mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Minor cleanup/formatting changes
PiperOrigin-RevId: 374164136 Change-Id: I505cbc3ac9f899ed965cde66aaae1aba55a90c64
This commit is contained in:
parent
ca6ec4337d
commit
2d3a040f64
|
@ -84,7 +84,7 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
|||
}
|
||||
|
||||
// Add LD_ORIGIN_PATH to envs, as it'll make the amount of syscalls invoked by
|
||||
// ld.so smaller. See http://b/7626303 for more details on this behavior.
|
||||
// ld.so smaller.
|
||||
if (!path_.empty()) {
|
||||
request.add_envs(absl::StrCat("LD_ORIGIN_PATH=",
|
||||
file_util::fileops::StripBasename(path_)));
|
||||
|
|
|
@ -237,6 +237,7 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
|||
if (!sanitizer::GetListOfFDs(&open_fds)) {
|
||||
SAPI_RAW_LOG(WARNING, "Could not get list of current open FDs");
|
||||
}
|
||||
|
||||
InitializeNamespaces(request, uid, gid, avoid_pivot_root);
|
||||
|
||||
auto caps = cap_init();
|
||||
|
@ -320,9 +321,8 @@ pid_t ForkServer::ServeRequest() {
|
|||
if (comms_->IsTerminated()) {
|
||||
SAPI_RAW_VLOG(1, "ForkServer Comms closed. Exiting");
|
||||
exit(0);
|
||||
} else {
|
||||
SAPI_RAW_LOG(FATAL, "Failed to receive ForkServer request");
|
||||
}
|
||||
SAPI_RAW_LOG(FATAL, "Failed to receive ForkServer request");
|
||||
}
|
||||
int comms_fd;
|
||||
SAPI_RAW_CHECK(comms_->RecvFD(&comms_fd), "Failed to receive Comms FD");
|
||||
|
@ -575,6 +575,7 @@ void ForkServer::InitializeNamespaces(const ForkRequest& request, uid_t uid,
|
|||
SAPI_RAW_PCHECK(!unshare(clone_flags),
|
||||
"Could not create new namespaces for libunwind");
|
||||
}
|
||||
|
||||
Namespace::InitializeNamespaces(
|
||||
uid, gid, clone_flags, Mounts(request.mount_tree()),
|
||||
request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND, request.hostname(),
|
||||
|
|
|
@ -328,7 +328,7 @@ absl::Status Mounts::AddMappingsForBinary(const std::string& path,
|
|||
SAPI_RETURN_IF_ERROR(ValidateInterpreter(interpreter));
|
||||
|
||||
std::vector<std::string> search_paths;
|
||||
// 1. LD_LIBRARY_PRELOAD
|
||||
// 1. LD_LIBRARY_PATH
|
||||
if (!ld_library_path.empty()) {
|
||||
std::vector<std::string> ld_library_paths =
|
||||
absl::StrSplit(ld_library_path, absl::ByAnyChar(":;"));
|
||||
|
@ -476,65 +476,52 @@ uint64_t GetMountFlagsFor(const std::string& path) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static constexpr struct {
|
||||
const uint64_t mount_flag;
|
||||
const uint64_t vfs_flag;
|
||||
} mount_pairs[] = {
|
||||
{MS_NOSUID, ST_NOSUID}, {MS_NODEV, ST_NODEV},
|
||||
{MS_NOEXEC, ST_NOEXEC}, {MS_SYNCHRONOUS, ST_SYNCHRONOUS},
|
||||
{MS_MANDLOCK, ST_MANDLOCK}, {MS_NOATIME, ST_NOATIME},
|
||||
{MS_NODIRATIME, ST_NODIRATIME}, {MS_RELATIME, ST_RELATIME},
|
||||
};
|
||||
|
||||
uint64_t flags = 0;
|
||||
for (const auto& i : mount_pairs) {
|
||||
if (vfs.f_flag & i.vfs_flag) {
|
||||
flags |= i.mount_flag;
|
||||
using MountPair = std::pair<uint64_t, uint64_t>;
