mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Take a vector in Policy::AllowUnsafeKeepCapabilities()
The existing function signature took a `unique_ptr<>` owning a vector, and took `nullptr` to mean an empty set of capabilities. This is more naturally modeled by taking the vector directly and `std::move`-ing it. PiperOrigin-RevId: 384214849 Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
parent
002cb9ae01
commit
5267d14248
|
@ -164,16 +164,11 @@ bool Policy::SendPolicy(Comms* comms) const {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void Policy::AllowUnsafeKeepCapabilities(
|
void Policy::AllowUnsafeKeepCapabilities(std::vector<int> caps) {
|
||||||
std::unique_ptr<std::vector<int>> caps) {
|
|
||||||
if (namespace_) {
|
if (namespace_) {
|
||||||
namespace_->DisableUserNamespace();
|
namespace_->DisableUserNamespace();
|
||||||
}
|
}
|
||||||
if (!caps) {
|
capabilities_ = std::move(caps);
|
||||||
capabilities_.clear();
|
|
||||||
} else {
|
|
||||||
capabilities_ = {caps->begin(), caps->end()};
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
||||||
|
|
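Review bot: `capabilities_ = std::move(caps);` in Policy::AllowUnsafeKeepCapabilities stores the caller's integers unchecked, so a negative or out-of-range value is carried into the set of capabilities kept in the global namespace. Unless the code that later applies `capabilities_` already validates it (not visible in this hunk), a check before the assignment such as `for (int cap : caps) { if (!cap_valid(cap)) { /* log and abort */ } }`, using `cap_valid()` from `<linux/capability.h>`, would catch bad input at the point where the unsafe opt-in is made. Logging the retained capabilities here would also make uses of this escape hatch easier to audit.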
|
@ -52,7 +52,7 @@ class Policy final {
|
||||||
// Skips creation of a user namespace and keep capabilities in the global
|
// Skips creation of a user namespace and keep capabilities in the global
|
||||||
// namespace. This only makes sense in some rare cases where the sandbox is
|
// namespace. This only makes sense in some rare cases where the sandbox is
|
||||||
// started as root, please talk to sandbox-team@ before using this function.
|
// started as root, please talk to sandbox-team@ before using this function.
|
||||||
void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
|
void AllowUnsafeKeepCapabilities(std::vector<int> caps);
|
||||||
|
|
||||||
// Stores information about the policy (and the policy builder if existing)
|
// Stores information about the policy (and the policy builder if existing)
|
||||||
// in the protobuf structure.
|
// in the protobuf structure.
|
||||||
|
|
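Review bot: The comment above `void AllowUnsafeKeepCapabilities(std::vector<int> caps);` does not describe `caps`, and with the `nullptr` convention removed the empty-vector case should be stated. Going by the definition changed in the same commit, an empty vector leaves the kept set empty while the user namespace is still disabled. I would add a line such as `// caps: CAP_* values to keep. An empty vector keeps none; the user namespace is still skipped.`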
|
@ -158,9 +158,7 @@ absl::StatusOr<std::unique_ptr<Policy>> StackTracePeer::GetPolicy(
|
||||||
}
|
}
|
||||||
|
|
||||||
SAPI_ASSIGN_OR_RETURN(std::unique_ptr<Policy> policy, builder.TryBuild());
|
SAPI_ASSIGN_OR_RETURN(std::unique_ptr<Policy> policy, builder.TryBuild());
|
||||||
auto keep_capabilities = absl::make_unique<std::vector<int>>();
|
policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});
|
||||||
keep_capabilities->push_back(CAP_SYS_PTRACE);
|
|
||||||
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
|
|
||||||
// Use no special namespace flags when cloning. We will join an existing
|
// Use no special namespace flags when cloning. We will join an existing
|
||||||
// user namespace and will unshare() afterwards (See forkserver.cc).
|
// user namespace and will unshare() afterwards (See forkserver.cc).
|
||||||
policy->GetNamespace()->clone_flags_ = 0;
|
policy->GetNamespace()->clone_flags_ = 0;
|
||||||
|
|
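Review bot: The call `policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});` in StackTracePeer::GetPolicy has no comment saying why this policy skips the user namespace and holds CAP_SYS_PTRACE, which is the one privileged grant in the block. Presumably the stack-trace sandboxee has to ptrace the target process; if so, a comment should say it, e.g. `// Needs CAP_SYS_PTRACE to inspect the target; this also disables the user namespace.` Writing the argument as `std::vector<int>{CAP_SYS_PTRACE}` would also make it obvious that it is a one-element list rather than a size. GetPolicy starts and ends outside this hunk.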