Take a vector in Policy::AllowUnsafeKeepCapabilities()
The existing function signature took a `unique_ptr<>` owning a vector, and took `nullptr` to mean an empty set of capabilities. This is more naturally modeled by taking the vector directly and `std::move`-ing it. PiperOrigin-RevId: 384214849 Change-Id: I177f04a06803ae00429b19a1f3f12e7be04d2908
This commit is contained in:
parent
002cb9ae01
commit
5267d14248
|
@ -164,16 +164,11 @@ bool Policy::SendPolicy(Comms* comms) const {
|
|||
return true;
|
||||
}
|
||||
|
||||
void Policy::AllowUnsafeKeepCapabilities(
|
||||
std::unique_ptr<std::vector<int>> caps) {
|
||||
void Policy::AllowUnsafeKeepCapabilities(std::vector<int> caps) {
|
||||
if (namespace_) {
|
||||
namespace_->DisableUserNamespace();
|
||||
}
|
||||
if (!caps) {
|
||||
capabilities_.clear();
|
||||
} else {
|
||||
capabilities_ = {caps->begin(), caps->end()};
|
||||
}
|
||||
capabilities_ = std::move(caps);
|
||||
}
|
||||
|
||||
void Policy::GetPolicyDescription(PolicyDescription* policy) const {
|
||||
|
|
|
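Review bot: After `capabilities_ = std::move(caps);` an empty vector is now the only way to say "keep no capabilities", and on that path `namespace_->DisableUserNamespace()` still runs first, so an empty call is not a no-op; neither this hunk nor the policy.h comment in the next section states that. A one-line comment above the assignment would pin it down: `// An empty caps vector clears the kept set; the user namespace is disabled either way.` The same sentence belongs in the policy.h header comment, so callers do not read an empty list as "do nothing". The whole function body is inside this hunk.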
@ -52,7 +52,7 @@ class Policy final {
|
|||
// Skips creation of a user namespace and keep capabilities in the global
|
||||
// namespace. This only makes sense in some rare cases where the sandbox is
|
||||
// started as root, please talk to sandbox-team@ before using this function.
|
||||
void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
|
||||
void AllowUnsafeKeepCapabilities(std::vector<int> caps);
|
||||
|
||||
// Stores information about the policy (and the policy builder if existing)
|
||||
// in the protobuf structure.
|
||||
|
|
|
@ -158,9 +158,7 @@ absl::StatusOr<std::unique_ptr<Policy>> StackTracePeer::GetPolicy(
|
|||
}
|
||||
|
||||
SAPI_ASSIGN_OR_RETURN(std::unique_ptr<Policy> policy, builder.TryBuild());
|
||||
auto keep_capabilities = absl::make_unique<std::vector<int>>();
|
||||
keep_capabilities->push_back(CAP_SYS_PTRACE);
|
||||
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
|
||||
policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});
|
||||
// Use no special namespace flags when cloning. We will join an existing
|
||||
// user namespace and will unshare() afterwards (See forkserver.cc).
|
||||
policy->GetNamespace()->clone_flags_ = 0;
|
||||
|
|
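Review bot: With the `absl::make_unique` call removed from `GetPolicy`, the `absl/memory/memory.h` include may now be unused in this file if this was its only use; the include list is outside the hunk, so that cannot be confirmed here, but if so it should go with this change rather than remain dead. The brace-init in `policy->AllowUnsafeKeepCapabilities({CAP_SYS_PTRACE});` builds a one-element `std::vector<int>`, which matches the new by-value signature. `GetPolicy` begins before the hunk.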