Reduce dependencies on libcap

PiperOrigin-RevId: 319228803
Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
Wiktor Garbacz 2020-07-01 08:23:20 -07:00 committed by Copybara-Service
parent 0d375e69e1
commit 6008dc6db4
8 changed files with 8 additions and 19 deletions


@ -159,7 +159,6 @@ cc_library(
"//sandboxed_api/util:flags", "//sandboxed_api/util:flags",
"@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/types:optional", "@com_google_absl//absl/types:optional",
"@org_kernel_libcap//:libcap",
], ],
) )
@ -240,7 +239,6 @@ cc_library(
"@com_google_absl//absl/base:core_headers", "@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory", "@com_google_absl//absl/memory",
"@com_google_absl//absl/strings", "@com_google_absl//absl/strings",
"@org_kernel_libcap//:libcap",
], ],
) )


@ -149,7 +149,6 @@ add_library(sandbox2::policy ALIAS sandbox2_policy)
target_link_libraries(sandbox2_policy PRIVATE target_link_libraries(sandbox2_policy PRIVATE
absl::core_headers absl::core_headers
absl::optional absl::optional
libcap::libcap
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::bpfdisassembler sandbox2::bpfdisassembler
sandbox2::comms sandbox2::comms
@ -242,7 +241,6 @@ target_link_libraries(sandbox2_executor PRIVATE
absl::memory absl::memory
absl::strings absl::strings
glog::glog glog::glog
libcap::libcap
sandbox2::fileops sandbox2::fileops
sandbox2::forkserver sandbox2::forkserver
sandbox2::forkserver_proto sandbox2::forkserver_proto
@ -277,7 +275,6 @@ target_link_libraries(sandbox2_sandbox2
absl::strings absl::strings
absl::synchronization absl::synchronization
absl::time absl::time
libcap::libcap
sandbox2::bpf_helper sandbox2::bpf_helper
sandbox2::client sandbox2::client
sandbox2::comms sandbox2::comms


@ -26,7 +26,6 @@
#include "absl/memory/memory.h" #include "absl/memory/memory.h"
#include "absl/strings/str_cat.h" #include "absl/strings/str_cat.h"
#include "libcap/include/sys/capability.h"
#include "sandboxed_api/sandbox2/forkserver.h" #include "sandboxed_api/sandbox2/forkserver.h"
#include "sandboxed_api/sandbox2/forkserver.pb.h" #include "sandboxed_api/sandbox2/forkserver.pb.h"
#include "sandboxed_api/sandbox2/global_forkclient.h" #include "sandboxed_api/sandbox2/global_forkclient.h"
@ -73,7 +72,7 @@ std::vector<std::string> Executor::CopyEnviron() {
} }
pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns, pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
const std::vector<cap_value_t>* caps, const std::vector<int>* caps,
pid_t* init_pid_out) { pid_t* init_pid_out) {
if (started_) { if (started_) {
LOG(ERROR) << "This executor has already been started"; LOG(ERROR) << "This executor has already been started";


@ -16,7 +16,6 @@
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_ #define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
#include <stdlib.h> #include <stdlib.h>
#include <sys/capability.h>
#include <unistd.h> #include <unistd.h>
#include <memory> #include <memory>
#include <string> #include <string>
@ -137,7 +136,7 @@ class Executor final {
// //
// Returns the same values as fork(). // Returns the same values as fork().
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr, pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
const std::vector<cap_value_t>* caps = nullptr, const std::vector<int>* caps = nullptr,
pid_t* init_pid_out = nullptr); pid_t* init_pid_out = nullptr);
// Whether the Executor has been started yet // Whether the Executor has been started yet


@ -19,7 +19,6 @@
#include <asm/types.h> #include <asm/types.h>
#include <fcntl.h> #include <fcntl.h>
#include <sched.h> #include <sched.h>
#include <sys/capability.h>
#include <sys/prctl.h> #include <sys/prctl.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/types.h> #include <sys/types.h>
@ -43,6 +42,7 @@
#include "absl/strings/str_format.h" #include "absl/strings/str_format.h"
#include "absl/strings/str_join.h" #include "absl/strings/str_join.h"
#include "absl/synchronization/mutex.h" #include "absl/synchronization/mutex.h"
#include "libcap/include/sys/capability.h"
#include "sandboxed_api/sandbox2/client.h" #include "sandboxed_api/sandbox2/client.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/forkserver.pb.h" #include "sandboxed_api/sandbox2/forkserver.pb.h"


@ -28,7 +28,6 @@
#include <glog/logging.h> #include <glog/logging.h>
#include "sandboxed_api/util/flag.h" #include "sandboxed_api/util/flag.h"
#include "libcap/include/sys/capability.h"
#include "sandboxed_api/sandbox2/bpfdisassembler.h" #include "sandboxed_api/sandbox2/bpfdisassembler.h"
#include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/regs.h" #include "sandboxed_api/sandbox2/regs.h"
@ -151,7 +150,7 @@ bool Policy::SendPolicy(Comms* comms) const {
} }
void Policy::AllowUnsafeKeepCapabilities( void Policy::AllowUnsafeKeepCapabilities(
std::unique_ptr<std::vector<cap_value_t>> caps) { std::unique_ptr<std::vector<int>> caps) {
if (namespace_) { if (namespace_) {
namespace_->DisableUserNamespace(); namespace_->DisableUserNamespace();
} }


@ -20,7 +20,6 @@
#include <asm/types.h> #include <asm/types.h>
#include <linux/filter.h> #include <linux/filter.h>
#include <sys/capability.h>
#include <cstddef> #include <cstddef>
#include <memory> #include <memory>
@ -53,8 +52,7 @@ class Policy final {
// Skips creation of a user namespace and keep capabilities in the global // Skips creation of a user namespace and keep capabilities in the global
// namespace. This only makes sense in some rare cases where the sandbox is // namespace. This only makes sense in some rare cases where the sandbox is
// started as root, please talk to sandbox-team@ before using this function. // started as root, please talk to sandbox-team@ before using this function.
void AllowUnsafeKeepCapabilities( void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
std::unique_ptr<std::vector<cap_value_t>> caps);
// Stores information about the policy (and the policy builder if existing) // Stores information about the policy (and the policy builder if existing)
// in the protobuf structure. // in the protobuf structure.
@ -76,7 +74,7 @@ class Policy final {
namespace_ = std::move(ns); namespace_ = std::move(ns);
} }
const std::vector<cap_value_t>* GetCapabilities() const { const std::vector<int>* GetCapabilities() const {
return capabilities_.get(); return capabilities_.get();
} }
@ -91,7 +89,7 @@ class Policy final {
bool collect_stacktrace_on_kill_ = true; bool collect_stacktrace_on_kill_ = true;
// The capabilities to keep in the sandboxee. // The capabilities to keep in the sandboxee.
std::unique_ptr<std::vector<cap_value_t>> capabilities_; std::unique_ptr<std::vector<int>> capabilities_;
// Optional pointer to a PolicyBuilder description pb object. // Optional pointer to a PolicyBuilder description pb object.
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_; std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;
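Review bot: The new signature `void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);` and the `capabilities_` member now carry a bare `int` with nothing saying what the values are; `cap_value_t` is libcap's typedef for `int`, so the change is source-compatible, but the type name was the only documentation of the element meaning. The member comment should state it explicitly, e.g. `// The capabilities to keep in the sandboxee, as Linux capability numbers (CAP_* values from <linux/capability.h>).`, and the comment above `AllowUnsafeKeepCapabilities` should say the same for `caps`. The same applies to `GetCapabilities()` in this section and to the `caps` parameter of `Executor::StartSubProcess` in executor.h, which is documented above the hunk shown there.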


@ -16,7 +16,6 @@
#include "sandboxed_api/sandbox2/stack_trace.h" #include "sandboxed_api/sandbox2/stack_trace.h"
#include <sys/capability.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <syscall.h> #include <syscall.h>
@ -146,7 +145,7 @@ std::unique_ptr<Policy> StackTracePeer::GetPolicy(pid_t target_pid,
return nullptr; return nullptr;
} }
std::unique_ptr<Policy> policy = std::move(policy_or).value(); std::unique_ptr<Policy> policy = std::move(policy_or).value();
auto keep_capabilities = absl::make_unique<std::vector<cap_value_t>>(); auto keep_capabilities = absl::make_unique<std::vector<int>>();
keep_capabilities->push_back(CAP_SYS_PTRACE); keep_capabilities->push_back(CAP_SYS_PTRACE);
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities)); policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
// Use no special namespace flags when cloning. We will join an existing // Use no special namespace flags when cloning. We will join an existing
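Review bot: `keep_capabilities->push_back(CAP_SYS_PTRACE);` still needs the `CAP_SYS_PTRACE` macro, but the first hunk removes `#include <sys/capability.h>`, the header that provided it in this file, and the remaining includes are not visible here. Unless the macro now arrives transitively, the file should include it directly; `#include <linux/capability.h>` defines the `CAP_*` numbers without pulling in libcap, which matches the intent of the commit. Relying on a transitive include for a security-relevant constant makes the file fragile to unrelated header cleanups. `StackTracePeer::GetPolicy`'s body starts and ends outside the hunk.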