Reduce dependencies on libcap
PiperOrigin-RevId: 319228803 Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
This commit is contained in:
parent
0d375e69e1
commit
6008dc6db4
|
@ -159,7 +159,6 @@ cc_library(
|
||||||
"//sandboxed_api/util:flags",
|
"//sandboxed_api/util:flags",
|
||||||
"@com_google_absl//absl/base:core_headers",
|
"@com_google_absl//absl/base:core_headers",
|
||||||
"@com_google_absl//absl/types:optional",
|
"@com_google_absl//absl/types:optional",
|
||||||
"@org_kernel_libcap//:libcap",
|
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -240,7 +239,6 @@ cc_library(
|
||||||
"@com_google_absl//absl/base:core_headers",
|
"@com_google_absl//absl/base:core_headers",
|
||||||
"@com_google_absl//absl/memory",
|
"@com_google_absl//absl/memory",
|
||||||
"@com_google_absl//absl/strings",
|
"@com_google_absl//absl/strings",
|
||||||
"@org_kernel_libcap//:libcap",
|
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -149,7 +149,6 @@ add_library(sandbox2::policy ALIAS sandbox2_policy)
|
||||||
target_link_libraries(sandbox2_policy PRIVATE
|
target_link_libraries(sandbox2_policy PRIVATE
|
||||||
absl::core_headers
|
absl::core_headers
|
||||||
absl::optional
|
absl::optional
|
||||||
libcap::libcap
|
|
||||||
sandbox2::bpf_helper
|
sandbox2::bpf_helper
|
||||||
sandbox2::bpfdisassembler
|
sandbox2::bpfdisassembler
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
|
@ -242,7 +241,6 @@ target_link_libraries(sandbox2_executor PRIVATE
|
||||||
absl::memory
|
absl::memory
|
||||||
absl::strings
|
absl::strings
|
||||||
glog::glog
|
glog::glog
|
||||||
libcap::libcap
|
|
||||||
sandbox2::fileops
|
sandbox2::fileops
|
||||||
sandbox2::forkserver
|
sandbox2::forkserver
|
||||||
sandbox2::forkserver_proto
|
sandbox2::forkserver_proto
|
||||||
|
@ -277,7 +275,6 @@ target_link_libraries(sandbox2_sandbox2
|
||||||
absl::strings
|
absl::strings
|
||||||
absl::synchronization
|
absl::synchronization
|
||||||
absl::time
|
absl::time
|
||||||
libcap::libcap
|
|
||||||
sandbox2::bpf_helper
|
sandbox2::bpf_helper
|
||||||
sandbox2::client
|
sandbox2::client
|
||||||
sandbox2::comms
|
sandbox2::comms
|
||||||
|
|
|
@ -26,7 +26,6 @@
|
||||||
|
|
||||||
#include "absl/memory/memory.h"
|
#include "absl/memory/memory.h"
|
||||||
#include "absl/strings/str_cat.h"
|
#include "absl/strings/str_cat.h"
|
||||||
#include "libcap/include/sys/capability.h"
|
|
||||||
#include "sandboxed_api/sandbox2/forkserver.h"
|
#include "sandboxed_api/sandbox2/forkserver.h"
|
||||||
#include "sandboxed_api/sandbox2/forkserver.pb.h"
|
#include "sandboxed_api/sandbox2/forkserver.pb.h"
|
||||||
#include "sandboxed_api/sandbox2/global_forkclient.h"
|
#include "sandboxed_api/sandbox2/global_forkclient.h"
|
||||||
|
@ -73,7 +72,7 @@ std::vector<std::string> Executor::CopyEnviron() {
|
||||||
}
|
}
|
||||||
|
|
||||||
pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
||||||
const std::vector<cap_value_t>* caps,
|
const std::vector<int>* caps,
|
||||||
pid_t* init_pid_out) {
|
pid_t* init_pid_out) {
|
||||||
if (started_) {
|
if (started_) {
|
||||||
LOG(ERROR) << "This executor has already been started";
|
LOG(ERROR) << "This executor has already been started";
|
||||||
|
|
|
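Review bot: The `caps` parameter of `Executor::StartSubProcess` is now a `const std::vector<int>*`, and nothing at the call site or declaration says any more that these ints are Linux capability numbers; the same loss of intent appears in the executor.h declaration, in `Policy::AllowUnsafeKeepCapabilities`, `Policy::GetCapabilities` and the `capabilities_` member. Since these values end up deciding which privileges the sandboxee retains, the contract should be stated where the API is declared, e.g. on the executor.h declaration: `// caps: Linux capability numbers (CAP_* constants as in <linux/capability.h>) to keep in the sandboxee.` and on `AllowUnsafeKeepCapabilities`: `// caps: CAP_* capability numbers to keep (see <linux/capability.h>).` The body of StartSubProcess continues past the end of this hunk.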
@ -16,7 +16,6 @@
|
||||||
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
|
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <sys/capability.h>
|
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <memory>
|
#include <memory>
|
||||||
#include <string>
|
#include <string>
|
||||||
|
@ -137,7 +136,7 @@ class Executor final {
|
||||||
//
|
//
|
||||||
// Returns the same values as fork().
|
// Returns the same values as fork().
|
||||||
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
|
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
|
||||||
const std::vector<cap_value_t>* caps = nullptr,
|
const std::vector<int>* caps = nullptr,
|
||||||
pid_t* init_pid_out = nullptr);
|
pid_t* init_pid_out = nullptr);
|
||||||
|
|
||||||
// Whether the Executor has been started yet
|
// Whether the Executor has been started yet
|
||||||
|
|
|
@ -19,7 +19,6 @@
|
||||||
#include <asm/types.h>
|
#include <asm/types.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <sched.h>
|
#include <sched.h>
|
||||||
#include <sys/capability.h>
|
|
||||||
#include <sys/prctl.h>
|
#include <sys/prctl.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
@ -43,6 +42,7 @@
|
||||||
#include "absl/strings/str_format.h"
|
#include "absl/strings/str_format.h"
|
||||||
#include "absl/strings/str_join.h"
|
#include "absl/strings/str_join.h"
|
||||||
#include "absl/synchronization/mutex.h"
|
#include "absl/synchronization/mutex.h"
|
||||||
|
#include "libcap/include/sys/capability.h"
|
||||||
#include "sandboxed_api/sandbox2/client.h"
|
#include "sandboxed_api/sandbox2/client.h"
|
||||||
#include "sandboxed_api/sandbox2/comms.h"
|
#include "sandboxed_api/sandbox2/comms.h"
|
||||||
#include "sandboxed_api/sandbox2/forkserver.pb.h"
|
#include "sandboxed_api/sandbox2/forkserver.pb.h"
|
||||||
|
|
|
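Review bot: This file now includes the vendored `libcap/include/sys/capability.h` directly, so the target that compiles it must still list the libcap dependency, while the build hunks in this commit remove `@org_kernel_libcap//:libcap` / `libcap::libcap` from the policy, executor and sandbox2 targets; I cannot see from this page which target owns this file, so please confirm it is one that keeps the dependency. A one-line comment next to the include, `// libcap is still needed here; keep the dependency on the owning target.`, would stop the next cleanup from dropping it. The include block starts before and ends after this hunk.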
@ -28,7 +28,6 @@
|
||||||
|
|
||||||
#include <glog/logging.h>
|
#include <glog/logging.h>
|
||||||
#include "sandboxed_api/util/flag.h"
|
#include "sandboxed_api/util/flag.h"
|
||||||
#include "libcap/include/sys/capability.h"
|
|
||||||
#include "sandboxed_api/sandbox2/bpfdisassembler.h"
|
#include "sandboxed_api/sandbox2/bpfdisassembler.h"
|
||||||
#include "sandboxed_api/sandbox2/comms.h"
|
#include "sandboxed_api/sandbox2/comms.h"
|
||||||
#include "sandboxed_api/sandbox2/regs.h"
|
#include "sandboxed_api/sandbox2/regs.h"
|
||||||
|
@ -151,7 +150,7 @@ bool Policy::SendPolicy(Comms* comms) const {
|
||||||
}
|
}
|
||||||
|
|
||||||
void Policy::AllowUnsafeKeepCapabilities(
|
void Policy::AllowUnsafeKeepCapabilities(
|
||||||
std::unique_ptr<std::vector<cap_value_t>> caps) {
|
std::unique_ptr<std::vector<int>> caps) {
|
||||||
if (namespace_) {
|
if (namespace_) {
|
||||||
namespace_->DisableUserNamespace();
|
namespace_->DisableUserNamespace();
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,7 +20,6 @@
|
||||||
|
|
||||||
#include <asm/types.h>
|
#include <asm/types.h>
|
||||||
#include <linux/filter.h>
|
#include <linux/filter.h>
|
||||||
#include <sys/capability.h>
|
|
||||||
|
|
||||||
#include <cstddef>
|
#include <cstddef>
|
||||||
#include <memory>
|
#include <memory>
|
||||||
|
@ -53,8 +52,7 @@ class Policy final {
|
||||||
// Skips creation of a user namespace and keep capabilities in the global
|
// Skips creation of a user namespace and keep capabilities in the global
|
||||||
// namespace. This only makes sense in some rare cases where the sandbox is
|
// namespace. This only makes sense in some rare cases where the sandbox is
|
||||||
// started as root, please talk to sandbox-team@ before using this function.
|
// started as root, please talk to sandbox-team@ before using this function.
|
||||||
void AllowUnsafeKeepCapabilities(
|
void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
|
||||||
std::unique_ptr<std::vector<cap_value_t>> caps);
|
|
||||||
|
|
||||||
// Stores information about the policy (and the policy builder if existing)
|
// Stores information about the policy (and the policy builder if existing)
|
||||||
// in the protobuf structure.
|
// in the protobuf structure.
|
||||||
|
@ -76,7 +74,7 @@ class Policy final {
|
||||||
namespace_ = std::move(ns);
|
namespace_ = std::move(ns);
|
||||||
}
|
}
|
||||||
|
|
||||||
const std::vector<cap_value_t>* GetCapabilities() const {
|
const std::vector<int>* GetCapabilities() const {
|
||||||
return capabilities_.get();
|
return capabilities_.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -91,7 +89,7 @@ class Policy final {
|
||||||
bool collect_stacktrace_on_kill_ = true;
|
bool collect_stacktrace_on_kill_ = true;
|
||||||
|
|
||||||
// The capabilities to keep in the sandboxee.
|
// The capabilities to keep in the sandboxee.
|
||||||
std::unique_ptr<std::vector<cap_value_t>> capabilities_;
|
std::unique_ptr<std::vector<int>> capabilities_;
|
||||||
|
|
||||||
// Optional pointer to a PolicyBuilder description pb object.
|
// Optional pointer to a PolicyBuilder description pb object.
|
||||||
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;
|
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;
|
||||||
|
|
|
@ -16,7 +16,6 @@
|
||||||
|
|
||||||
#include "sandboxed_api/sandbox2/stack_trace.h"
|
#include "sandboxed_api/sandbox2/stack_trace.h"
|
||||||
|
|
||||||
#include <sys/capability.h>
|
|
||||||
#include <sys/resource.h>
|
#include <sys/resource.h>
|
||||||
#include <syscall.h>
|
#include <syscall.h>
|
||||||
|
|
||||||
|
@ -146,7 +145,7 @@ std::unique_ptr<Policy> StackTracePeer::GetPolicy(pid_t target_pid,
|
||||||
return nullptr;
|
return nullptr;
|
||||||
}
|
}
|
||||||
std::unique_ptr<Policy> policy = std::move(policy_or).value();
|
std::unique_ptr<Policy> policy = std::move(policy_or).value();
|
||||||
auto keep_capabilities = absl::make_unique<std::vector<cap_value_t>>();
|
auto keep_capabilities = absl::make_unique<std::vector<int>>();
|
||||||
keep_capabilities->push_back(CAP_SYS_PTRACE);
|
keep_capabilities->push_back(CAP_SYS_PTRACE);
|
||||||
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
|
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
|
||||||
// Use no special namespace flags when cloning. We will join an existing
|
// Use no special namespace flags when cloning. We will join an existing
|
||||||
|
|
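Review bot: After the removal of `#include <sys/capability.h>` in this file's include block (the hunk at -16), the `CAP_SYS_PTRACE` used on the `keep_capabilities->push_back` line in `StackTracePeer::GetPolicy` is no longer supplied by a direct include and presumably resolves only through whatever the remaining headers pull in transitively. Add `#include <linux/capability.h>` to the include block so the definition of the CAP_* constants does not depend on header ordering in other files. GetPolicy begins and ends outside this hunk.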