mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Reduce dependencies on libcap
PiperOrigin-RevId: 319228803 Change-Id: I1a9497f9e33bbe1e84749505305cd9c148b6d700
This commit is contained in:
parent
0d375e69e1
commit
6008dc6db4
|
@ -159,7 +159,6 @@ cc_library(
|
|||
"//sandboxed_api/util:flags",
|
||||
"@com_google_absl//absl/base:core_headers",
|
||||
"@com_google_absl//absl/types:optional",
|
||||
"@org_kernel_libcap//:libcap",
|
||||
],
|
||||
)
|
||||
|
||||
|
@ -240,7 +239,6 @@ cc_library(
|
|||
"@com_google_absl//absl/base:core_headers",
|
||||
"@com_google_absl//absl/memory",
|
||||
"@com_google_absl//absl/strings",
|
||||
"@org_kernel_libcap//:libcap",
|
||||
],
|
||||
)
|
||||
|
||||
|
|
|
@ -149,7 +149,6 @@ add_library(sandbox2::policy ALIAS sandbox2_policy)
|
|||
target_link_libraries(sandbox2_policy PRIVATE
|
||||
absl::core_headers
|
||||
absl::optional
|
||||
libcap::libcap
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::bpfdisassembler
|
||||
sandbox2::comms
|
||||
|
@ -242,7 +241,6 @@ target_link_libraries(sandbox2_executor PRIVATE
|
|||
absl::memory
|
||||
absl::strings
|
||||
glog::glog
|
||||
libcap::libcap
|
||||
sandbox2::fileops
|
||||
sandbox2::forkserver
|
||||
sandbox2::forkserver_proto
|
||||
|
@ -277,7 +275,6 @@ target_link_libraries(sandbox2_sandbox2
|
|||
absl::strings
|
||||
absl::synchronization
|
||||
absl::time
|
||||
libcap::libcap
|
||||
sandbox2::bpf_helper
|
||||
sandbox2::client
|
||||
sandbox2::comms
|
||||
|
|
|
@ -26,7 +26,6 @@
|
|||
|
||||
#include "absl/memory/memory.h"
|
||||
#include "absl/strings/str_cat.h"
|
||||
#include "libcap/include/sys/capability.h"
|
||||
#include "sandboxed_api/sandbox2/forkserver.h"
|
||||
#include "sandboxed_api/sandbox2/forkserver.pb.h"
|
||||
#include "sandboxed_api/sandbox2/global_forkclient.h"
|
||||
|
@ -73,7 +72,7 @@ std::vector<std::string> Executor::CopyEnviron() {
|
|||
}
|
||||
|
||||
pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
|
||||
const std::vector<cap_value_t>* caps,
|
||||
const std::vector<int>* caps,
|
||||
pid_t* init_pid_out) {
|
||||
if (started_) {
|
||||
LOG(ERROR) << "This executor has already been started";
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
#define SANDBOXED_API_SANDBOX2_EXECUTOR_H_
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <sys/capability.h>
|
||||
#include <unistd.h>
|
||||
#include <memory>
|
||||
#include <string>
|
||||
|
@ -137,7 +136,7 @@ class Executor final {
|
|||
//
|
||||
// Returns the same values as fork().
