diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index b0fd159..b0c960c 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -24,6 +24,24 @@ package(
 licenses(["notice"])
+cc_library(
+ name = "allow_all_syscalls",
+ hdrs = ["allow_all_syscalls.h"],
+ copts = sapi_platform_copts(),
+ visibility = [
+ "//sandboxed_api/sandbox2:__pkg__",
+ "//sandboxed_api/sandbox2/examples/tool:__pkg__",
+ ],
+)
+
+cc_library(
+ name = "testonly_allow_all_syscalls",
+ testonly = True,
+ hdrs = ["allow_all_syscalls.h"],
+ copts = sapi_platform_copts(),
+ visibility = ["//visibility:public"],
+)
+
 cc_library(
 name = "bpfdisassembler",
 srcs = ["bpfdisassembler.cc"],
@@ -472,6 +490,7 @@ cc_library(
 hdrs = ["policybuilder.h"],
 copts = sapi_platform_copts(),
 deps = [
+ ":allow_all_syscalls",
 ":mounts",
 ":namespace",
 ":policy",
@@ -652,6 +671,7 @@ cc_test(
 ":comms",
 ":namespace",
 ":sandbox2",
+ ":testonly_allow_all_syscalls",
 "//sandboxed_api:config",
 "//sandboxed_api:testing",
 "//sandboxed_api/util:fileops",
@@ -822,6 +842,7 @@ cc_test(
 deps = [
 ":limits",
 ":sandbox2",
+ ":testonly_allow_all_syscalls",
 "//sandboxed_api:config",
 "//sandboxed_api:testing",
 "//sandboxed_api/util:status_matchers",
@@ -890,6 +911,7 @@ cc_test(
 ],
 deps = [
 ":sandbox2",
+ ":testonly_allow_all_syscalls",
 "//sandboxed_api:config",
 "//sandboxed_api:testing",
 "//sandboxed_api/util:status_matchers",
@@ -911,6 +933,7 @@ cc_test(
 ":comms",
 ":sandbox2",
 ":sanitizer",
+ ":testonly_allow_all_syscalls",
 ":util",
 "//sandboxed_api:testing",
 "//sandboxed_api/util:status_matchers",
@@ -945,6 +968,7 @@ cc_test(
 ":regs",
 ":sandbox2",
 ":stack_trace",
+ ":testonly_allow_all_syscalls",
 "//sandboxed_api:testing",
 "//sandboxed_api/sandbox2/util:bpf_helper",
 "//sandboxed_api/util:fileops",
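Review bot: The restricted `visibility` on `allow_all_syscalls` only gates direct `deps`; since `:policybuilder` now lists `:allow_all_syscalls` in its own deps (hunk at @@ -472), any target that depends on `:policybuilder` still has allow_all_syscalls.h on its include path and can include it unless `layering_check` is enforced for the build, which I cannot tell from this diff. If the intent is that production code must opt in explicitly, say so on the target, e.g. `# Restricted visibility: production targets must be listed here explicitly; tests use :testonly_allow_all_syscalls. Relies on layering_check to block transitive includes.`, so the next maintainer knows what the gate depends on.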
@@ -968,6 +992,7 @@ cc_test(
 deps = [
 ":comms",
 ":sandbox2",
+ ":testonly_allow_all_syscalls",
 "//sandboxed_api:testing",
 "//sandboxed_api/sandbox2/util:bpf_helper",
 "//sandboxed_api/util:status_matchers",
@@ -1002,6 +1027,7 @@ cc_test(
 ":comms",
 ":policybuilder",
 ":sandbox2",
+ ":testonly_allow_all_syscalls",
 "//sandboxed_api:config",
 "//sandboxed_api:testing",
 "//sandboxed_api/sandbox2/util:bpf_helper",
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index ec717bc..416ece2 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -17,6 +17,15 @@ add_subdirectory(unwind)
 add_subdirectory(util)
 add_subdirectory(network_proxy)
+# sandboxed_api/sandbox2:allow_all_syscalls
+add_library(sandbox2_allow_all_syscalls ${SAPI_LIB_TYPE}
+ allow_all_syscalls.h
+)
+add_library(sandbox2::allow_all_syscalls ALIAS sandbox2_allow_all_syscalls)
+target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
+ sapi::base
+)
+
 # sandboxed_api/sandbox2:bpfdisassembler
 add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
 bpfdisassembler.cc
@@ -796,6 +805,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 )
 target_link_libraries(sandbox2_namespace_test PRIVATE
 absl::strings
+ sandbox2::allow_all_syscalls
 sandbox2::comms
 sapi::config
 sapi::fileops
@@ -905,6 +915,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 sandbox2::testcase_minimal
 )
 target_link_libraries(sandbox2_limits_test PRIVATE
+ sandbox2::allow_all_syscalls
 sandbox2::bpf_helper
 sapi::config
 sandbox2::limits
@@ -987,6 +998,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 )
 target_link_libraries(sandbox2_sandbox2_test PRIVATE
 absl::strings
+ sandbox2::allow_all_syscalls
 sapi::config
 sandbox2::sandbox2
 sapi::testing
@@ -1011,6 +1023,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 )
 target_link_libraries(sandbox2_sanitizer_test PRIVATE
 absl::strings
+ sandbox2::allow_all_syscalls
 sandbox2::bpf_helper
 sandbox2::client
 sandbox2::comms
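Review bot: The CMake build gets a single `sandbox2::allow_all_syscalls` target that production code (`sandbox2_sandbox2tool` in examples/tool/CMakeLists.txt) and every test link alike, so the restricted-visibility / `testonly` split introduced in BUILD.bazel has no counterpart here and CMake consumers are not gated at all. If that gap is accepted, it should be stated next to the target so nobody assumes the Bazel restriction carries over, e.g. `# No CMake equivalent of the Bazel visibility restriction / testonly split: any target may link this.`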
@@ -1054,6 +1067,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 absl::flags
 absl::status
 absl::strings
+ sandbox2::allow_all_syscalls
 sandbox2::bpf_helper
 sandbox2::global_forkserver
 sandbox2::namespace
@@ -1082,6 +1096,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 sandbox2::testcase_ipc
 )
 target_link_libraries(sandbox2_ipc_test PRIVATE
+ sandbox2::allow_all_syscalls
 sandbox2::bpf_helper
 sandbox2::comms
 sandbox2::ipc
@@ -1104,6 +1119,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
 )
 target_link_libraries(sandbox2_policybuilder_test PRIVATE
 absl::strings
+ sandbox2::allow_all_syscalls
 sandbox2::bpf_helper
 sandbox2::comms
 sandbox2::policybuilder
diff --git a/sandboxed_api/sandbox2/allow_all_syscalls.h b/sandboxed_api/sandbox2/allow_all_syscalls.h
new file mode 100644
index 0000000..13e0a6a
--- /dev/null
+++ b/sandboxed_api/sandbox2/allow_all_syscalls.h
@@ -0,0 +1,27 @@
+// Copyright 2013 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
+#define SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
+
+namespace sandbox2 {
+
+class AllowAllSyscalls {
+ public:
+ explicit AllowAllSyscalls() = default;
+};
+
+} // namespace sandbox2
+
+#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
diff --git a/sandboxed_api/sandbox2/examples/tool/BUILD.bazel b/sandboxed_api/sandbox2/examples/tool/BUILD.bazel
index 22bbb95..841c8bd 100644
--- a/sandboxed_api/sandbox2/examples/tool/BUILD.bazel
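Review bot: `AllowAllSyscalls` has no comment, although its whole purpose is to be a type the caller must name at the call site — and obtain from a header with restricted build visibility — before `PolicyBuilder::DefaultAction` will accept it. A class comment such as `// Tag type selecting ALLOW as the default action for every syscall the policy does not handle explicitly. Naming it at the call site, together with the restricted visibility of this header, keeps allow-all policies opt-in and easy to grep for.` would capture that. The `explicit` default constructor also deserves a one-liner, since it is what stops `DefaultAction({})` from compiling and is therefore part of the design rather than noise: `// explicit: the type has to be spelled out; DefaultAction({}) does not compile.`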
+++ b/sandboxed_api/sandbox2/examples/tool/BUILD.bazel
@@ -31,6 +31,7 @@ cc_binary(
 copts = sapi_platform_copts(),
 deps = [
 "//sandboxed_api/sandbox2",
+ "//sandboxed_api/sandbox2:allow_all_syscalls",
 "//sandboxed_api/sandbox2:util",
 "//sandboxed_api/sandbox2/util:bpf_helper",
 "//sandboxed_api/util:fileops",
diff --git a/sandboxed_api/sandbox2/examples/tool/CMakeLists.txt b/sandboxed_api/sandbox2/examples/tool/CMakeLists.txt
index 0c86daf..bd777cd 100644
--- a/sandboxed_api/sandbox2/examples/tool/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/examples/tool/CMakeLists.txt
@@ -27,6 +27,7 @@ target_link_libraries(sandbox2_sandbox2tool PRIVATE
 absl::log_initialize
 absl::strings
 absl::time
+ sandbox2::allow_all_syscalls
 sandbox2::bpf_helper
 sandbox2::sandbox2
 sandbox2::util
diff --git a/sandboxed_api/sandbox2/examples/tool/sandbox2tool.cc b/sandboxed_api/sandbox2/examples/tool/sandbox2tool.cc
index 63459ce..9314a88 100644
--- a/sandboxed_api/sandbox2/examples/tool/sandbox2tool.cc
+++ b/sandboxed_api/sandbox2/examples/tool/sandbox2tool.cc
@@ -43,6 +43,7 @@
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_split.h"
 #include "absl/time/time.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/ipc.h"
 #include "sandboxed_api/sandbox2/limits.h"
@@ -162,7 +163,7 @@ int main(int argc, char* argv[]) {
 sandbox2::PolicyBuilder builder;
 builder.AddPolicyOnSyscall(__NR_tee, {KILL});
- builder.DangerDefaultAllowAll();
+ builder.DefaultAction(sandbox2::AllowAllSyscalls());
 if (absl::GetFlag(FLAGS_sandbox2tool_need_networking)) {
 builder.AllowUnrestrictedNetworking();
diff --git a/sandboxed_api/sandbox2/ipc_test.cc b/sandboxed_api/sandbox2/ipc_test.cc
index bfa3736..fecf7c0 100644
--- a/sandboxed_api/sandbox2/ipc_test.cc
+++ b/sandboxed_api/sandbox2/ipc_test.cc
@@ -19,6 +19,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -52,7 +53,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 Sandbox2 s2(std::move(executor), std::move(policy));
@@ -89,7 +90,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 Sandbox2 s2(std::move(executor), std::move(policy));
@@ -121,7 +122,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 Sandbox2 s2(std::move(executor), std::move(policy));
diff --git a/sandboxed_api/sandbox2/limits_test.cc b/sandboxed_api/sandbox2/limits_test.cc
index b01e56d..d0e23c9 100644
--- a/sandboxed_api/sandbox2/limits_test.cc
+++ b/sandboxed_api/sandbox2/limits_test.cc
@@ -23,6 +23,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
@@ -45,7 +46,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 sandbox2::PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
 auto result = s2.Run();
@@ -63,7 +64,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 sandbox2::PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
 auto result = s2.Run();
@@ -81,7 +82,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 sandbox2::PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
 auto result = s2.Run();
@@ -99,7 +100,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 sandbox2::PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
 auto result = s2.Run();
@@ -117,7 +118,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 sandbox2::PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
 auto result = s2.Run();
diff --git a/sandboxed_api/sandbox2/namespace_test.cc b/sandboxed_api/sandbox2/namespace_test.cc
index 147d833..457a195 100644
--- a/sandboxed_api/sandbox2/namespace_test.cc
+++ b/sandboxed_api/sandbox2/namespace_test.cc
@@ -29,6 +29,7 @@
 #include "absl/strings/numbers.h"
 #include "absl/strings/str_cat.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -73,7 +74,7 @@ TEST(NamespaceTest, FileNamespaceWorks) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "0", "/binary_path", "/etc/passwd"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .AddFileAt(path, "/binary_path")
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(2));
@@ -90,7 +91,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "0", "/temp_file"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .AddFileAt(name, "/temp_file")
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
@@ -100,7 +101,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "1", "/temp_file"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .AddFileAt(name, "/temp_file")
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(1));
@@ -115,7 +116,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "2"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
 }
@@ -126,7 +127,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
 path, {path, "2"},
 PolicyBuilder()
 .DisableNamespaces()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .BuildOrDie());
 EXPECT_THAT(reason_code, Ne(0));
 }
@@ -140,7 +141,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "3", "1000", "1000"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
 }
@@ -151,7 +152,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
 path, {path, "3", absl::StrCat(getuid()), absl::StrCat(getgid())},
 PolicyBuilder()
 .DisableNamespaces()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
 }
@@ -164,7 +165,7 @@ TEST(NamespaceTest, RootReadOnly) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "4", "/tmp/testfile", "/testfile"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(2));
@@ -176,7 +177,7 @@ TEST(NamespaceTest, RootWritable) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "4", "/testfile"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .SetRootWritable()
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
@@ -188,7 +189,7 @@ TEST(HostnameTest, None) {
 path, {path, "sandbox2"},
 PolicyBuilder()
 .DisableNamespaces()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(1));
 }
@@ -198,7 +199,7 @@ TEST(HostnameTest, Default) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "sandbox2"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
 }
@@ -208,7 +209,7 @@ TEST(HostnameTest, Configured) {
 int reason_code = RunSandboxeeWithArgsAndPolicy(
 path, {path, "configured"},
 PolicyBuilder()
- .DangerDefaultAllowAll() // Do not restrict syscalls
+ .DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
 .SetHostname("configured")
 .BuildOrDie());
 EXPECT_THAT(reason_code, Eq(0));
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 6b3afa1..46190ea 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -44,6 +44,7 @@
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/namespace.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
@@ -1112,7 +1113,12 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
 }
 PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
- user_policy_.push_back(ALLOW);
+ default_action_ = ALLOW;
+ return *this;
+}
+
+PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
+ default_action_ = ALLOW;
 return *this;
 }
@@ -1185,6 +1191,9 @@ absl::StatusOr> PolicyBuilder::TryBuild() {
 output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
 output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
 output->user_policy_ = std::move(user_policy_);
+ if (default_action_) {
+ output->user_policy_.push_back(*default_action_);
+ }
 output->user_policy_.insert(output->user_policy_.end(),
 overridable_policy_.begin(),
 overridable_policy_.end());
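Review bot: `DangerDefaultAllowAll` and `DefaultAction(AllowAllSyscalls)` now contain the same `default_action_ = ALLOW;` body, so there are two places that decide what "allow all" means; the deprecated entry point should delegate, `return DefaultAction(AllowAllSyscalls());`, leaving one. Note that this also changes the observable semantics of the deprecated method: the removed line appended ALLOW to `user_policy_` at the point of the call, so rules added afterwards were presumably unreachable, whereas now the ALLOW is emitted in `TryBuild` after every user rule regardless of call order. That is the safer behaviour, but it deserves a sentence on `DefaultAction`, e.g. `// Order-independent: explicit per-syscall rules added before or after this call are always evaluated first.`, so callers who relied on the old positional behaviour notice.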
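Review bot: The default action is pushed after `user_policy_` but before `overridable_policy_` is appended, so once `default_action_` is ALLOW the overridable entries that follow are presumably never reached; if that shadowing is intended, say so where the push happens, e.g. `// Emitted after all user rules; when set, this terminal action shadows the overridable policy appended below.` `TryBuild` starts and ends outside the hunk, so I cannot see whether anything else is appended later that would also be affected.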
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index c38e20e..c83f36f 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -40,6 +40,8 @@ struct bpf_labels;
 namespace sandbox2 {
+class AllowAllSyscalls;
+
 // PolicyBuilder is a helper class to simplify creation of policies. The builder
 // uses fluent interface for convenience and increased readability of policies.
 //
@@ -666,10 +668,13 @@ class PolicyBuilder final {
 // Enables/disables stack trace collection on normal process exit.
 PolicyBuilder& CollectStacktracesOnExit(bool enable);
- // Appends an unconditional ALLOW action for all syscalls.
+ // Changes the default action to ALLOW.
+ // All syscalls not handled explicitly by the policy will thus be allowed.
 // Do not use in environment with untrusted code and/or data, ask
 // sandbox-team@ first if unsure.
+ ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
 PolicyBuilder& DangerDefaultAllowAll();
+ PolicyBuilder& DefaultAction(AllowAllSyscalls);
 // Allows syscalls that are necessary for the NetworkProxyClient
 PolicyBuilder& AddNetworkProxyPolicy();
@@ -739,6 +744,7 @@ class PolicyBuilder final {
 // Seccomp fields
 std::vector user_policy_;
 std::vector overridable_policy_;
+ std::optional default_action_;
 bool user_policy_handles_bpf_ = false;
 bool user_policy_handles_ptrace_ = false;
 absl::flat_hash_set handled_syscalls_;
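Review bot: `DefaultAction(AllowAllSyscalls)` is declared with no comment of its own, and the block above it — including the untrusted-code warning — reads as attached to the deprecated `DangerDefaultAllowAll` only, so the replacement API ends up less documented than the thing it replaces. Give the new method its own comment, e.g. `// Sets the default action to ALLOW for every syscall the policy does not handle explicitly. The AllowAllSyscalls tag has to be named at the call site and comes from allow_all_syscalls.h, whose build visibility is restricted (tests use :testonly_allow_all_syscalls). Same caveat as above: never for untrusted code or data.` Separately, `ABSL_DEPRECATED` comes from `absl/base/attributes.h` and no include for it appears in this diff; confirm the header already has it rather than relying on a transitive include.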
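Review bot: The hunk at @@ -739 adds a `std::optional` member but no `#include <optional>` appears anywhere in this diff, so unless policybuilder.h already includes it the header now depends on a transitive include; add `#include <optional>` to the header's standard-library includes. The template argument is not visible in this rendering (the angle brackets have been stripped from `std::vector` and `std::optional` alike), so I cannot check that `default_action_` has the same element type as `user_policy_`, which `push_back(*default_action_)` in policybuilder.cc requires.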
@@ -30,6 +30,7 @@
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_split.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/ipc.h"
@@ -109,8 +110,6 @@ TEST_F(PolicyBuilderTest, Testpolicy_size) {
 builder.AllowTCGETS(); assert_increased();
 builder.AllowTCGETS(); assert_increased();
- builder.DangerDefaultAllowAll(); assert_increased();
- builder.DangerDefaultAllowAll(); assert_increased();
 builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
 builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
@@ -160,7 +159,7 @@ std::string PolicyBuilderTest::Run(const std::vector& args, bool network) {
 PolicyBuilder builder;
 // Don't restrict the syscalls at all.
- builder.DangerDefaultAllowAll();
+ builder.DefaultAction(AllowAllSyscalls());
 if constexpr (sapi::host_os::IsAndroid()) {
 builder.DisableNamespaces();
@@ -206,14 +205,15 @@ TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
 TEST_F(PolicyBuilderTest, TestIsCopyable) {
 PolicyBuilder builder;
- builder.DangerDefaultAllowAll();
+ builder.AllowSyscall(__NR_getpid);
 PolicyBuilder copy = builder;
- ASSERT_EQ(PolicyBuilderPeer(©).policy_size(), 1);
+ ASSERT_EQ(PolicyBuilderPeer(©).policy_size(),
+ PolicyBuilderPeer(&builder).policy_size());
- // Building both does not crash.
- builder.BuildOrDie();
- copy.BuildOrDie();
+ // Both can be built.
+ EXPECT_THAT(builder.TryBuild(), IsOk());
+ EXPECT_THAT(copy.TryBuild(), IsOk());
 }
 TEST_F(PolicyBuilderTest, TestEcho) {
diff --git a/sandboxed_api/sandbox2/sandbox2_test.cc b/sandboxed_api/sandbox2/sandbox2_test.cc
index 563a834..5a3af66 100644
--- a/sandboxed_api/sandbox2/sandbox2_test.cc
+++ b/sandboxed_api/sandbox2/sandbox2_test.cc
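Review bot: The test changes only remove the assertions that encoded the old append behaviour (the two `DangerDefaultAllowAll(); assert_increased();` lines in Testpolicy_size); nothing exercises what the new code actually guarantees — that `DefaultAction(AllowAllSyscalls())` leaves `policy_size()` unchanged, that calling it twice does not grow the policy, and that a rule added after it is still emitted before the ALLOW. A small `TEST_F(PolicyBuilderTest, DefaultActionDoesNotChangeSize)` comparing `PolicyBuilderPeer(&builder).policy_size()` before and after the call covers the first two; the precedence property needs a sandboxee-style test like those in namespace_test.cc, where a syscall blocked by an explicit rule added after `DefaultAction` is still denied. With the removed lines gone there is also no coverage left for the deprecated `DangerDefaultAllowAll` path, which still exists and still needs to behave like `DefaultAction`.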
@@ -27,6 +27,7 @@
 #include "gtest/gtest.h"
 #include "absl/strings/str_cat.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
@@ -40,7 +41,7 @@ namespace {
 PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) {
 PolicyBuilder builder;
 // Don't restrict the syscalls at all.
- builder.DangerDefaultAllowAll();
+ builder.DefaultAction(AllowAllSyscalls());
 if constexpr (sapi::sanitizers::IsAny()) {
 builder.AddLibrariesForBinary(path);
 }
diff --git a/sandboxed_api/sandbox2/sanitizer_test.cc b/sandboxed_api/sandbox2/sanitizer_test.cc
index 39ed6e9..702f6b4 100644
--- a/sandboxed_api/sandbox2/sanitizer_test.cc
+++ b/sandboxed_api/sandbox2/sanitizer_test.cc
@@ -29,6 +29,7 @@
 #include "absl/container/flat_hash_set.h"
 #include "absl/log/log.h"
 #include "absl/strings/str_cat.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -119,7 +120,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .TryBuild());
 Sandbox2 s2(std::move(executor), std::move(policy));
diff --git a/sandboxed_api/sandbox2/stack_trace_test.cc b/sandboxed_api/sandbox2/stack_trace_test.cc
index 0b4a5d9..1e7defb 100644
--- a/sandboxed_api/sandbox2/stack_trace_test.cc
+++ b/sandboxed_api/sandbox2/stack_trace_test.cc
@@ -30,6 +30,7 @@
 #include "absl/flags/reflection.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -74,7 +75,7 @@ void SymbolizationWorksCommon(
 auto policybuilder = PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .AddFile(path)
 .AddLibrariesForBinary(path)
 .AddFileAt(temp_filename, "/proc/cpuinfo");
@@ -186,7 +187,7 @@ TEST(StackTraceTest, SymbolizationTrustedFilesOnly) {
 SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
 PolicyBuilder()
 // Don't restrict the syscalls at all.
- .DangerDefaultAllowAll()
+ .DefaultAction(AllowAllSyscalls())
 .AddFile(path)
 .AddLibrariesForBinary(path)
 .TryBuild());