Internal change
PiperOrigin-RevId: 451384097 Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
This commit is contained in:
parent
5513e560eb
commit
546fda8f1e
|
@ -724,6 +724,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
|
PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
|
||||||
|
|
||||||
AllowRead();
|
AllowRead();
|
||||||
AllowStat();
|
AllowStat();
|
||||||
AllowSyscalls({__NR_lseek,
|
AllowSyscalls({__NR_lseek,
|
||||||
|
|
|
@ -414,8 +414,9 @@ class PolicyBuilder final {
|
||||||
PolicyBuilder& AllowDynamicStartup();
|
PolicyBuilder& AllowDynamicStartup();
|
||||||
|
|
||||||
// Appends a policy, which will be run on the specified syscall.
|
// Appends a policy, which will be run on the specified syscall.
|
||||||
// This policy must be written without labels. If you need labels, use the
|
// This policy must be written without labels. If you need labels, use
|
||||||
// next function.
|
// the overloaded function passing a BpfFunc object instead of the
|
||||||
|
// sock_filter.
|
||||||
PolicyBuilder& AddPolicyOnSyscall(uint32_t num,
|
PolicyBuilder& AddPolicyOnSyscall(uint32_t num,
|
||||||
absl::Span<const sock_filter> policy);
|
absl::Span<const sock_filter> policy);
|
||||||
|
|
||||||
|
@ -457,19 +458,18 @@ class PolicyBuilder final {
|
||||||
// target architecture.
|
// target architecture.
|
||||||
PolicyBuilder& AddPolicyOnMmap(absl::Span<const sock_filter> policy);
|
PolicyBuilder& AddPolicyOnMmap(absl::Span<const sock_filter> policy);
|
||||||
|
|
||||||
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls is
|
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls
|
||||||
// a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
|
// is a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
|
||||||
// architecture.
|
// architecture.
|
||||||
PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
|
PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
|
||||||
|
|
||||||
// Builds the policy returning a unique_ptr to it. This should only be called
|
// Builds the policy returning a unique_ptr to it. This should only be
|
||||||
// once.
|
// called once.
|
||||||
absl::StatusOr<std::unique_ptr<Policy>> TryBuild();
|
absl::StatusOr<std::unique_ptr<Policy>> TryBuild();
|
||||||
|
|
||||||
// Builds the policy returning a unique_ptr to it. This should only be called
|
// Builds the policy returning a unique_ptr to it. This should only be
|
||||||
// once.
|
// called once. This function will abort if an error happened in any of the
|
||||||
// This function will abort if an error happened in any of the PolicyBuilder
|
// PolicyBuilder methods.
|
||||||
// methods.
|
|
||||||
std::unique_ptr<Policy> BuildOrDie() { return TryBuild().value(); }
|
std::unique_ptr<Policy> BuildOrDie() { return TryBuild().value(); }
|
||||||
|
|
||||||
// Adds a bind-mount for a file from outside the namespace to inside. This
|
// Adds a bind-mount for a file from outside the namespace to inside. This
|
||||||
|
@ -495,7 +495,8 @@ class PolicyBuilder final {
|
||||||
PolicyBuilder& AddLibrariesForBinary(absl::string_view path,
|
PolicyBuilder& AddLibrariesForBinary(absl::string_view path,
|
||||||
absl::string_view ld_library_path = {});
|
absl::string_view ld_library_path = {});
|
||||||
|
|
||||||
// Similar to AddLibrariesForBinary, but binary is specified with an open fd.
|
// Similar to AddLibrariesForBinary, but binary is specified with an open
|
||||||
|
// fd.
|
||||||
PolicyBuilder& AddLibrariesForBinary(int fd,
|
PolicyBuilder& AddLibrariesForBinary(int fd,
|
||||||
absl::string_view ld_library_path = {});
|
absl::string_view ld_library_path = {});
|
||||||
|
|
||||||
|
@ -515,9 +516,9 @@ class PolicyBuilder final {
|
||||||
PolicyBuilder& AddTmpfs(absl::string_view inside, size_t size);
|
PolicyBuilder& AddTmpfs(absl::string_view inside, size_t size);
|
||||||
|
|
||||||
// Allows unrestricted access to the network by *not* creating a network
|
// Allows unrestricted access to the network by *not* creating a network
|
||||||
// namespace. Note that this only disables the network namespace. To actually
|
// namespace. Note that this only disables the network namespace. To
|
||||||
// allow networking, you would also need to allow networking syscalls.
|
// actually allow networking, you would also need to allow networking
|
||||||
// Calling this function will enable use of namespaces.
|
// syscalls. Calling this function will enable use of namespaces.
|
||||||
PolicyBuilder& AllowUnrestrictedNetworking();
|
PolicyBuilder& AllowUnrestrictedNetworking();
|
||||||
|
|
||||||
// Enables the use of namespaces.
|
// Enables the use of namespaces.
|
||||||
|
@ -539,8 +540,8 @@ class PolicyBuilder final {
|
||||||
CHECK(!requires_namespaces_)
|
CHECK(!requires_namespaces_)
|
||||||
<< "Namespaces cannot be both disabled and enabled. You're probably "
|
<< "Namespaces cannot be both disabled and enabled. You're probably "
|
||||||
"using features that implicitly enable namespaces (SetHostname, "
|
"using features that implicitly enable namespaces (SetHostname, "
|
||||||
"AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary or "
|
"AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary "
|
||||||
"similar)";
|
"or similar)";
|
||||||
use_namespaces_ = false;
|
use_namespaces_ = false;
|
||||||
return *this;
|
return *this;
|
||||||
}
|
}
|
||||||
|
|