diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index 33f66d3..eba770c 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -603,11 +603,9 @@ cc_library(
 visibility = ["//visibility:public"],
 deps = [
 ":util",
- "//sandboxed_api/util:status",
- "@com_google_absl//absl/base:core_headers",
+ "@com_google_absl//absl/memory",
 "@com_google_absl//absl/status",
 "@com_google_absl//absl/status:statusor",
- "@com_google_absl//absl/strings",
 ],
 )
 
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index f2fe725..3680ac5 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -525,6 +525,7 @@ add_library(sandbox2_buffer ${SAPI_LIB_TYPE}
 add_library(sandbox2::buffer ALIAS sandbox2_buffer)
 target_link_libraries(sandbox2_buffer PRIVATE
 absl::core_headers
+ absl::memory
 absl::status
 absl::strings
 sapi::strerror
diff --git a/sandboxed_api/sandbox2/buffer.cc b/sandboxed_api/sandbox2/buffer.cc
index 8e28068..9d7a60d 100644
--- a/sandboxed_api/sandbox2/buffer.cc
+++ b/sandboxed_api/sandbox2/buffer.cc
@@ -21,6 +21,7 @@
 #include
 #include
 
+#include "absl/memory/memory.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "sandboxed_api/sandbox2/util.h"
@@ -29,7 +30,8 @@ namespace sandbox2 {
 
 // Creates a new Buffer that is backed by the specified file descriptor.
 absl::StatusOr> Buffer::CreateFromFd(int fd) {
- auto buffer = std::make_unique();
+ // Using `new` to access a non-public constructor.
+ auto buffer = absl::WrapUnique(new Buffer());
 
 struct stat stat_buf;
 if (fstat(fd, &stat_buf) != 0) {
diff --git a/sandboxed_api/sandbox2/buffer.h b/sandboxed_api/sandbox2/buffer.h
index 57bde1d..d2c15e9 100644
--- a/sandboxed_api/sandbox2/buffer.h
+++ b/sandboxed_api/sandbox2/buffer.h
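Review bot: The Bazel deps at line 603 drop `//sandboxed_api/util:status`, `absl/base:core_headers` and `absl/strings`, while the CMake target `sandbox2_buffer` in the next hunk keeps linking `absl::core_headers`, `absl::strings` and `sapi::strerror`, so the two build descriptions now disagree about what the library needs. If the Bazel target is the buffer library, as its `:util`/status/statusor dep list suggests, then either buffer.cc still uses those headers and the Bazel build only succeeds through transitive deps, or the CMake list should shrink to match; the diff does not show which. Worth confirming with a strict-deps build of buffer.cc before merging, and aligning the CMake target in the same commit.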
@@ -28,11 +28,7 @@ namespace sandbox2 {
 // The executor must distrust the content of this buffer, like everything
 // else that comes under control of the sandboxee.
 class Buffer final {
- private:
- struct Tag {};
-
 public:
- Buffer(Tag tag = {}) {}
 ~Buffer();
 
 Buffer(const Buffer&) = delete;
@@ -57,6 +53,8 @@ class Buffer final {
 int fd() const { return fd_; }
 
 private:
+ Buffer() = default;
+
 uint8_t* buf_ = nullptr;
 int fd_ = -1;
 size_t size_ = 0;
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 1d6bc28..ca47b6f 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -969,6 +969,7 @@ std::vector PolicyBuilder::ResolveBpfFunc(BpfFunc f) {
 }
 
 absl::StatusOr> PolicyBuilder::TryBuild() {
+ // Using `new` to access a non-public constructor.
 auto output = absl::WrapUnique(new Policy());
 
 if (user_policy_.size() > kMaxUserPolicyLength) {
diff --git a/sandboxed_api/sandbox2/stack_trace.cc b/sandboxed_api/sandbox2/stack_trace.cc
index ae5d6a4..57a9749 100644
--- a/sandboxed_api/sandbox2/stack_trace.cc
+++ b/sandboxed_api/sandbox2/stack_trace.cc
@@ -169,12 +169,8 @@ absl::StatusOr StackTracePeer::LaunchLibunwindSandbox(
 const Regs* regs, const Mounts& mounts) {
 const pid_t pid = regs->pid();
 
- // Tell executor to use this special internal mode.
- std::vector argv;
- std::vector envp;
-
- // We're not using absl::make_unique here as we're a friend of this specific
- // constructor and using make_unique won't work.
+ // Tell executor to use this special internal mode. Using `new` to access a
+ // non-public constructor.
 auto executor = absl::WrapUnique(new Executor(pid));
 
 executor->limits()
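Review bot: The new private `Buffer() = default;` in the second buffer.h hunk has no comment, yet it is the line that establishes the class invariant the first hunk creates by removing the public `Tag` constructor: with no public constructor left, `CreateFromFd()` is the only way to obtain a Buffer, so a caller can never hold one that still has the default `buf_ = nullptr` / `fd_ = -1` state. Suggest documenting that intent at the declaration, e.g. `// Not public: Buffer is only constructed by CreateFromFd(), so every instance handed out is backed by a file descriptor.` The class declaration continues outside both hunks.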
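Review bot: The rewritten comment in the stack_trace.cc hunk fuses two unrelated explanations, what the pid-taking `Executor` constructor presumably selects and why `new` is used, so a reader cannot tell which clause "this special internal mode" belongs to. Keep them as two comments: `// Tell executor to use this special internal mode.` on its own line above the construction, and `// Using \`new\` to access a non-public constructor.` directly above `absl::WrapUnique`, matching the wording this commit uses in buffer.cc and policybuilder.cc. Removing the unused `argv`/`envp` vectors is fine. LaunchLibunwindSandbox's body continues outside the hunk.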
@@ -264,9 +260,8 @@ absl::StatusOr StackTracePeer::LaunchLibunwindSandbox(
 return absl::InternalError(
 "Receiving status from libunwind sandbox failed");
 }
- if (!status.ok()) {
- return status;
- }
+ SAPI_RETURN_IF_ERROR(status);
+
 UnwindResult result;
 if (!comms->RecvProtoBuf(&result)) {
 return absl::InternalError("Receiving libunwind result failed");
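Review bot: `SAPI_RETURN_IF_ERROR(status)` depends on the header that defines that macro, and this diff contains no include change for stack_trace.cc; unless the macro is already in scope through an existing include, the hunk does not compile. The behaviour itself is unchanged: a non-OK `status` is still propagated as the function's error, exactly as the removed `if (!status.ok()) return status;` did. Since the error message just above says this status is received from the libunwind sandbox, it appears to be sandboxee-supplied data, and a short note such as `// `status` was sent by the sandboxee; treat its message as untrusted.` would make that explicit for whoever later logs or displays it. The enclosing function starts and ends outside the hunk.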