Reduce dependencies on libcap

PiperOrigin-RevId: 319228803
Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700

sandboxed_api/sandbox2/BUILD.bazel

@@ -159,7 +159,6 @@ cc_library(
         "//sandboxed_api/util:flags",
         "@com_google_absl//absl/base:core_headers",
         "@com_google_absl//absl/types:optional",
-        "@org_kernel_libcap//:libcap",
     ],
 )
 
@@ -240,7 +239,6 @@ cc_library(
         "@com_google_absl//absl/base:core_headers",
         "@com_google_absl//absl/memory",
         "@com_google_absl//absl/strings",
-        "@org_kernel_libcap//:libcap",
     ],
 )
 

sandboxed_api/sandbox2/CMakeLists.txt

@@ -149,7 +149,6 @@ add_library(sandbox2::policy ALIAS sandbox2_policy)
 target_link_libraries(sandbox2_policy PRIVATE
   absl::core_headers
   absl::optional
-  libcap::libcap
   sandbox2::bpf_helper
   sandbox2::bpfdisassembler
   sandbox2::comms
@@ -242,7 +241,6 @@ target_link_libraries(sandbox2_executor PRIVATE
   absl::memory
   absl::strings
   glog::glog
-  libcap::libcap
   sandbox2::fileops
   sandbox2::forkserver
   sandbox2::forkserver_proto
@@ -277,7 +275,6 @@ target_link_libraries(sandbox2_sandbox2
           absl::strings
           absl::synchronization
           absl::time
-          libcap::libcap
           sandbox2::bpf_helper
           sandbox2::client
           sandbox2::comms

sandboxed_api/sandbox2/executor.cc

@@ -26,7 +26,6 @@
 
 #include "absl/memory/memory.h"
 #include "absl/strings/str_cat.h"
-#include "libcap/include/sys/capability.h"
 #include "sandboxed_api/sandbox2/forkserver.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
@@ -73,7 +72,7 @@ std::vector<std::string> Executor::CopyEnviron() {
 }
 
 pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
-                                const std::vector<cap_value_t>* caps,
+                                const std::vector<int>* caps,
                                 pid_t* init_pid_out) {
   if (started_) {
     LOG(ERROR) << "This executor has already been started";

sandboxed_api/sandbox2/executor.h

@@ -16,7 +16,6 @@
 #define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
 
 #include <stdlib.h>
-#include <sys/capability.h>
 #include <unistd.h>
 #include <memory>
 #include <string>
@@ -137,7 +136,7 @@ class Executor final {
   //
   // Returns the same values as fork().
   pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
-                        const std::vector<cap_value_t>* caps = nullptr,
+                        const std::vector<int>* caps = nullptr,
                         pid_t* init_pid_out = nullptr);
 
   // Whether the Executor has been started yet

sandboxed_api/sandbox2/forkserver.cc

@@ -19,7 +19,6 @@
 #include <asm/types.h>
 #include <fcntl.h>
 #include <sched.h>
-#include <sys/capability.h>
 #include <sys/prctl.h>
 #include <sys/socket.h>
 #include <sys/types.h>
@@ -43,6 +42,7 @@
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
 #include "absl/synchronization/mutex.h"
+#include "libcap/include/sys/capability.h"
 #include "sandboxed_api/sandbox2/client.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"

sandboxed_api/sandbox2/policy.cc

@@ -28,7 +28,6 @@
 
 #include <glog/logging.h>
 #include "sandboxed_api/util/flag.h"
-#include "libcap/include/sys/capability.h"
 #include "sandboxed_api/sandbox2/bpfdisassembler.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/regs.h"
@@ -151,7 +150,7 @@ bool Policy::SendPolicy(Comms* comms) const {
 }
 
 void Policy::AllowUnsafeKeepCapabilities(
-    std::unique_ptr<std::vector<cap_value_t>> caps) {
+    std::unique_ptr<std::vector<int>> caps) {
   if (namespace_) {
     namespace_->DisableUserNamespace();
   }

sandboxed_api/sandbox2/policy.h

@@ -20,7 +20,6 @@
 
 #include <asm/types.h>
 #include <linux/filter.h>
-#include <sys/capability.h>
 
 #include <cstddef>
 #include <memory>
@@ -53,8 +52,7 @@ class Policy final {
   // Skips creation of a user namespace and keep capabilities in the global
   // namespace. This only makes sense in some rare cases where the sandbox is
   // started as root, please talk to sandbox-team@ before using this function.
-  void AllowUnsafeKeepCapabilities(
+  void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
-      std::unique_ptr<std::vector<cap_value_t>> caps);
 
   // Stores information about the policy (and the policy builder if existing)
   // in the protobuf structure.
@@ -76,7 +74,7 @@ class Policy final {
     namespace_ = std::move(ns);
   }
 
-  const std::vector<cap_value_t>* GetCapabilities() const {
+  const std::vector<int>* GetCapabilities() const {
     return capabilities_.get();
   }
 
@@ -91,7 +89,7 @@ class Policy final {
   bool collect_stacktrace_on_kill_ = true;
 
   // The capabilities to keep in the sandboxee.
-  std::unique_ptr<std::vector<cap_value_t>> capabilities_;
+  std::unique_ptr<std::vector<int>> capabilities_;
 
   // Optional pointer to a PolicyBuilder description pb object.
   std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;

sandboxed_api/sandbox2/stack_trace.cc

@@ -16,7 +16,6 @@
 
 #include "sandboxed_api/sandbox2/stack_trace.h"
 
-#include <sys/capability.h>
 #include <sys/resource.h>
 #include <syscall.h>
 
@@ -146,7 +145,7 @@ std::unique_ptr<Policy> StackTracePeer::GetPolicy(pid_t target_pid,
     return nullptr;
   }
   std::unique_ptr<Policy> policy = std::move(policy_or).value();
-  auto keep_capabilities = absl::make_unique<std::vector<cap_value_t>>();
+  auto keep_capabilities = absl::make_unique<std::vector<int>>();
   keep_capabilities->push_back(CAP_SYS_PTRACE);
   policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
   // Use no special namespace flags when cloning. We will join an existing