Change the default action instead of appending ALLOW

Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c
This commit is contained in:
Wiktor Garbacz 2023-03-01 05:35:51 -08:00 committed by Copybara-Service
parent fbfbd13adf
commit 5a8a25e9ac
15 changed files with 128 additions and 35 deletions

View File

@ -24,6 +24,24 @@ package(
licenses(["notice"])
cc_library(
name = "allow_all_syscalls",
hdrs = ["allow_all_syscalls.h"],
copts = sapi_platform_copts(),
visibility = [
"//sandboxed_api/sandbox2:__pkg__",
"//sandboxed_api/sandbox2/examples/tool:__pkg__",
],
)
cc_library(
name = "testonly_allow_all_syscalls",
testonly = True,
hdrs = ["allow_all_syscalls.h"],
copts = sapi_platform_copts(),
visibility = ["//visibility:public"],
)
cc_library(
name = "bpfdisassembler",
srcs = ["bpfdisassembler.cc"],
@ -472,6 +490,7 @@ cc_library(
hdrs = ["policybuilder.h"],
copts = sapi_platform_copts(),
deps = [
":allow_all_syscalls",
":mounts",
":namespace",
":policy",
@ -652,6 +671,7 @@ cc_test(
":comms",
":namespace",
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:fileops",
@ -822,6 +842,7 @@ cc_test(
deps = [
":limits",
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
@ -890,6 +911,7 @@ cc_test(
],
deps = [
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
@ -911,6 +933,7 @@ cc_test(
":comms",
":sandbox2",
":sanitizer",
":testonly_allow_all_syscalls",
":util",
"//sandboxed_api:testing",
"//sandboxed_api/util:status_matchers",
@ -945,6 +968,7 @@ cc_test(
":regs",
":sandbox2",
":stack_trace",
":testonly_allow_all_syscalls",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops",
@ -968,6 +992,7 @@ cc_test(
deps = [
":comms",
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:status_matchers",
@ -1002,6 +1027,7 @@ cc_test(
":comms",
":policybuilder",
":sandbox2",
":testonly_allow_all_syscalls",
"//sandboxed_api:config",
"//sandboxed_api:testing",
"//sandboxed_api/sandbox2/util:bpf_helper",

View File

@ -17,6 +17,15 @@ add_subdirectory(unwind)
add_subdirectory(util)
add_subdirectory(network_proxy)
# sandboxed_api/sandbox2:allow_all_syscalls
add_library(sandbox2_allow_all_syscalls ${SAPI_LIB_TYPE}
allow_all_syscalls.h
)
add_library(sandbox2::allow_all_syscalls ALIAS sandbox2_allow_all_syscalls)
target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
sapi::base
)
# sandboxed_api/sandbox2:bpfdisassembler
add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
bpfdisassembler.cc
@ -796,6 +805,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
)
target_link_libraries(sandbox2_namespace_test PRIVATE
absl::strings
sandbox2::allow_all_syscalls
sandbox2::comms
sapi::config
sapi::fileops
@ -905,6 +915,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::testcase_minimal
)
target_link_libraries(sandbox2_limits_test PRIVATE
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sapi::config
sandbox2::limits
@ -987,6 +998,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
)
target_link_libraries(sandbox2_sandbox2_test PRIVATE
absl::strings
sandbox2::allow_all_syscalls
sapi::config
sandbox2::sandbox2
sapi::testing
@ -1011,6 +1023,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
)
target_link_libraries(sandbox2_sanitizer_test PRIVATE
absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::client
sandbox2::comms
@ -1054,6 +1067,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
absl::flags
absl::status
absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::global_forkserver
sandbox2::namespace
@ -1082,6 +1096,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
sandbox2::testcase_ipc
)
target_link_libraries(sandbox2_ipc_test PRIVATE
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::comms
sandbox2::ipc
@ -1104,6 +1119,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
)
target_link_libraries(sandbox2_policybuilder_test
PRIVATE absl::strings
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::comms
sandbox2::policybuilder

View File

@ -0,0 +1,27 @@
// Copyright 2013 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
#define SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
namespace sandbox2 {
class AllowAllSyscalls {
public:
explicit AllowAllSyscalls() = default;
};
} // namespace sandbox2
#endif // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_

