mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Internal change
PiperOrigin-RevId: 451384097 Change-Id: Ib1177bbb147074dfff8719a0733417f4f1afc9da
parent
5513e560eb
commit
546fda8f1e
|
@ -724,6 +724,7 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
|
|||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowDynamicStartup() {
|
||||
|
||||
AllowRead();
|
||||
AllowStat();
|
||||
AllowSyscalls({__NR_lseek,
|
||||
|
|
|
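Review bot: AllowDynamicStartup() gains one more allowance at the top of its body with no comment saying why the dynamic loader needs it, and the "Internal change" description gives no rationale either. The rendering has lost the +/- markers, so the added line is presumably one of `AllowRead();` / `AllowStat();`; either way, every sandboxee whose policy calls this helper now inherits the wider seccomp allowlist. I would state the reason at the call, e.g. `// ld.so read()s the ELF header of each shared object before mapping it.` if that is the motivation, and list the added syscall group in the header comment for AllowDynamicStartup() so policy authors can see what they get implicitly. Policies that deliberately omitted that allowance and relied on this helper staying narrow are loosened silently, so the change should be mentioned in the release notes. The function body continues past the end of the hunk.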
@ -414,8 +414,9 @@ class PolicyBuilder final {
|
|||
PolicyBuilder& AllowDynamicStartup();
|
||||
|
||||
// Appends a policy, which will be run on the specified syscall.
|
||||
// This policy must be written without labels. If you need labels, use the
|
||||
// next function.
|
||||
// This policy must be written without labels. If you need labels, use
|
||||
// the overloaded function passing a BpfFunc object instead of the
|
||||
// sock_filter.
|
||||
PolicyBuilder& AddPolicyOnSyscall(uint32_t num,
|
||||
absl::Span<const sock_filter> policy);
|
||||
|
||||
|
@ -457,19 +458,18 @@ class PolicyBuilder final {
|
|||
// target architecture.
|
||||
PolicyBuilder& AddPolicyOnMmap(absl::Span<const sock_filter> policy);
|
||||
|
||||
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls is
|
||||
// a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
|
||||
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls
|
||||
// is a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
|
||||
// architecture.
|
||||
PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
|
||||
|
||||
// Builds the policy returning a unique_ptr to it. This should only be called
|
||||
// once.
|
||||
// Builds the policy returning a unique_ptr to it. This should only be
|
||||
// called once.
|
||||
absl::StatusOr<std::unique_ptr<Policy>> TryBuild();
|
||||
|
||||
// Builds the policy returning a unique_ptr to it. This should only be called
|
||||
// once.
|
||||
// This function will abort if an error happened in any of the PolicyBuilder
|
||||
// methods.
|
||||
// Builds the policy returning a unique_ptr to it. This should only be
|
||||
// called once. This function will abort if an error happened in any of the
|
||||
// PolicyBuilder methods.
|
||||
std::unique_ptr<Policy> BuildOrDie() { return TryBuild().value(); }
|
||||
|
||||
// Adds a bind-mount for a file from outside the namespace to inside. This
|
||||
|
@ -495,7 +495,8 @@ class PolicyBuilder final {
|
|||
PolicyBuilder& AddLibrariesForBinary(absl::string_view path,
|
||||
absl::string_view ld_library_path = {});
|
||||
|
||||
// Similar to AddLibrariesForBinary, but binary is specified with an open fd.
|
||||
// Similar to AddLibrariesForBinary, but binary is specified with an open
|
||||
// fd.
|
||||
PolicyBuilder& AddLibrariesForBinary(int fd,
|
||||
absl::string_view ld_library_path = {});
|
||||
|
||||
|
@ -515,9 +516,9 @@ class PolicyBuilder final {
|
|||
PolicyBuilder& AddTmpfs(absl::string_view inside, size_t size);
|
||||
|
||||
// Allows unrestricted access to the network by *not* creating a network
|
||||
// namespace. Note that this only disables the network namespace. To actually
|
||||
// allow networking, you would also need to allow networking syscalls.
|
||||
// Calling this function will enable use of namespaces.
|
||||
// namespace. Note that this only disables the network namespace. To
|
||||
// actually allow networking, you would also need to allow networking
|
||||
// syscalls. Calling this function will enable use of namespaces.
|
||||
PolicyBuilder& AllowUnrestrictedNetworking();
|
||||
|
||||
// Enables the use of namespaces.
|
||||
|
@ -539,8 +540,8 @@ class PolicyBuilder final {
|
|||
CHECK(!requires_namespaces_)
|
||||
<< "Namespaces cannot be both disabled and enabled. You're probably "
|
||||
"using features that implicitly enable namespaces (SetHostname, "
|
||||
"AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary or "
|
||||
"similar)";
|
||||
"AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary "
|
||||
"or similar)";
|
||||
use_namespaces_ = false;
|
||||
return *this;
|
||||
}
|
||||
|
|