Add DisableNamespaces to PolicyBuilder

Currently mostly no-op, but this is the first step to turn namespaces on
by default.

PiperOrigin-RevId: 249439158
Change-Id: I5eeb1216dc868c660f62ad50c34f626afbf7db61
Wiktor Garbacz 2019-05-22 06:53:49 -07:00 committed by Copybara-Service
parent 71a317e65f
commit 85059ef40d
2 changed files with 19 additions and 1 deletions


@ -31,7 +31,6 @@
#include <cstdint> #include <cstdint>
#include <utility> #include <utility>
#include <glog/logging.h>
#include "absl/strings/escaping.h" #include "absl/strings/escaping.h"
#include "absl/strings/match.h" #include "absl/strings/match.h"
#include "sandboxed_api/sandbox2/namespace.h" #include "sandboxed_api/sandbox2/namespace.h"


@ -26,6 +26,7 @@
#include <tuple> #include <tuple>
#include <vector> #include <vector>
#include <glog/logging.h>
#include "absl/base/macros.h" #include "absl/base/macros.h"
#include "absl/memory/memory.h" #include "absl/memory/memory.h"
#include "absl/strings/string_view.h" #include "absl/strings/string_view.h"
@ -444,10 +445,27 @@ class PolicyBuilder final {
// (e.g. AddFile), therefore it is only necessary to explicitly enable // (e.g. AddFile), therefore it is only necessary to explicitly enable
// namespaces when not using any other namespace helper feature. // namespaces when not using any other namespace helper feature.
PolicyBuilder& EnableNamespaces() { PolicyBuilder& EnableNamespaces() {
CHECK(!disable_namespaces_)
<< "Namespaces cannot be both disabled and enabled";
use_namespaces_ = true; use_namespaces_ = true;
return *this; return *this;
} }
// Disables the use of namespaces.
//
// Sandbox2 with namespaces enabled is the recommended mode and will be the
// default in future, then calling this function will be necessary in order
// to use Sandbox2 without namespaces.
PolicyBuilder& DisableNamespaces() {
CHECK(!use_namespaces_)
<< "Namespaces cannot be both disabled and enabled. You're probably "
"using features that implicitly enable namespaces (SetHostname, "
"AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary or "
"similar)";
disable_namespaces_ = true;
return *this;
}
// Set hostname in the network namespace instead of default "sandbox2". // Set hostname in the network namespace instead of default "sandbox2".
// //
// Calling this function will enable use of namespaces. // Calling this function will enable use of namespaces.
@ -495,6 +513,7 @@ class PolicyBuilder final {
Mounts mounts_; Mounts mounts_;
bool use_namespaces_ = false; bool use_namespaces_ = false;
bool disable_namespaces_ = false;
bool allow_unrestricted_networking_ = false; bool allow_unrestricted_networking_ = false;
std::string hostname_ = kDefaultHostname; std::string hostname_ = kDefaultHostname;
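Review bot: The new CHECK pair in `EnableNamespaces()` and `DisableNamespaces()` catches a conflict only if every helper that implicitly enables namespaces (SetHostname, AddFile, AddDirectory and the others named in the message) goes through `EnableNamespaces()` instead of writing `use_namespaces_` directly. Those helper bodies are outside the visible hunks, so this should be confirmed; otherwise `DisableNamespaces()` followed by such a helper would leave both flags set without aborting. The comment above `DisableNamespaces()` calls namespaces the recommended mode but does not mention the abort, so I would add `// CHECK-fails if namespaces were already enabled, explicitly or by a helper such as AddFile.` and a matching line on `EnableNamespaces()`. `disable_namespaces_` is written but never read in the visible lines, which matches the "mostly no-op" description; a short comment beside the member saying which build step will consume it would make the follow-up change easier to audit.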