Remove AllowUnsafeKeepCapabilities()

PiperOrigin-RevId: 506586347
Change-Id: I859a1f695ffbcf3b982a26df425c6b4e03c62da1

sandboxed_api/sandbox2/executor.cc

@@ -83,7 +83,7 @@ std::vector<std::string> Executor::CopyEnviron() {
 }
 
 absl::StatusOr<Executor::Process> Executor::StartSubProcess(
-    int32_t clone_flags, const Namespace* ns, const std::vector<int>& caps) {
+    int32_t clone_flags, const Namespace* ns) {
   if (started_) {
     return absl::FailedPreconditionError(
         "This executor has already been started");
@@ -150,10 +150,6 @@ absl::StatusOr<Executor::Process> Executor::StartSubProcess(
 
   request.set_clone_flags(clone_flags);
 
-  for (auto cap : caps) {
-    request.add_capabilities(cap);
-  }
-
   Process process;
 
   if (fork_client_) {

sandboxed_api/sandbox2/executor.h

@@ -124,12 +124,8 @@ class Executor final {
   // Starts a new process which is connected with this Executor instance via a
   // Comms channel.
   // For clone_flags refer to Linux' 'man 2 clone'.
-  //
-  // caps is a vector of capabilities that are kept in the permitted set after
-  // the clone, use with caution.
   absl::StatusOr<Process> StartSubProcess(int clone_flags,
-                                          const Namespace* ns = nullptr,
-                                          const std::vector<int>& caps = {});
+                                          const Namespace* ns = nullptr);
 
   // Whether the Executor has been started yet
   bool started_ = false;

sandboxed_api/sandbox2/forkserver.cc

@@ -300,15 +300,6 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
   InitializeNamespaces(request, uid, gid, avoid_pivot_root);
 
   auto caps = cap_init();
-  for (auto cap : request.capabilities()) {
-    SAPI_RAW_CHECK(cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_SET) == 0,
-                   absl::StrCat("setting capability ", cap).c_str());
-    SAPI_RAW_CHECK(cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET) == 0,
-                   absl::StrCat("setting capability ", cap).c_str());
-    SAPI_RAW_CHECK(cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, CAP_SET) == 0,
-                   absl::StrCat("setting capability ", cap).c_str());
-  }
-
   SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
   cap_free(caps);
 

sandboxed_api/sandbox2/monitor_base.cc

@@ -192,7 +192,7 @@ void MonitorBase::Launch() {
   // Get PID of the sandboxee.
   bool should_have_init = ns && (ns->GetCloneFlags() & CLONE_NEWPID);
   absl::StatusOr<Executor::Process> process =
-      executor_->StartSubProcess(clone_flags, ns, policy_->capabilities());
+      executor_->StartSubProcess(clone_flags, ns);
 
   if (!process.ok()) {
     LOG(ERROR) << "Starting sandboxed subprocess failed: " << process.status();

sandboxed_api/sandbox2/namespace.cc

@@ -208,8 +208,6 @@ Namespace::Namespace(bool allow_unrestricted_networking, Mounts mounts,
   }
 }
 
-void Namespace::DisableUserNamespace() { clone_flags_ &= ~CLONE_NEWUSER; }
-
 int32_t Namespace::GetCloneFlags() const { return clone_flags_; }
 
 void Namespace::InitializeNamespaces(uid_t uid, gid_t gid, int32_t clone_flags,

sandboxed_api/sandbox2/namespace.h

@@ -47,8 +47,6 @@ class Namespace final {
   Namespace(bool allow_unrestricted_networking, Mounts mounts,
             std::string hostname, bool allow_mount_propagation);
 
-  void DisableUserNamespace();
-
   // Returns all needed CLONE_NEW* flags.
   int32_t GetCloneFlags() const;
 

sandboxed_api/sandbox2/policy.cc

@@ -181,13 +181,6 @@ bool Policy::SendPolicy(Comms* comms) const {
   return true;
 }
 
-void Policy::AllowUnsafeKeepCapabilities(std::vector<int> caps) {
-  if (namespace_) {
-    namespace_->DisableUserNamespace();
-  }
-  capabilities_ = std::move(caps);
-}
-
 void Policy::GetPolicyDescription(PolicyDescription* policy) const {
   policy->set_user_bpf_policy(user_policy_.data(),
                               user_policy_.size() * sizeof(sock_filter));
@@ -200,10 +193,6 @@ void Policy::GetPolicyDescription(PolicyDescription* policy) const {
     namespace_->GetNamespaceDescription(
         policy->mutable_namespace_description());
   }
-
-  for (const auto& cap : capabilities_) {
-    policy->add_capabilities(cap);
-  }
 }
 
 }  // namespace sandbox2

sandboxed_api/sandbox2/policy.h

@@ -49,11 +49,6 @@ class Comms;
 
 class Policy final {
  public:
-  // Skips creation of a user namespace and keep capabilities in the global
-  // namespace. This only makes sense in some rare cases where the sandbox is
-  // started as root, please talk to sandbox-team@ before using this function.
-  void AllowUnsafeKeepCapabilities(std::vector<int> caps);
-
   // Stores information about the policy (and the policy builder if existing)
   // in the protobuf structure.
   void GetPolicyDescription(PolicyDescription* policy) const;
@@ -80,8 +75,6 @@ class Policy final {
     namespace_ = std::move(ns);
   }
 
-  const std::vector<int>& capabilities() const { return capabilities_; }
-
   // Returns the default policy, which blocks certain dangerous syscalls and
   // mismatched syscall tables.
   std::vector<sock_filter> GetDefaultPolicy() const;
@@ -99,9 +92,6 @@ class Policy final {
   bool collect_stacktrace_on_kill_ = true;
   bool collect_stacktrace_on_exit_ = false;
 
-  // The capabilities to keep in the sandboxee.
-  std::vector<int> capabilities_;
-
   // Optional pointer to a PolicyBuilder description pb object.
   std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;