Use default SAPI policy in the examples

PiperOrigin-RevId: 557903883
Change-Id: Ieb65c5cf109037073449f16a466e33937deeb553

sandboxed_api/examples/stringop/BUILD.bazel

@@ -54,7 +54,6 @@ STRINGOP_FUNCTIONS = [
 
 sapi_library(
     name = "stringop-sapi",
-    hdrs = ["sandbox.h"],
     functions = STRINGOP_FUNCTIONS,
     generator_version = 1,
     input_files = ["stringop.cc"],

sandboxed_api/examples/stringop/CMakeLists.txt

@@ -46,7 +46,6 @@ target_link_libraries(sapi_stringop
 
 # sandboxed_api/examples/stringop/lib:stringop-sapi
 add_sapi_library(stringop-sapi
-  SOURCES sandbox.h
   FUNCTIONS duplicate_string
             reverse_string
             pb_duplicate_string

sandboxed_api/examples/stringop/main_stringop.cc

@@ -23,13 +23,14 @@
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/time/time.h"
-#include "sandboxed_api/examples/stringop/sandbox.h"
 #include "sandboxed_api/examples/stringop/stringop_params.pb.h"
 #include "sandboxed_api/transaction.h"
 #include "sandboxed_api/util/status_macros.h"
 #include "sandboxed_api/util/status_matchers.h"
 #include "sandboxed_api/vars.h"
 
+#include "sandboxed_api/examples/stringop/stringop-sapi.sapi.h"
+
 namespace {
 
 using ::sapi::IsOk;
@@ -40,7 +41,7 @@ using ::testing::StrEq;
 
 // Tests using a simple transaction (and function pointers):
 TEST(StringopTest, ProtobufStringDuplication) {
-  sapi::BasicTransaction st(absl::make_unique<StringopSapiSandbox>());
+  sapi::BasicTransaction st(absl::make_unique<StringopSandbox>());
   EXPECT_THAT(st.Run([](sapi::Sandbox* sandbox) -> absl::Status {
     StringopApi api(sandbox);
     stringop::StringDuplication proto;
@@ -65,7 +66,7 @@ TEST(StringopTest, ProtobufStringDuplication) {
 }
 
 TEST(StringopTest, ProtobufStringReversal) {
-  StringopSapiSandbox sandbox;
+  StringopSandbox sandbox;
   ASSERT_THAT(sandbox.Init(), IsOk());
   StringopApi api(&sandbox);
 
@@ -82,7 +83,7 @@ TEST(StringopTest, ProtobufStringReversal) {
 }
 
 TEST(StringopTest, RawStringDuplication) {
-  StringopSapiSandbox sandbox;
+  StringopSandbox sandbox;
   ASSERT_THAT(sandbox.Init(), IsOk());
   StringopApi api(&sandbox);
 
@@ -99,7 +100,7 @@ TEST(StringopTest, RawStringDuplication) {
 }
 
 TEST(StringopTest, RawStringReversal) {
-  StringopSapiSandbox sandbox;
+  StringopSandbox sandbox;
   ASSERT_THAT(sandbox.Init(), IsOk());
   StringopApi api(&sandbox);
 
@@ -137,7 +138,7 @@ TEST(StringopTest, RawStringReversal) {
 }
 
 TEST(StringopTest, RawStringLength) {
-  StringopSapiSandbox sandbox;
+  StringopSandbox sandbox;
   ASSERT_THAT(sandbox.Init(), IsOk());
   StringopApi api(&sandbox);
   SAPI_ASSERT_OK_AND_ASSIGN(void* target_mem_ptr, api.get_raw_c_string());
@@ -147,7 +148,7 @@ TEST(StringopTest, RawStringLength) {
 }
 
 TEST(StringopTest, RawStringReading) {
-  StringopSapiSandbox sandbox;
+  StringopSandbox sandbox;
   ASSERT_THAT(sandbox.Init(), IsOk());
   StringopApi api(&sandbox);
   SAPI_ASSERT_OK_AND_ASSIGN(void* target_mem_ptr, api.get_raw_c_string());

sandboxed_api/examples/stringop/sandbox.h

@@ -1,53 +0,0 @@
-// Copyright 2019 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef SANDBOXED_API_EXAMPLES_STRINGOP_SANDBOX_H_
-#define SANDBOXED_API_EXAMPLES_STRINGOP_SANDBOX_H_
-
-#include <linux/audit.h>
-#include <sys/syscall.h>
-
-#include "sandboxed_api/examples/stringop/stringop-sapi.sapi.h"
-#include "sandboxed_api/sandbox2/policy.h"
-#include "sandboxed_api/sandbox2/policybuilder.h"
-
-class StringopSapiSandbox : public StringopSandbox {
- public:
-  std::unique_ptr<sandbox2::Policy> ModifyPolicy(
-      sandbox2::PolicyBuilder*) override {
-    // Return a new policy.
-    return sandbox2::PolicyBuilder()
-        .AllowRead()
-        .AllowWrite()
-        .AllowOpen()
-        .AllowSystemMalloc()
-        .AllowHandleSignals()
-        .AllowExit()
-        .AllowStat()
-        .AllowTime()
-        .AllowSyscalls({
-            __NR_recvmsg,
-            __NR_sendmsg,
-            __NR_lseek,
-            __NR_nanosleep,
-            __NR_futex,
-            __NR_gettid,
-            __NR_close,
-        })
-        .AddFile("/etc/localtime")
-        .BuildOrDie();
-  }
-};
-
-#endif  // SANDBOXED_API_EXAMPLES_STRINGOP_SANDBOX_H_