|
||||
for (const auto& [mount_flag, vfs_flag] : {
|
||||
MountPair(MS_NOSUID, ST_NOSUID),
|
||||
MountPair(MS_NODEV, ST_NODEV),
|
||||
MountPair(MS_NOEXEC, ST_NOEXEC),
|
||||
MountPair(MS_SYNCHRONOUS, ST_SYNCHRONOUS),
|
||||
MountPair(MS_MANDLOCK, ST_MANDLOCK),
|
||||
MountPair(MS_NOATIME, ST_NOATIME),
|
||||
MountPair(MS_NODIRATIME, ST_NODIRATIME),
|
||||
MountPair(MS_RELATIME, ST_RELATIME),
|
||||
}) {
|
||||
if (vfs.f_flag & vfs_flag) {
|
||||
flags |= mount_flag;
|
||||
}
|
||||
}
|
||||
|
||||
return flags;
|
||||
}
|
||||
|
||||
std::string MountFlagsToString(uint64_t flags) {
|
||||
#define SAPI_MAP(x) \
|
||||
{ x, #x }
|
||||
static constexpr std::pair<uint64_t, absl::string_view> map[] = {
|
||||
SAPI_MAP(MS_RDONLY),
|
||||
SAPI_MAP(MS_NOSUID),
|
||||
SAPI_MAP(MS_NODEV),
|
||||
SAPI_MAP(MS_NOEXEC),
|
||||
SAPI_MAP(MS_SYNCHRONOUS),
|
||||
SAPI_MAP(MS_REMOUNT),
|
||||
SAPI_MAP(MS_MANDLOCK),
|
||||
SAPI_MAP(MS_DIRSYNC),
|
||||
SAPI_MAP(MS_NOATIME),
|
||||
SAPI_MAP(MS_NODIRATIME),
|
||||
SAPI_MAP(MS_BIND),
|
||||
SAPI_MAP(MS_MOVE),
|
||||
static constexpr std::pair<uint64_t, absl::string_view> kMap[] = {
|
||||
SAPI_MAP(MS_RDONLY), SAPI_MAP(MS_NOSUID),
|
||||
SAPI_MAP(MS_NODEV), SAPI_MAP(MS_NOEXEC),
|
||||
SAPI_MAP(MS_SYNCHRONOUS), SAPI_MAP(MS_REMOUNT),
|
||||
SAPI_MAP(MS_MANDLOCK), SAPI_MAP(MS_DIRSYNC),
|
||||
SAPI_MAP(MS_NOATIME), SAPI_MAP(MS_NODIRATIME),
|
||||
SAPI_MAP(MS_BIND), SAPI_MAP(MS_MOVE),
|
||||
SAPI_MAP(MS_REC),
|
||||
#ifdef MS_VERBOSE
|
||||
// MS_VERBOSE is deprecated
|
||||
SAPI_MAP(MS_VERBOSE),
|
||||
SAPI_MAP(MS_VERBOSE), // Deprecated
|
||||
#endif
|
||||
SAPI_MAP(MS_SILENT),
|
||||
SAPI_MAP(MS_POSIXACL),
|
||||
SAPI_MAP(MS_UNBINDABLE),
|
||||
SAPI_MAP(MS_PRIVATE),
|
||||
SAPI_MAP(MS_SILENT), SAPI_MAP(MS_POSIXACL),
|
||||
SAPI_MAP(MS_UNBINDABLE), SAPI_MAP(MS_PRIVATE),
|
||||
SAPI_MAP(MS_SLAVE), // Inclusive language: system constant
|
||||
SAPI_MAP(MS_SHARED),
|
||||
SAPI_MAP(MS_RELATIME),
|
||||
SAPI_MAP(MS_KERNMOUNT),
|
||||
SAPI_MAP(MS_I_VERSION),
|
||||
SAPI_MAP(MS_SHARED), SAPI_MAP(MS_RELATIME),
|
||||
SAPI_MAP(MS_KERNMOUNT), SAPI_MAP(MS_I_VERSION),
|
||||
SAPI_MAP(MS_STRICTATIME),
|
||||
#ifdef MS_LAZYTIME
|
||||
// MS_LAZYTIME was added in Linux 4.0
|
||||
SAPI_MAP(MS_LAZYTIME),
|
||||
SAPI_MAP(MS_LAZYTIME), // Added in Linux 4.0
|
||||
#endif
|
||||
};
|
||||
#undef SAPI_MAP
|
||||
std::vector<absl::string_view> flags_list;
|
||||
for (auto [val, str] : map) {
|
||||
for (const auto& [val, str] : kMap) {
|
||||
if ((flags & val) == val) {
|
||||
flags &= ~val;
|
||||
flags_list.push_back(str);
|
||||
|
|
|
@ -58,6 +58,11 @@ class Policy final {
|
|||
void GetPolicyDescription(PolicyDescription* policy) const;
|
||||
|
||||
private:
|
||||
friend class Monitor;
|
||||
friend class PolicyBuilder;
|
||||
friend class PolicyBuilderPeer; // For testing
|
||||
friend class StackTracePeer;
|
||||
|
||||
// Private constructor only called by the PolicyBuilder.
