Remove AllowUnsafeKeepCapabilities()
PiperOrigin-RevId: 506586347 Change-Id: I859a1f695ffbcf3b982a26df425c6b4e03c62da1
parent
8f24f2a4f0
commit
34b2f6bc90
|
@ -83,7 +83,7 @@ std::vector<std::string> Executor::CopyEnviron() {
|
|||
}
|
||||
|
||||
absl::StatusOr<Executor::Process> Executor::StartSubProcess(
|
||||
int32_t clone_flags, const Namespace* ns, const std::vector<int>& caps) {
|
||||
int32_t clone_flags, const Namespace* ns) {
|
||||
if (started_) {
|
||||
return absl::FailedPreconditionError(
|
||||
"This executor has already been started");
|
||||
|
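Review bot: The rewritten definition `int32_t clone_flags, const Namespace* ns) {` still disagrees with the declaration in the header hunk further down, which spells the first parameter `int clone_flags`. On common ABIs `int` and `int32_t` are the same type, so this presumably compiles and links as before, but since this commit touches both signatures it is the natural moment to make them agree, e.g. `absl::StatusOr<Process> StartSubProcess(int32_t clone_flags,` in the header. StartSubProcess's body continues outside the hunk.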
@ -150,10 +150,6 @@ absl::StatusOr<Executor::Process> Executor::StartSubProcess(
|
|||
|
||||
request.set_clone_flags(clone_flags);
|
||||
|
||||
for (auto cap : caps) {
|
||||
request.add_capabilities(cap);
|
||||
}
|
||||
|
||||
Process process;
|
||||
|
||||
if (fork_client_) {
|
||||
|
|
|
@ -124,12 +124,8 @@ class Executor final {
|
|||
// Starts a new process which is connected with this Executor instance via a
|
||||
// Comms channel.
|
||||
// For clone_flags refer to Linux' 'man 2 clone'.
|
||||
//
|
||||
// caps is a vector of capabilities that are kept in the permitted set after
|
||||
// the clone, use with caution.
|
||||
absl::StatusOr<Process> StartSubProcess(int clone_flags,
|
||||
const Namespace* ns = nullptr,
|
||||
const std::vector<int>& caps = {});
|
||||
const Namespace* ns = nullptr);
|
||||
|
||||
// Whether the Executor has been started yet
|
||||
bool started_ = false;
|
||||
|
|
|
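Review bot: With the `caps` paragraph removed, the surviving comment on StartSubProcess documents `clone_flags` but says nothing about `ns`, even though the call site in MonitorBase::Launch below treats it as nullable (`ns && (ns->GetCloneFlags() & CLONE_NEWPID)`). Suggest one added line such as `// ns may be nullptr; confirm what that means for the child's namespaces.` once the behaviour of a null ns has been checked against the implementation, since only the first lines of the definition are visible in this commit. The class body continues outside the hunk.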
@ -300,15 +300,6 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
|
|||
InitializeNamespaces(request, uid, gid, avoid_pivot_root);
|
||||
|
||||
auto caps = cap_init();
|
||||
for (auto cap : request.capabilities()) {
|
||||
SAPI_RAW_CHECK(cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_SET) == 0,
|
||||
absl::StrCat("setting capability ", cap).c_str());
|
||||
SAPI_RAW_CHECK(cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET) == 0,
|
||||
absl::StrCat("setting capability ", cap).c_str());
|
||||
SAPI_RAW_CHECK(cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, CAP_SET) == 0,
|
||||
absl::StrCat("setting capability ", cap).c_str());
|
||||
}
|
||||
|
||||
SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
|
||||
cap_free(caps);
|
||||
|
||||
|
|
|
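Review bot: If, as the hunk's line counts suggest, `auto caps = cap_init();` and `SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");` survive and only the per-capability loop is removed, the child now unconditionally installs an empty capability set and nothing in the remaining lines says so. Suggest a comment above the remaining call, e.g. `// cap_init() returns a fully cleared set, so cap_set_proc() drops every capability from the permitted, effective and inheritable sets.` Separately, cap_init() returns NULL on allocation failure, in which case the existing check would fail with a message about dropping capabilities rather than about allocation; a preceding `SAPI_RAW_CHECK(caps != nullptr, "cap_init failed");` would make that failure attributable. LaunchChild's body starts and ends outside the hunk.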
@ -192,7 +192,7 @@ void MonitorBase::Launch() {
|
|||
// Get PID of the sandboxee.
|
||||
bool should_have_init = ns && (ns->GetCloneFlags() & CLONE_NEWPID);
|
||||
absl::StatusOr<Executor::Process> process =
|
||||
executor_->StartSubProcess(clone_flags, ns, policy_->capabilities());
|
||||
executor_->StartSubProcess(clone_flags, ns);
|
||||
|
||||
if (!process.ok()) {
|
||||
LOG(ERROR) << "Starting sandboxed subprocess failed: " << process.status();
|
||||
|
|
|
@ -208,8 +208,6 @@ Namespace::Namespace(bool allow_unrestricted_networking, Mounts mounts,
|
|||
}
|
||||
}
|
||||
|
||||
void Namespace::DisableUserNamespace() { clone_flags_ &= ~CLONE_NEWUSER; }
|
||||
|
||||
int32_t Namespace::GetCloneFlags() const { return clone_flags_; }
|
||||
|
||||
void Namespace::InitializeNamespaces(uid_t uid, gid_t gid, int32_t clone_flags,
|
||||
|
|
|
@ -47,8 +47,6 @@ class Namespace final {
|
|||
Namespace(bool allow_unrestricted_networking, Mounts mounts,
|
||||
std::string hostname, bool allow_mount_propagation);
|
||||
|
||||
void DisableUserNamespace();
|
||||
|
||||
// Returns all needed CLONE_NEW* flags.
|
||||
int32_t GetCloneFlags() const;
|
||||
|
||||
|
|
|
@ -181,13 +181,6 @@ bool Policy::SendPolicy(Comms* comms) const {
|
|||
return true;
|
||||
}
|
||||
|
||||
void Policy::AllowUnsafeKeepCapabilities(std::vector<int> caps) {
|
||||
if (namespace_) {
|
||||
namespace_->DisableUserNamespace();
|
||||
}
|
||||
capabilities_ = std::move(caps);
|
||||
}
|
||||
|
||||
void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
||||
policy->set_user_bpf_policy(user_policy_.data(),
|
||||
user_policy_.size() * sizeof(sock_filter));
|
||||
|
@ -200,10 +193,6 @@ void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
|||
namespace_->GetNamespaceDescription(
|
||||
policy->mutable_namespace_description());
|
||||
}
|
||||
|
||||
for (const auto& cap : capabilities_) {
|
||||
policy->add_capabilities(cap);
|
||||
}
|
||||
}
|
||||
|
||||
} // namespace sandbox2
|
||||
|
|
|
@ -49,11 +49,6 @@ class Comms;
|
|||
|
||||
class Policy final {
|
||||
public:
|
||||
// Skips creation of a user namespace and keep capabilities in the global
|
||||
// namespace. This only makes sense in some rare cases where the sandbox is
|
||||
// started as root, please talk to sandbox-team@ before using this function.
|
||||
void AllowUnsafeKeepCapabilities(std::vector<int> caps);
|
||||
|
||||
// Stores information about the policy (and the policy builder if existing)
|
||||
// in the protobuf structure.
|
||||
void GetPolicyDescription(PolicyDescription* policy) const;
|
||||
|
@ -80,8 +75,6 @@ class Policy final {
|
|||
namespace_ = std::move(ns);
|
||||
}
|
||||
|
||||
const std::vector<int>& capabilities() const { return capabilities_; }
|
||||
|
||||
// Returns the default policy, which blocks certain dangerous syscalls and
|
||||
// mismatched syscall tables.
|
||||
std::vector<sock_filter> GetDefaultPolicy() const;
|
||||
|
@ -99,9 +92,6 @@ class Policy final {
|
|||
bool collect_stacktrace_on_kill_ = true;
|
||||
bool collect_stacktrace_on_exit_ = false;
|
||||
|
||||
// The capabilities to keep in the sandboxee.
|
||||
std::vector<int> capabilities_;
|
||||
|
||||
// Optional pointer to a PolicyBuilder description pb object.
|
||||
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;
|
||||
|
||||
|
|