Add DisableNamespaces to PolicyBuilder

Currently mostly no-op, but this is the first step to turn namespaces on by default. PiperOrigin-RevId: 249439158 Change-Id: I5eeb1216dc868c660f62ad50c34f626afbf7db61
2024-03-22 13:11:30 +08:00 · 2019-05-22 06:53:49 -07:00 · 2019-05-22 06:53:49 -07:00 · 85059ef40d
commit 85059ef40d
parent 71a317e65f
2 changed files with 19 additions and 1 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -31,7 +31,6 @@
 #include <cstdint>
 #include <utility>

-#include <glog/logging.h>
 #include "absl/strings/escaping.h"
 #include "absl/strings/match.h"
 #include "sandboxed_api/sandbox2/namespace.h"
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -26,6 +26,7 @@
 #include <tuple>
 #include <vector>

+#include <glog/logging.h>
 #include "absl/base/macros.h"
 #include "absl/memory/memory.h"
 #include "absl/strings/string_view.h"
@ -444,10 +445,27 @@ class PolicyBuilder final {
  // (e.g. AddFile), therefore it is only necessary to explicitly enable
  // namespaces when not using any other namespace helper feature.
  PolicyBuilder& EnableNamespaces() {
+    CHECK(!disable_namespaces_)
+        << "Namespaces cannot be both disabled and enabled";
    use_namespaces_ = true;
    return *this;
  }

+  // Disables the use of namespaces.
+  //
+  // Sandbox2 with namespaces enabled is the recommended mode and will be the
+  // default in future, then calling this function will be necessary in order
+  // to use Sandbox2 without namespaces.
+  PolicyBuilder& DisableNamespaces() {
+    CHECK(!use_namespaces_)
+        << "Namespaces cannot be both disabled and enabled. You're probably "
+           "using features that implicitly enable namespaces (SetHostname, "
+           "AddFile, AddDirectory, AddDataDependency, AddLibrariesForBinary or "
+           "similar)";
+    disable_namespaces_ = true;
+    return *this;
+  }
+
  // Set hostname in the network namespace instead of default "sandbox2".
  //
  // Calling this function will enable use of namespaces.
@ -495,6 +513,7 @@ class PolicyBuilder final {

  Mounts mounts_;
  bool use_namespaces_ = false;
+  bool disable_namespaces_ = false;
  bool allow_unrestricted_networking_ = false;
  std::string hostname_ = kDefaultHostname;