|
||||
Policy() = default;
|
||||
|
||||
|
@ -105,11 +110,6 @@ class Policy final {
|
|||
|
||||
// Contains a list of hosts the sandboxee is allowed to connect to.
|
||||
absl::optional<AllowedHosts> allowed_hosts_;
|
||||
|
||||
friend class Monitor;
|
||||
friend class PolicyBuilder;
|
||||
friend class PolicyBuilderPeer; // For testing
|
||||
friend class StackTracePeer;
|
||||
};
|
||||
|
||||
} // namespace sandbox2
|
||||
|
|
|
@ -249,6 +249,7 @@ cc_library(
|
|||
copts = sapi_platform_copts(),
|
||||
deps = [
|
||||
":fileops",
|
||||
":status",
|
||||
":strerror",
|
||||
"@com_google_absl//absl/status",
|
||||
"@com_google_absl//absl/status:statusor",
|
||||
|
|
|
@ -151,6 +151,7 @@ add_library(sapi::temp_file ALIAS sapi_util_temp_file)
|
|||
target_link_libraries(sapi_util_temp_file
|
||||
PRIVATE absl::strings
|
||||
sapi::fileops
|
||||
sapi::status
|
||||
sapi::strerror
|
||||
sapi::base
|
||||
PUBLIC absl::status
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#include "absl/status/statusor.h"
|
||||
#include "absl/strings/str_cat.h"
|
||||
#include "sandboxed_api/util/fileops.h"
|
||||
#include "sandboxed_api/util/status_macros.h"
|
||||
#include "sandboxed_api/util/strerror.h"
|
||||
|
||||
namespace sapi {
|
||||
|
@ -38,28 +39,22 @@ absl::StatusOr<std::pair<std::string, int>> CreateNamedTempFile(
|
|||
std::string name_template = absl::StrCat(prefix, kMktempSuffix);
|
||||
int fd = mkstemp(&name_template[0]);
|
||||
if (fd < 0) {
|
||||
return absl::UnknownError(absl::StrCat("mkstemp():", StrError(errno)));
|
||||
return absl::UnknownError(absl::StrCat("mkstemp(): ", StrError(errno)));
|
||||
}
|
||||
return std::pair<std::string, int>{std::move(name_template), fd};
|
||||
}
|
||||
|
||||
absl::StatusOr<std::string> CreateNamedTempFileAndClose(
|
||||
absl::string_view prefix) {
|
||||
auto result_or = CreateNamedTempFile(prefix);
|
||||
if (result_or.ok()) {
|
||||
std::string path;
|
||||
int fd;
|
||||
std::tie(path, fd) = std::move(result_or).value();
|
||||
close(fd);
|
||||
return path;
|
||||
}
|
||||
return result_or.status();
|
||||
SAPI_ASSIGN_OR_RETURN(auto result, CreateNamedTempFile(prefix));
|
||||
close(result.second);
|
||||
return std::move(result.first);
|
||||
}
|
||||
|
||||
absl::StatusOr<std::string> CreateTempDir(absl::string_view prefix) {
|
||||
std::string name_template = absl::StrCat(prefix, kMktempSuffix);
|
||||
if (mkdtemp(&name_template[0]) == nullptr) {
|
||||
return absl::UnknownError(absl::StrCat("mkdtemp():", StrError(errno)));
|
||||
return absl::UnknownError(absl::StrCat("mkdtemp(): ", StrError(errno)));
|
||||
}
|
||||
return name_template;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user