diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index 9d3ea9b..3e3b691 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -159,7 +159,6 @@ cc_library(
 "//sandboxed_api/util:flags",
 "@com_google_absl//absl/base:core_headers",
 "@com_google_absl//absl/types:optional",
- "@org_kernel_libcap//:libcap",
 ],
 )
@@ -240,7 +239,6 @@ cc_library(
 "@com_google_absl//absl/base:core_headers",
 "@com_google_absl//absl/memory",
 "@com_google_absl//absl/strings",
- "@org_kernel_libcap//:libcap",
 ],
 )
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index d6b68b3..2e400cf 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -149,7 +149,6 @@ add_library(sandbox2::policy ALIAS sandbox2_policy)
 target_link_libraries(sandbox2_policy PRIVATE
 absl::core_headers
 absl::optional
- libcap::libcap
 sandbox2::bpf_helper
 sandbox2::bpfdisassembler
 sandbox2::comms
@@ -242,7 +241,6 @@ target_link_libraries(sandbox2_executor PRIVATE
 absl::memory
 absl::strings
 glog::glog
- libcap::libcap
 sandbox2::fileops
 sandbox2::forkserver
 sandbox2::forkserver_proto
@@ -277,7 +275,6 @@ target_link_libraries(sandbox2_sandbox2
 absl::strings
 absl::synchronization
 absl::time
- libcap::libcap
 sandbox2::bpf_helper
 sandbox2::client
 sandbox2::comms
diff --git a/sandboxed_api/sandbox2/executor.cc b/sandboxed_api/sandbox2/executor.cc
index bc004ab..fa886c4 100644
--- a/sandboxed_api/sandbox2/executor.cc
+++ b/sandboxed_api/sandbox2/executor.cc
@@ -26,7 +26,6 @@
 #include "absl/memory/memory.h"
 #include "absl/strings/str_cat.h"
-#include "libcap/include/sys/capability.h"
 #include "sandboxed_api/sandbox2/forkserver.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
@@ -73,7 +72,7 @@ std::vector Executor::CopyEnviron() {
 }
 pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
- const std::vector* caps,
+ const std::vector* caps,
 pid_t* init_pid_out) {
 if (started_) {
 LOG(ERROR) << "This executor has already been started";
diff --git a/sandboxed_api/sandbox2/executor.h b/sandboxed_api/sandbox2/executor.h
index a1554e9..505b381 100644
--- a/sandboxed_api/sandbox2/executor.h
+++ b/sandboxed_api/sandbox2/executor.h
@@ -16,7 +16,6 @@
 #define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
 #include
-#include
 #include
 #include
 #include
@@ -137,7 +136,7 @@ class Executor final {
 //
 // Returns the same values as fork().
 pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
- const std::vector* caps = nullptr,
+ const std::vector* caps = nullptr,
 pid_t* init_pid_out = nullptr);
 // Whether the Executor has been started yet
diff --git a/sandboxed_api/sandbox2/forkserver.cc b/sandboxed_api/sandbox2/forkserver.cc
index 0998714..f25e848 100644
--- a/sandboxed_api/sandbox2/forkserver.cc
+++ b/sandboxed_api/sandbox2/forkserver.cc
@@ -19,7 +19,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -43,6 +42,7 @@
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
 #include "absl/synchronization/mutex.h"
+#include "libcap/include/sys/capability.h"
 #include "sandboxed_api/sandbox2/client.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc
index a2ca725..e631c0a 100644
--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
@@ -28,7 +28,6 @@
 #include
 #include "sandboxed_api/util/flag.h"
-#include "libcap/include/sys/capability.h"
 #include "sandboxed_api/sandbox2/bpfdisassembler.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/regs.h"
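Review bot: The comment above `StartSubProcess` in executor.h (`@@ -137`) says nothing about `caps`, and after this change the parameter type no longer names what the numbers mean. The template argument is stripped on this page, so the new element type is only inferred to be a plain integer. I would add a line such as `// caps: Linux capability numbers (CAP_* constants) the sandboxee keeps.` and state what `nullptr` means once that is confirmed against the forkserver. The comment block starts outside the hunk.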
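Review bot: forkserver.cc (`@@ -43`) now includes `libcap/include/sys/capability.h` directly, yet none of the BUILD.bazel or CMakeLists.txt hunks in this commit touches the forkserver target. If that target does not already list `@org_kernel_libcap//:libcap` and `libcap::libcap`, the file builds only through a transitive dependency, and this commit removes libcap from the policy and executor targets. Worth confirming both build files declare it on the forkserver target.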
@@ -151,7 +150,7 @@ bool Policy::SendPolicy(Comms* comms) const {
 }
 void Policy::AllowUnsafeKeepCapabilities(
- std::unique_ptr> caps) {
+ std::unique_ptr> caps) {
 if (namespace_) {
 namespace_->DisableUserNamespace();
 }
diff --git a/sandboxed_api/sandbox2/policy.h b/sandboxed_api/sandbox2/policy.h
index d4a0ca1..a50439b 100644
--- a/sandboxed_api/sandbox2/policy.h
+++ b/sandboxed_api/sandbox2/policy.h
@@ -20,7 +20,6 @@
 #include
 #include
-#include
 #include
 #include
@@ -53,8 +52,7 @@ class Policy final {
 // Skips creation of a user namespace and keep capabilities in the global
 // namespace. This only makes sense in some rare cases where the sandbox is
 // started as root, please talk to sandbox-team@ before using this function.
- void AllowUnsafeKeepCapabilities(
- std::unique_ptr> caps);
+ void AllowUnsafeKeepCapabilities(std::unique_ptr> caps);
 // Stores information about the policy (and the policy builder if existing)
 // in the protobuf structure.
@@ -76,7 +74,7 @@ class Policy final {
 namespace_ = std::move(ns);
 }
- const std::vector* GetCapabilities() const {
+ const std::vector* GetCapabilities() const {
 return capabilities_.get();
 }
@@ -91,7 +89,7 @@ class Policy final {
 bool collect_stacktrace_on_kill_ = true;
 // The capabilities to keep in the sandboxee.
- std::unique_ptr> capabilities_;
+ std::unique_ptr> capabilities_;
 // Optional pointer to a PolicyBuilder description pb object.
 std::unique_ptr policy_builder_description_;
diff --git a/sandboxed_api/sandbox2/stack_trace.cc b/sandboxed_api/sandbox2/stack_trace.cc
index 182534b..adfec8c 100644
--- a/sandboxed_api/sandbox2/stack_trace.cc
+++ b/sandboxed_api/sandbox2/stack_trace.cc
@@ -16,7 +16,6 @@
 #include "sandboxed_api/sandbox2/stack_trace.h"
-#include
 #include
 #include
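Review bot: Nothing in the visible part of `Policy::AllowUnsafeKeepCapabilities` (policy.cc, `@@ -151`) checks the entries of `caps` before the policy keeps them. The template argument is stripped on this page, but if the new element type is a plain integer, a negative or out-of-range value now compiles without a hint from the type. Since this call also disables the user namespace, I would reject bad values at the API boundary unless the forkserver already does, for example `for (auto cap : *caps) CHECK(cap_valid(cap));` with `<linux/capability.h>` included. The function body continues outside the hunk.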
@@ -146,7 +145,7 @@ std::unique_ptr StackTracePeer::GetPolicy(pid_t target_pid,
 return nullptr;
 }
 std::unique_ptr policy = std::move(policy_or).value();
- auto keep_capabilities = absl::make_unique>();
+ auto keep_capabilities = absl::make_unique>();
 keep_capabilities->push_back(CAP_SYS_PTRACE);
 policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
 // Use no special namespace flags when cloning. We will join an existing
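Review bot: `keep_capabilities->push_back(CAP_SYS_PTRACE);` in stack_trace.cc (`@@ -146`) still needs the `CAP_SYS_PTRACE` definition, while the first hunk of this file (`@@ -16`) drops a system include whose name is stripped on this page. If the dropped header was the capability header, the constant now arrives only through some other include, and policy.h loses a system include in this commit too. An explicit `#include <linux/capability.h>` in stack_trace.cc would make the dependency visible. `GetPolicy` starts and ends outside the hunk.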