View File

@ -31,6 +31,7 @@ cc_binary(
copts = sapi_platform_copts(),
deps = [
"//sandboxed_api/sandbox2",
"//sandboxed_api/sandbox2:allow_all_syscalls",
"//sandboxed_api/sandbox2:util",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:fileops",

View File

@ -27,6 +27,7 @@ target_link_libraries(sandbox2_sandbox2tool PRIVATE
absl::log_initialize
absl::strings
absl::time
sandbox2::allow_all_syscalls
sandbox2::bpf_helper
sandbox2::sandbox2
sandbox2::util

View File

@ -43,6 +43,7 @@
#include "absl/strings/str_format.h"
#include "absl/strings/str_split.h"
#include "absl/time/time.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/ipc.h"
#include "sandboxed_api/sandbox2/limits.h"
@ -162,7 +163,7 @@ int main(int argc, char* argv[]) {
sandbox2::PolicyBuilder builder;
builder.AddPolicyOnSyscall(__NR_tee, {KILL});
builder.DangerDefaultAllowAll();
builder.DefaultAction(sandbox2::AllowAllSyscalls());
if (absl::GetFlag(FLAGS_sandbox2tool_need_networking)) {
builder.AllowUnrestrictedNetworking();

View File

@ -19,6 +19,7 @@
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -52,7 +53,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
@ -89,7 +90,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));
@ -121,7 +122,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));

View File

@ -23,6 +23,7 @@
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
@ -45,7 +46,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -63,7 +64,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -81,7 +82,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -99,7 +100,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();
@ -117,7 +118,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
sandbox2::PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
auto result = s2.Run();

View File

@ -29,6 +29,7 @@
#include "absl/strings/numbers.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -73,7 +74,7 @@ TEST(NamespaceTest, FileNamespaceWorks) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "0", "/binary_path", "/etc/passwd"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(path, "/binary_path")
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(2));
@ -90,7 +91,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "0", "/temp_file"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(name, "/temp_file")
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));
@ -100,7 +101,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "1", "/temp_file"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddFileAt(name, "/temp_file")
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(1));
@ -115,7 +116,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "2"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));
}
@ -126,7 +127,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
path, {path, "2"},
PolicyBuilder()
.DisableNamespaces()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
EXPECT_THAT(reason_code, Ne(0));
}
@ -140,7 +141,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "3", "1000", "1000"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));
}
@ -151,7 +152,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
path, {path, "3", absl::StrCat(getuid()), absl::StrCat(getgid())},
PolicyBuilder()
.DisableNamespaces()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));
}
@ -164,7 +165,7 @@ TEST(NamespaceTest, RootReadOnly) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "4", "/tmp/testfile", "/testfile"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(2));
@ -176,7 +177,7 @@ TEST(NamespaceTest, RootWritable) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "4", "/testfile"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.SetRootWritable()
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));
@ -188,7 +189,7 @@ TEST(HostnameTest, None) {
path, {path, "sandbox2"},
PolicyBuilder()
.DisableNamespaces()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(1));
}
@ -198,7 +199,7 @@ TEST(HostnameTest, Default) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "sandbox2"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));
}
@ -208,7 +209,7 @@ TEST(HostnameTest, Configured) {
int reason_code = RunSandboxeeWithArgsAndPolicy(
path, {path, "configured"},
PolicyBuilder()
.DangerDefaultAllowAll() // Do not restrict syscalls
.DefaultAction(AllowAllSyscalls()) // Do not restrict syscalls
.SetHostname("configured")
.BuildOrDie());
EXPECT_THAT(reason_code, Eq(0));

View File

@ -44,6 +44,7 @@
#include "absl/strings/match.h"
#include "absl/strings/string_view.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/util/bpf_helper.h"
@ -1112,7 +1113,12 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
}
PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
user_policy_.push_back(ALLOW);
default_action_ = ALLOW;
return *this;
}
PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
default_action_ = ALLOW;
return *this;
}
@ -1185,6 +1191,9 @@ absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
output->user_policy_ = std::move(user_policy_);
if (default_action_) {
output->user_policy_.push_back(*default_action_);
}
output->user_policy_.insert(output->user_policy_.end(),
overridable_policy_.begin(),
overridable_policy_.end());

