Reduce dependencies on libcap

PiperOrigin-RevId: 319228803
Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
This commit is contained in:
Wiktor Garbacz 2020-07-01 08:23:20 -07:00 committed by Copybara-Service
parent 0d375e69e1
commit 6008dc6db4
8 changed files with 8 additions and 19 deletions


@ -159,7 +159,6 @@ cc_library(
"//sandboxed_api/util:flags",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/types:optional",
"@org_kernel_libcap//:libcap",
],
)
@ -240,7 +239,6 @@ cc_library(
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@org_kernel_libcap//:libcap",
],
)


@ -149,7 +149,6 @@ add_library(sandbox2::policy ALIAS sandbox2_policy)
target_link_libraries(sandbox2_policy PRIVATE
absl::core_headers
absl::optional
libcap::libcap
sandbox2::bpf_helper
sandbox2::bpfdisassembler
sandbox2::comms
@ -242,7 +241,6 @@ target_link_libraries(sandbox2_executor PRIVATE
absl::memory
absl::strings
glog::glog
libcap::libcap
sandbox2::fileops
sandbox2::forkserver
sandbox2::forkserver_proto
@ -277,7 +275,6 @@ target_link_libraries(sandbox2_sandbox2
absl::strings
absl::synchronization
absl::time
libcap::libcap
sandbox2::bpf_helper
sandbox2::client
sandbox2::comms


@ -26,7 +26,6 @@
#include "absl/memory/memory.h"
#include "absl/strings/str_cat.h"
#include "libcap/include/sys/capability.h"
#include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/forkserver.pb.h"
#include "sandboxed_api/sandbox2/global_forkclient.h"
@ -73,7 +72,7 @@ std::vector<std::string> Executor::CopyEnviron() {
}
pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
const std::vector<cap_value_t>* caps,
const std::vector<int>* caps,
pid_t* init_pid_out) {
if (started_) {
LOG(ERROR) << "This executor has already been started";


@ -16,7 +16,6 @@
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
#include <stdlib.h>
#include <sys/capability.h>
#include <unistd.h>
#include <memory>
#include <string>
@ -137,7 +136,7 @@ class Executor final {
//
// Returns the same values as fork().
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
const std::vector<cap_value_t>* caps = nullptr,
const std::vector<int>* caps = nullptr,
pid_t* init_pid_out = nullptr);
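Review bot: With `caps` now declared as `const std::vector<int>*`, nothing in the declaration says what the integers are, so the comment block above the signature (which starts outside the hunk) should state it, e.g. `// caps: Linux capability numbers (CAP_* values from <linux/capability.h>) to retain in the sandboxee.` The same documentation gap appears in policy.h on `AllowUnsafeKeepCapabilities`, `GetCapabilities` and the `capabilities_` member, where the comment "The capabilities to keep in the sandboxee" no longer names the representation. libcap defines `cap_value_t` as an `int`, so existing callers stay source-compatible, but the compiler no longer distinguishes a capability number from any other integer, which is worth a sentence in the comment since these values end up controlling what the sandboxee may do.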
// Whether the Executor has been started yet


@ -19,7 +19,6 @@
#include <asm/types.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/types.h>
@ -43,6 +42,7 @@
#include "absl/strings/str_format.h"
#include "absl/strings/str_join.h"
#include "absl/synchronization/mutex.h"
#include "libcap/include/sys/capability.h"
#include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.pb.h"
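Review bot: The added line `#include "libcap/include/sys/capability.h"` makes sandbox2.cc depend directly on the libcap source tree, while this same commit removes `libcap::libcap` from the `sandbox2_sandbox2` link line in the CMake section (hunk `@ -277,7 +275,6 @@`). If sandbox2.cc is compiled into that target, the header now resolves only through a transitive dependency, which is fragile once the remaining libcap users are cleaned up and contradicts the commit title. Either keep the explicit dependency on the target that compiles this file, or, if the file only needs the `CAP_*` numbers, replace the include with `#include <linux/capability.h>`. The Bazel section removes the libcap dependency from two targets whereas CMake removes it from three; it would be worth confirming the two build descriptions still agree for the sandbox2 target.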


@ -28,7 +28,6 @@
#include <glog/logging.h>
#include "sandboxed_api/util/flag.h"
#include "libcap/include/sys/capability.h"
#include "sandboxed_api/sandbox2/bpfdisassembler.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/regs.h"
@ -151,7 +150,7 @@ bool Policy::SendPolicy(Comms* comms) const {
}
void Policy::AllowUnsafeKeepCapabilities(
std::unique_ptr<std::vector<cap_value_t>> caps) {
std::unique_ptr<std::vector<int>> caps) {
if (namespace_) {
namespace_->DisableUserNamespace();
}


@ -20,7 +20,6 @@
#include <asm/types.h>
#include <linux/filter.h>
#include <sys/capability.h>
#include <cstddef>
#include <memory>
@ -53,8 +52,7 @@ class Policy final {
// Skips creation of a user namespace and keep capabilities in the global
// namespace. This only makes sense in some rare cases where the sandbox is
// started as root, please talk to sandbox-team@ before using this function.
void AllowUnsafeKeepCapabilities(
std::unique_ptr<std::vector<cap_value_t>> caps);
void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
// Stores information about the policy (and the policy builder if existing)
// in the protobuf structure.
@ -76,7 +74,7 @@ class Policy final {
namespace_ = std::move(ns);
}
const std::vector<cap_value_t>* GetCapabilities() const {
const std::vector<int>* GetCapabilities() const {
return capabilities_.get();
}
@ -91,7 +89,7 @@ class Policy final {
bool collect_stacktrace_on_kill_ = true;
// The capabilities to keep in the sandboxee.
std::unique_ptr<std::vector<cap_value_t>> capabilities_;
std::unique_ptr<std::vector<int>> capabilities_;
// Optional pointer to a PolicyBuilder description pb object.
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;


@ -16,7 +16,6 @@
#include "sandboxed_api/sandbox2/stack_trace.h"
#include <sys/capability.h>
#include <sys/resource.h>
#include <syscall.h>
@ -146,7 +145,7 @@ std::unique_ptr<Policy> StackTracePeer::GetPolicy(pid_t target_pid,
return nullptr;
}
std::unique_ptr<Policy> policy = std::move(policy_or).value();
auto keep_capabilities = absl::make_unique<std::vector<cap_value_t>>();
auto keep_capabilities = absl::make_unique<std::vector<int>>();
keep_capabilities->push_back(CAP_SYS_PTRACE);
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
// Use no special namespace flags when cloning. We will join an existing
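Review bot: `keep_capabilities->push_back(CAP_SYS_PTRACE);` still needs the `CAP_SYS_PTRACE` macro, but the first hunk of this file removes `#include <sys/capability.h>` without adding a replacement, so the constant now presumably arrives through some transitive include not visible here. Adding `#include <linux/capability.h>` explicitly keeps the file self-contained and does not reintroduce a libcap dependency, which matches the intent of the commit. The enclosing `StackTracePeer::GetPolicy` body continues past the end of the hunk.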