diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc
index c99486d..83f3138 100644
--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
@@ -164,16 +164,11 @@ bool Policy::SendPolicy(Comms* comms) const {
   return true;
 }
 
-void Policy::AllowUnsafeKeepCapabilities(
-    std::unique_ptr> caps) {
+void Policy::AllowUnsafeKeepCapabilities(std::vector caps) {
   if (namespace_) {
     namespace_->DisableUserNamespace();
   }
-  if (!caps) {
-    capabilities_.clear();
-  } else {
-    capabilities_ = {caps->begin(), caps->end()};
-  }
+  capabilities_ = std::move(caps);
 }
 
 void Policy::GetPolicyDescription(PolicyDescription* policy) const {
diff --git a/sandboxed_api/sandbox2/policy.h b/sandboxed_api/sandbox2/policy.h
index 179ccfb..edd5cb8 100644
--- a/sandboxed_api/sandbox2/policy.h
+++ b/sandboxed_api/sandbox2/policy.h
@@ -52,7 +52,7 @@ class Policy final {
   // Skips creation of a user namespace and keep capabilities in the global
   // namespace. This only makes sense in some rare cases where the sandbox is
   // started as root, please talk to sandbox-team@ before using this function.
-  void AllowUnsafeKeepCapabilities(std::unique_ptr> caps);
+  void AllowUnsafeKeepCapabilities(std::vector caps);
 
   // Stores information about the policy (and the policy builder if existing)
   // in the protobuf structure.
diff --git a/sandboxed_api/sandbox2/stack_trace.cc b/sandboxed_api/sandbox2/stack_trace.cc
index e42b3d2..e387a86 100644
--- a/sandboxed_api/sandbox2/stack_trace.cc
+++ b/sandboxed_api/sandbox2/stack_trace.cc
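Review bot: The new `AllowUnsafeKeepCapabilities` body still disables the user namespace unconditionally and then stores whatever ints it was handed, with no validation of the capability numbers and no record that the unsafe path was taken; with the pointer form gone, an empty vector (`AllowUnsafeKeepCapabilities({})`) now weakens isolation while keeping nothing, exactly as the old nullptr branch did, but nothing flags it. Since this is the one call that turns off user-namespace isolation for a root-started sandbox, a loud trace at the point it is enabled would help anyone auditing a deployment, e.g. `LOG(WARNING) << "AllowUnsafeKeepCapabilities: disabling user namespace, keeping " << caps.size() << " capabilities";` before the `if (namespace_)` block, and a range check on each element (`0 <= cap && cap <= CAP_LAST_CAP`) before the `std::move` — assuming a logging macro and `<linux/capability.h>` are already in scope in policy.cc, which this hunk does not show. If they are not, at least an empty-vector guard (`if (caps.empty()) { capabilities_.clear(); return; }`) would stop the no-caps case from silently dropping the namespace, but that is a behaviour change the sandbox team should confirm.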
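Review bot: The header comment above the new `std::vector` signature does not say what the elements are or what an empty vector does, and its grammar slipped ("Skips creation ... and keep"); the policy.cc hunk shows that an empty vector clears `capabilities_` while `DisableUserNamespace()` is still called, which a caller of an "Unsafe" API needs to know. Suggested replacement for the first two comment lines: `// Skips creation of a user namespace and keeps the given capabilities (CAP_* values as ints) in the global namespace. An empty vector keeps no capabilities but still disables the user namespace.` Keep the existing "only makes sense when started as root, talk to sandbox-team@" sentence as is.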
@@ -158,9 +158,7 @@ absl::StatusOr> StackTracePeer::GetPolicy(
   }
   SAPI_ASSIGN_OR_RETURN(std::unique_ptr policy, builder.TryBuild());
-  auto keep_capabilities = absl::make_unique>();
-  keep_capabilities->push_back(CAP_SYS_PTRACE);
-  policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
+  policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});
   // Use no special namespace flags when cloning. We will join an existing
   // user namespace and will unshare() afterwards (See forkserver.cc).
   policy->GetNamespace()->clone_flags_ = 0;