View File

@ -40,6 +40,8 @@ struct bpf_labels;
namespace sandbox2 {
class AllowAllSyscalls;
// PolicyBuilder is a helper class to simplify creation of policies. The builder
// uses fluent interface for convenience and increased readability of policies.
//
@ -666,10 +668,13 @@ class PolicyBuilder final {
// Enables/disables stack trace collection on normal process exit.
PolicyBuilder& CollectStacktracesOnExit(bool enable);
// Appends an unconditional ALLOW action for all syscalls.
// Changes the default action to ALLOW.
// All syscalls not handled explicitly by the policy will thus be allowed.
// Do not use in environment with untrusted code and/or data, ask
// sandbox-team@ first if unsure.
ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
PolicyBuilder& DangerDefaultAllowAll();
PolicyBuilder& DefaultAction(AllowAllSyscalls);
// Allows syscalls that are necessary for the NetworkProxyClient
PolicyBuilder& AddNetworkProxyPolicy();
@ -739,6 +744,7 @@ class PolicyBuilder final {
// Seccomp fields
std::vector<sock_filter> user_policy_;
std::vector<sock_filter> overridable_policy_;
std::optional<sock_filter> default_action_;
bool user_policy_handles_bpf_ = false;
bool user_policy_handles_ptrace_ = false;
absl::flat_hash_set<uint32_t> handled_syscalls_;

View File

@ -30,6 +30,7 @@
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/ipc.h"
@ -109,8 +110,6 @@ TEST_F(PolicyBuilderTest, Testpolicy_size) {
builder.AllowTCGETS(); assert_increased();
builder.AllowTCGETS(); assert_increased();
builder.DangerDefaultAllowAll(); assert_increased();
builder.DangerDefaultAllowAll(); assert_increased();
builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
@ -160,7 +159,7 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
bool network) {
PolicyBuilder builder;
// Don't restrict the syscalls at all.
builder.DangerDefaultAllowAll();
builder.DefaultAction(AllowAllSyscalls());
if constexpr (sapi::host_os::IsAndroid()) {
builder.DisableNamespaces();
@ -206,14 +205,15 @@ TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
TEST_F(PolicyBuilderTest, TestIsCopyable) {
PolicyBuilder builder;
builder.DangerDefaultAllowAll();
builder.AllowSyscall(__NR_getpid);
PolicyBuilder copy = builder;
ASSERT_EQ(PolicyBuilderPeer(&copy).policy_size(), 1);
ASSERT_EQ(PolicyBuilderPeer(&copy).policy_size(),
PolicyBuilderPeer(&builder).policy_size());
// Building both does not crash.
builder.BuildOrDie();
copy.BuildOrDie();
// Both can be built.
EXPECT_THAT(builder.TryBuild(), IsOk());
EXPECT_THAT(copy.TryBuild(), IsOk());
}
TEST_F(PolicyBuilderTest, TestEcho) {

View File

@ -27,6 +27,7 @@
#include "gtest/gtest.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
#include "sandboxed_api/sandbox2/policybuilder.h"
@ -40,7 +41,7 @@ namespace {
PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) {
PolicyBuilder builder;
// Don't restrict the syscalls at all.
builder.DangerDefaultAllowAll();
builder.DefaultAction(AllowAllSyscalls());
if constexpr (sapi::sanitizers::IsAny()) {
builder.AddLibrariesForBinary(path);
}

View File

@ -29,6 +29,7 @@
#include "absl/container/flat_hash_set.h"
#include "absl/log/log.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -119,7 +120,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.TryBuild());
Sandbox2 s2(std::move(executor), std::move(policy));

View File

@ -30,6 +30,7 @@
#include "absl/flags/reflection.h"
#include "absl/strings/match.h"
#include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
#include "sandboxed_api/sandbox2/executor.h"
#include "sandboxed_api/sandbox2/global_forkclient.h"
#include "sandboxed_api/sandbox2/policy.h"
@ -74,7 +75,7 @@ void SymbolizationWorksCommon(
auto policybuilder = PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.AddFile(path)
.AddLibrariesForBinary(path)
.AddFileAt(temp_filename, "/proc/cpuinfo");
@ -186,7 +187,7 @@ TEST(StackTraceTest, SymbolizationTrustedFilesOnly) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
PolicyBuilder()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.DefaultAction(AllowAllSyscalls())
.AddFile(path)
.AddLibrariesForBinary(path)
.TryBuild());