,
namespace { namespace {
std::unique_ptr<sandbox2::Policy> GetPolicy() { std::unique_ptr<sandbox2::Policy> GetPolicy() {
sandbox2::PolicyBuilder builder; return sandbox2::PolicyBuilder()
builder.DisableNamespaces().AllowExit().AddPolicyOnSyscalls( .DisableNamespaces() // Safe, as we only allow I/O on existing FDs.
{__NR_read, __NR_write, __NR_close}, .AllowExit()
.AddPolicyOnSyscalls(
{
__NR_read,
__NR_write,
__NR_close,
},
{ {
ARG_32(0), ARG_32(0),
JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW), JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW),
}); })
if constexpr (sapi::sanitizers::IsAny()) { .AllowLlvmSanitizers() // Will be a no-op when not using sanitizers.
builder.AllowSyscall(__NR_mmap); .BuildOrDie();
}
return builder.BuildOrDie();
} }
bool SandboxedCRC4(sandbox2::Comms* comms, uint32_t* crc4) { bool SandboxedCRC4(sandbox2::Comms* comms, uint32_t* crc4) {
const std::string input = absl::GetFlag(FLAGS_input); const std::string input = absl::GetFlag(FLAGS_input);
const uint8_t* buf = reinterpret_cast<const uint8_t*>(input.data()); auto* buf = reinterpret_cast<const uint8_t*>(input.data());
size_t buf_size = input.size(); size_t buf_size = input.size();
if (!comms->SendBytes(buf, buf_size)) { if (!comms->SendBytes(buf, buf_size)) {
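Review bot: The comment on `.AllowLlvmSanitizers()` promises it is a no-op without sanitizers, but that guarantee moved out of the visible `if constexpr (sapi::sanitizers::IsAny())` guard into PolicyBuilder, so a reader of this policy can no longer see what the effective allow-list is in a production build; if the helper ever allows its syscalls unconditionally, the CRC4 sandbox silently gains `mmap` and whatever else the helper adds, a wider set than the single `__NR_mmap` the old branch allowed. Worth confirming that the helper is compile-time gated on the sanitizer build, and making the comment name the widening so the trade-off is explicit, e.g. `.AllowLlvmSanitizers() // Adds the sanitizer runtime's syscalls (mmap, ...) only in sanitizer builds; should be a no-op otherwise.` The same replacement, of an `.AllowMmap()` branch, is made in the second file's GetPolicy and deserves the same check. The enclosing anonymous namespace and SandboxedCRC4 continue past the end of this hunk.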


@ -38,10 +38,7 @@
#include "sandboxed_api/util/runfiles.h" #include "sandboxed_api/util/runfiles.h"
std::unique_ptr<sandbox2::Policy> GetPolicy() { std::unique_ptr<sandbox2::Policy> GetPolicy() {
sandbox2::PolicyBuilder builder; return sandbox2::PolicyBuilder()
builder
// The most frequent syscall should go first in this
// sequence (to make it fast).
.AllowRead() .AllowRead()
.AllowWrite() .AllowWrite()
.AllowExit() .AllowExit()
@ -52,11 +49,9 @@ std::unique_ptr<sandbox2::Policy> GetPolicy() {
// Not defined with every CPU architecture in prod. // Not defined with every CPU architecture in prod.
__NR_arch_prctl, __NR_arch_prctl,
#endif #endif
}); })
if constexpr (sapi::sanitizers::IsAny()) { .AllowLlvmSanitizers() // Will be a no-op when not using sanitizers.
builder.AllowMmap(); .BuildOrDie();
}
return builder.BuildOrDie();
} }
static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) { static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) {
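Review bot: The first hunk of this file drops the comment `// The most frequent syscall should go first in this sequence (to make it fast).` that explained why `.AllowRead()` leads the chain; the ordering survives the rewrite but its rationale does not, so a later reordering of the allows will look harmless. Restore it as the line directly above `.AllowRead()` in the chained form. The second hunk's `.AllowLlvmSanitizers()` comment has the same verification question as the first file's CRC4 policy. GetPolicy's middle, between the two hunks, is not shown here.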