From 546fda8f1e1e1c26b1cf296a736d4a12eacf6399 Mon Sep 17 00:00:00 2001 From: Oliver Kunz Date: Fri, 27 May 2022 06:45:14 -0700 Subject: [PATCH] Internal change PiperOrigin-RevId: 451384097 Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da --- sandboxed_api/sandbox2/policybuilder.cc | 1 + sandboxed_api/sandbox2/policybuilder.h | 33 +++++++++++++------------ 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index 2111967..979e7e3 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -724,6 +724,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() { } PolicyBuilder& PolicyBuilder::AllowDynamicStartup() { + AllowRead(); AllowStat(); AllowSyscalls({__NR_lseek, diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h index 7d8c1a3..ebc5a85 100644 --- a/sandboxed_api/sandbox2/policybuilder.h +++ b/sandboxed_api/sandbox2/policybuilder.h @@ -414,8 +414,9 @@ class PolicyBuilder final { PolicyBuilder& AllowDynamicStartup(); // Appends a policy, which will be run on the specified syscall. - // This policy must be written without labels. If you need labels, use the - // next function. + // This policy must be written without labels. If you need labels, use + // the overloaded function passing a BpfFunc object instead of the + // sock_filter. PolicyBuilder& AddPolicyOnSyscall(uint32_t num, absl::Span policy); @@ -457,19 +458,18 @@ class PolicyBuilder final { // target architecture. PolicyBuilder& AddPolicyOnMmap(absl::Span policy); - // Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls is - // a subset of {__NR_mmap, __NR_mmap2}, which exists on the target + // Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls + // is a subset of {__NR_mmap, __NR_mmap2}, which exists on the target // architecture. PolicyBuilder& AddPolicyOnMmap(BpfFunc f); - // Builds the policy returning a unique_ptr to it. This should only be called - // once. + // Builds the policy returning a unique_ptr to it. This should only be + // called once. absl::StatusOr> TryBuild(); - // Builds the policy returning a unique_ptr to it. This should only be called - // once. - // This function will abort if an error happened in any of the PolicyBuilder - // methods. + // Builds the policy returning a unique_ptr to it. This should only be + // called once. This function will abort if an error happened in any of the + // PolicyBuilder methods. std::unique_ptr BuildOrDie() { return TryBuild().value(); } // Adds a bind-mount for a file from outside the namespace to inside. This @@ -495,7 +495,8 @@ class PolicyBuilder final { PolicyBuilder& AddLibrariesForBinary(absl::string_view path, absl::string_view ld_library_path = {}); - // Similar to AddLibrariesForBinary, but binary is specified with an open fd. + // Similar to AddLibrariesForBinary, but binary is specified with an open + // fd. PolicyBuilder& AddLibrariesForBinary(int fd, absl::string_view ld_library_path = {}); @@ -515,9 +516,9 @@ class PolicyBuilder final { PolicyBuilder& AddTmpfs(absl::string_view inside, size_t size); // Allows unrestricted access to the network by *not* creating a network - // namespace. Note that this only disables the network namespace. To actually - // allow networking, you would also need to allow networking syscalls. - // Calling this function will enable use of namespaces. + // namespace. Note that this only disables the network namespace. To + // actually allow networking, you would also need to allow networking + // syscalls. Calling this function will enable use of namespaces. PolicyBuilder& AllowUnrestrictedNetworking(); // Enables the use of namespaces. @@ -539,8 +540,8 @@ class PolicyBuilder final { CHECK(!requires_namespaces_) << "Namespaces cannot be both disabled and enabled. You're probably " "using features that implicitly enable namespaces (SetHostname, " - "AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary or " - "similar)"; + "AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary " + "or similar)"; use_namespaces_ = false; return *this; }