sandboxed_api/examples/sum/BUILD.bazel

@@ -44,8 +44,6 @@ cc_library(
 
 sapi_library(
     name = "sum-sapi",
-    srcs = [],
-    hdrs = ["sandbox.h"],
     functions = [
         "sum",
         "sums",

sandboxed_api/examples/sum/CMakeLists.txt

@@ -45,7 +45,6 @@ target_link_libraries(sapi_sum
 
 # sandboxed_api/examples/sum/lib:sum-sapi
 add_sapi_library(sum-sapi
-  SOURCES sandbox.h
   FUNCTIONS sum
             sums
             addf

sandboxed_api/examples/sum/main_sum.cc

@@ -27,7 +27,6 @@
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/str_cat.h"
-#include "sandboxed_api/examples/sum/sandbox.h"
 #include "sandboxed_api/examples/sum/sum-sapi.sapi.h"
 #include "sandboxed_api/examples/sum/sum_params.pb.h"
 #include "sandboxed_api/transaction.h"
@@ -218,7 +217,7 @@ int main(int argc, char* argv[]) {
 
   absl::Status status;
 
-  sapi::BasicTransaction st(std::make_unique<SumSapiSandbox>());
+  sapi::BasicTransaction st(std::make_unique<SumSandbox>());
   // Using the simple transaction (and function pointers):
   CHECK(st.Run(test_addition, 1, 1, 2).ok());
   CHECK(st.Run(test_addition, 1336, 1, 1337).ok());
@@ -263,14 +262,14 @@ int main(int argc, char* argv[]) {
   CHECK(status.ok()) << status.message();
 
   // Using overloaded transaction class:
-  SumTransaction sapi_crash{std::make_unique<SumSapiSandbox>(), /*crash=*/true,
+  SumTransaction sapi_crash{std::make_unique<SumSandbox>(), /*crash=*/true,
                             /*violate=*/false,
                             /*time_out=*/false};
   status = sapi_crash.Run();
   LOG(INFO) << "Final run result for crash: " << status;
   CHECK(status.code() == absl::StatusCode::kUnavailable);
 
-  SumTransaction sapi_violate{std::make_unique<SumSapiSandbox>(),
+  SumTransaction sapi_violate{std::make_unique<SumSandbox>(),
                               /*crash=*/false,
                               /*violate=*/true,
                               /*time_out=*/false};
@@ -278,7 +277,7 @@ int main(int argc, char* argv[]) {
   LOG(INFO) << "Final run result for violate: " << status;
   CHECK(status.code() == absl::StatusCode::kUnavailable);
 
-  SumTransaction sapi_timeout(std::make_unique<SumSapiSandbox>(),
+  SumTransaction sapi_timeout(std::make_unique<SumSandbox>(),
                               /*crash=*/false,
                               /*violate=*/false,
                               /*time_out=*/true);
@@ -286,7 +285,7 @@ int main(int argc, char* argv[]) {
   LOG(INFO) << "Final run result for timeout: " << status;
   CHECK(status.code() == absl::StatusCode::kUnavailable);
 
-  SumTransaction sapi{std::make_unique<SumSapiSandbox>(), /*crash=*/false,
+  SumTransaction sapi{std::make_unique<SumSandbox>(), /*crash=*/false,
                       /*violate=*/false, /*time_out=*/false};
   for (int i = 0; i < 32; ++i) {
     status = sapi.Run();

sandboxed_api/examples/sum/sandbox.h

@@ -1,55 +0,0 @@
-// Copyright 2019 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef SANDBOXED_API_EXAMPLES_SUM_SANDBOX_H_
-#define SANDBOXED_API_EXAMPLES_SUM_SANDBOX_H_
-
-#include <linux/audit.h>
-#include <sys/syscall.h>
-
-#include "sandboxed_api/examples/sum/sum-sapi.sapi.h"
-#include "sandboxed_api/sandbox2/policy.h"
-#include "sandboxed_api/sandbox2/policybuilder.h"
-
-class SumSapiSandbox : public SumSandbox {
- public:
-  std::unique_ptr<sandbox2::Policy> ModifyPolicy(
-      sandbox2::PolicyBuilder*) override {
-    // Return a new policy.
-    return sandbox2::PolicyBuilder()
-        .AllowRead()
-        .AllowWrite()
-        .AllowOpen()
-        .AllowSystemMalloc()
-        .AllowHandleSignals()
-        .AllowExit()
-        .AllowStat()
-        .AllowTime()
-        .AllowGetIDs()
-        .AllowGetPIDs()
-        .AllowSyscalls({
-            __NR_tgkill,
-            __NR_recvmsg,
-            __NR_sendmsg,
-            __NR_lseek,
-            __NR_nanosleep,
-            __NR_futex,
-            __NR_close,
-        })
-        .AddFile("/etc/localtime")
-        .BuildOrDie();
-  }
-};
-
-#endif  // SANDBOXED_API_EXAMPLES_SUM_LIB_SANDBOX_H_

sandboxed_api/sapi_test.cc

@@ -21,10 +21,8 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/status/status.h"
-#include "sandboxed_api/examples/stringop/sandbox.h"
 #include "sandboxed_api/examples/stringop/stringop-sapi.sapi.h"
 #include "sandboxed_api/examples/stringop/stringop_params.pb.h"
-#include "sandboxed_api/examples/sum/sandbox.h"
 #include "sandboxed_api/examples/sum/sum-sapi.sapi.h"
 #include "sandboxed_api/testing.h"
 #include "sandboxed_api/transaction.h"