From 5267d14248eae6bce9cc01ea3eb99a4faa135e8b Mon Sep 17 00:00:00 2001
From: Christian Blichmann
Date: Mon, 12 Jul 2021 05:42:57 -0700
Subject: [PATCH] Take a vector in `Policy::AllowUnsafeKeepCapabilities()`

The existing function signature took a `unique_ptr<>` owning a vector, and took `nullptr` to mean an empty set of capabilities. This is more naturally modeled by taking the vector directly and `std::move`-ing it.

PiperOrigin-RevId: 384214849
Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
---
 sandboxed_api/sandbox2/policy.cc | 9 ++-------
 sandboxed_api/sandbox2/policy.h | 2 +-
 sandboxed_api/sandbox2/stack_trace.cc | 4 +---
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc
index c99486d..83f3138 100644
--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
@@ -164,16 +164,11 @@ bool Policy::SendPolicy(Comms* comms) const {
   return true;
 }
 
-void Policy::AllowUnsafeKeepCapabilities(
-    std::unique_ptr> caps) {
+void Policy::AllowUnsafeKeepCapabilities(std::vector caps) {
   if (namespace_) {
     namespace_->DisableUserNamespace();
   }
-  if (!caps) {
-    capabilities_.clear();
-  } else {
-    capabilities_ = {caps->begin(), caps->end()};
-  }
+  capabilities_ = std::move(caps);
 }
 
 void Policy::GetPolicyDescription(PolicyDescription* policy) const {
diff --git a/sandboxed_api/sandbox2/policy.h b/sandboxed_api/sandbox2/policy.h
index 179ccfb..edd5cb8 100644
--- a/sandboxed_api/sandbox2/policy.h
+++ b/sandboxed_api/sandbox2/policy.h
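Review bot: The new body moves `caps` into `capabilities_` but still calls `namespace_->DisableUserNamespace()` unconditionally, so an empty vector — the replacement for the old `nullptr` — clears the capability list yet leaves the user namespace disabled, exactly as before; the declaration comment in the policy.h hunk does not say so. I would extend that comment with `// An empty vector keeps no capabilities, but the user namespace is still skipped.` so callers do not read `{}` as a way back to the default sandbox. The assignment also relies on `std::move` from `<utility>`; whether policy.cc includes it directly is not visible in this patch. The angle brackets of the `std::vector<...>` parameter appear to have been lost in the rendering of this patch, so I assume the element type is unchanged from the old `unique_ptr` version.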
@@ -52,7 +52,7 @@ class Policy final {
   // Skips creation of a user namespace and keep capabilities in the global
   // namespace. This only makes sense in some rare cases where the sandbox is
   // started as root, please talk to sandbox-team@ before using this function.
-  void AllowUnsafeKeepCapabilities(std::unique_ptr> caps);
+  void AllowUnsafeKeepCapabilities(std::vector caps);
 
   // Stores information about the policy (and the policy builder if existing)
   // in the protobuf structure.
diff --git a/sandboxed_api/sandbox2/stack_trace.cc b/sandboxed_api/sandbox2/stack_trace.cc
index e42b3d2..e387a86 100644
--- a/sandboxed_api/sandbox2/stack_trace.cc
+++ b/sandboxed_api/sandbox2/stack_trace.cc
@@ -158,9 +158,7 @@ absl::StatusOr> StackTracePeer::GetPolicy(
   }
   SAPI_ASSIGN_OR_RETURN(std::unique_ptr policy, builder.TryBuild());
-  auto keep_capabilities = absl::make_unique>();
-  keep_capabilities->push_back(CAP_SYS_PTRACE);
-  policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
+  policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});
   // Use no special namespace flags when cloning. We will join an existing
   // user namespace and will unshare() afterwards (See forkserver.cc).
   policy->GetNamespace()->clone_flags_ = 0;
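Review bot: `policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});` now brace-initializes the vector parameter, which reads well, but the call site still gives no reason why this policy must keep CAP_SYS_PTRACE in the global namespace; the comment that follows only explains the clone flags. A one-line comment above the call would help the next reader, e.g. `// Keep CAP_SYS_PTRACE so the trace helper can attach to the sandboxee; no user namespace is created for this policy.` — the attach rationale is my inference from the function's purpose, so confirm the wording before committing it. GetPolicy starts before this hunk and continues past it.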