|
||||
pid_t StartSubProcess(int clone_flags, const Namespace* ns = nullptr,
|
||||
const std::vector<cap_value_t>* caps = nullptr,
|
||||
const std::vector<int>* caps = nullptr,
|
||||
pid_t* init_pid_out = nullptr);
|
||||
|
||||
// Whether the Executor has been started yet
|
||||
|
|
|
@ -19,7 +19,6 @@
|
|||
#include <asm/types.h>
|
||||
#include <fcntl.h>
|
||||
#include <sched.h>
|
||||
#include <sys/capability.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
|
@ -43,6 +42,7 @@
|
|||
#include "absl/strings/str_format.h"
|
||||
#include "absl/strings/str_join.h"
|
||||
#include "absl/synchronization/mutex.h"
|
||||
#include "libcap/include/sys/capability.h"
|
||||
#include "sandboxed_api/sandbox2/client.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/forkserver.pb.h"
|
||||
|
|
|
@ -28,7 +28,6 @@
|
|||
|
||||
#include <glog/logging.h>
|
||||
#include "sandboxed_api/util/flag.h"
|
||||
#include "libcap/include/sys/capability.h"
|
||||
#include "sandboxed_api/sandbox2/bpfdisassembler.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/regs.h"
|
||||
|
@ -151,7 +150,7 @@ bool Policy::SendPolicy(Comms* comms) const {
|
|||
}
|
||||
|
||||
void Policy::AllowUnsafeKeepCapabilities(
|
||||
std::unique_ptr<std::vector<cap_value_t>> caps) {
|
||||
std::unique_ptr<std::vector<int>> caps) {
|
||||
if (namespace_) {
|
||||
namespace_->DisableUserNamespace();
|
||||
}
|
||||
|
|
|
@ -20,7 +20,6 @@
|
|||
|
||||
#include <asm/types.h>
|
||||
#include <linux/filter.h>
|
||||
#include <sys/capability.h>
|
||||
|
||||
#include <cstddef>
|
||||
#include <memory>
|
||||
|
@ -53,8 +52,7 @@ class Policy final {
|
|||
// Skips creation of a user namespace and keep capabilities in the global
|
||||
// namespace. This only makes sense in some rare cases where the sandbox is
|
||||
// started as root, please talk to sandbox-team@ before using this function.
|
||||
void AllowUnsafeKeepCapabilities(
|
||||
std::unique_ptr<std::vector<cap_value_t>> caps);
|
||||
void AllowUnsafeKeepCapabilities(std::unique_ptr<std::vector<int>> caps);
|
||||
|
||||
// Stores information about the policy (and the policy builder if existing)
|
||||
// in the protobuf structure.
|
||||
|
@ -76,7 +74,7 @@ class Policy final {
|
|||
namespace_ = std::move(ns);
|
||||
}
|
||||
|
||||
const std::vector<cap_value_t>* GetCapabilities() const {
|
||||
const std::vector<int>* GetCapabilities() const {
|
||||
return capabilities_.get();
|
||||
}
|
||||
|
||||
|
@ -91,7 +89,7 @@ class Policy final {
|
|||
bool collect_stacktrace_on_kill_ = true;
|
||||
|
||||
// The capabilities to keep in the sandboxee.
|
||||
std::unique_ptr<std::vector<cap_value_t>> capabilities_;
|
||||
std::unique_ptr<std::vector<int>> capabilities_;
|
||||
|
||||
// Optional pointer to a PolicyBuilder description pb object.
|
||||
std::unique_ptr<PolicyBuilderDescription> policy_builder_description_;
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
|
||||
#include "sandboxed_api/sandbox2/stack_trace.h"
|
||||
|
||||
#include <sys/capability.h>
|
||||
#include <sys/resource.h>
|
||||
#include <syscall.h>
|
||||
|
||||
|
@ -146,7 +145,7 @@ std::unique_ptr<Policy> StackTracePeer::GetPolicy(pid_t target_pid,
|
|||
return nullptr;
|
||||
}
|
||||
std::unique_ptr<Policy> policy = std::move(policy_or).value();
|
||||
auto keep_capabilities = absl::make_unique<std::vector<cap_value_t>>();
|
||||
auto keep_capabilities = absl::make_unique<std::vector<int>>();
|
||||
keep_capabilities->push_back(CAP_SYS_PTRACE);
|
||||
policy->AllowUnsafeKeepCapabilities(std::move(keep_capabilities));
|
||||
// Use no special namespace flags when cloning. We will join an existing
|
||||
|
|
Loading…
Reference in New Issue
Block a user