Internal change

PiperOrigin-RevId: 451384097
Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
Oliver Kunz 2022-05-27 06:45:14 -07:00 committed by Copybara-Service
parent 5513e560eb
commit 546fda8f1e
2 changed files with 18 additions and 16 deletions


@ -724,6 +724,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
} }
PolicyBuilder& PolicyBuilder::AllowDynamicStartup() { PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
AllowRead(); AllowRead();
AllowStat(); AllowStat();
AllowSyscalls({__NR_lseek, AllowSyscalls({__NR_lseek,


@ -414,8 +414,9 @@ class PolicyBuilder final {
PolicyBuilder& AllowDynamicStartup(); PolicyBuilder& AllowDynamicStartup();
// Appends a policy, which will be run on the specified syscall. // Appends a policy, which will be run on the specified syscall.
// This policy must be written without labels. If you need labels, use the // This policy must be written without labels. If you need labels, use
// next function. // the overloaded function passing a BpfFunc object instead of the
// sock_filter.
PolicyBuilder& AddPolicyOnSyscall(uint32_t num, PolicyBuilder& AddPolicyOnSyscall(uint32_t num,
absl::Span<const sock_filter> policy); absl::Span<const sock_filter> policy);
@ -457,19 +458,18 @@ class PolicyBuilder final {
// target architecture. // target architecture.
PolicyBuilder& AddPolicyOnMmap(absl::Span<const sock_filter> policy); PolicyBuilder& AddPolicyOnMmap(absl::Span<const sock_filter> policy);
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls is // Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls
// a subset of {__NR_mmap, __NR_mmap2}, which exists on the target // is a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
// architecture. // architecture.
PolicyBuilder& AddPolicyOnMmap(BpfFunc f); PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
// Builds the policy returning a unique_ptr to it. This should only be called // Builds the policy returning a unique_ptr to it. This should only be
// once. // called once.
absl::StatusOr<std::unique_ptr<Policy>> TryBuild(); absl::StatusOr<std::unique_ptr<Policy>> TryBuild();
// Builds the policy returning a unique_ptr to it. This should only be called // Builds the policy returning a unique_ptr to it. This should only be
// once. // called once. This function will abort if an error happened in any of the
// This function will abort if an error happened in any of the PolicyBuilder // PolicyBuilder methods.
// methods.
std::unique_ptr<Policy> BuildOrDie() { return TryBuild().value(); } std::unique_ptr<Policy> BuildOrDie() { return TryBuild().value(); }
// Adds a bind-mount for a file from outside the namespace to inside. This // Adds a bind-mount for a file from outside the namespace to inside. This
@ -495,7 +495,8 @@ class PolicyBuilder final {
PolicyBuilder& AddLibrariesForBinary(absl::string_view path, PolicyBuilder& AddLibrariesForBinary(absl::string_view path,
absl::string_view ld_library_path = {}); absl::string_view ld_library_path = {});
// Similar to AddLibrariesForBinary, but binary is specified with an open fd. // Similar to AddLibrariesForBinary, but binary is specified with an open
// fd.
PolicyBuilder& AddLibrariesForBinary(int fd, PolicyBuilder& AddLibrariesForBinary(int fd,
absl::string_view ld_library_path = {}); absl::string_view ld_library_path = {});
@ -515,9 +516,9 @@ class PolicyBuilder final {
PolicyBuilder& AddTmpfs(absl::string_view inside, size_t size); PolicyBuilder& AddTmpfs(absl::string_view inside, size_t size);
// Allows unrestricted access to the network by *not* creating a network // Allows unrestricted access to the network by *not* creating a network
// namespace. Note that this only disables the network namespace. To actually // namespace. Note that this only disables the network namespace. To
// allow networking, you would also need to allow networking syscalls. // actually allow networking, you would also need to allow networking
// Calling this function will enable use of namespaces. // syscalls. Calling this function will enable use of namespaces.
PolicyBuilder& AllowUnrestrictedNetworking(); PolicyBuilder& AllowUnrestrictedNetworking();
// Enables the use of namespaces. // Enables the use of namespaces.
@ -539,8 +540,8 @@ class PolicyBuilder final {
CHECK(!requires_namespaces_) CHECK(!requires_namespaces_)
<< "Namespaces cannot be both disabled and enabled. You're probably " << "Namespaces cannot be both disabled and enabled. You're probably "
"using features that implicitly enable namespaces (SetHostname, " "using features that implicitly enable namespaces (SetHostname, "
"AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary or " "AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary "
"similar)"; "or similar)";
use_namespaces_ = false; use_namespaces_ = false;
return *this; return *this;
} }
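Review bot: The reflowed comment on BuildOrDie() (the hunk at -457,19 +458,18) still says the function "will abort", but the body is `return TryBuild().value();`, and absl::StatusOr::value() on a non-OK status throws absl::BadStatusOrAccess when the build has exceptions enabled and only terminates otherwise; since the commit is already rewording this comment, it is the moment to make the failure mode precise. Suggested wording for the last sentence: `// If any PolicyBuilder method reported an error, this throws absl::BadStatusOrAccess (or terminates when exceptions are disabled).` The same hunk's TryBuild() comment is the place to point callers who need an inspectable error, e.g. `// Prefer this over BuildOrDie() when a malformed policy must be handled rather than be fatal.` The class body continues outside these hunks.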