StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Disallow AddPolicyForSyscalls with an empty list

Browse Source 
PiperOrigin-RevId: 549887306
Change-Id: I05a97b39a2c92ad5ab2002c7af7e83a8184392cf
This commit is contained in:
Wiktor Garbacz 2023-07-21 02:24:03 -07:00 committed by Copybara-Service
parent e86462db77
commit 9d1d4b7fd3
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sandboxed_api/sandbox2/policybuilder.cc
View File

@ -1068,6 +1068,11 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(uint32_t num, BpfFunc f) {
PolicyBuilder& PolicyBuilder::AddPolicyOnSyscalls( PolicyBuilder& PolicyBuilder::AddPolicyOnSyscalls(
absl::Span<const uint32_t> nums, absl::Span<const sock_filter> policy) { absl::Span<const uint32_t> nums, absl::Span<const sock_filter> policy) {
if (nums.empty()) {
SetError(absl::InvalidArgumentError(
"Cannot add a policy for empty list of syscalls"));
return *this;
}
std::deque<sock_filter> out; std::deque<sock_filter> out;
// Insert and verify the policy. // Insert and verify the policy.
out.insert(out.end(), policy.begin(), policy.end()); out.insert(out.end(), policy.begin(), policy.end());

1
sandboxed_api/sandbox2/policybuilder_test.cc
View File

@ -96,7 +96,6 @@ TEST(PolicyBuilderTest, Testpolicy_size) {
assert_increased(); assert_increased();
builder.AddPolicyOnSyscalls({ __NR_fchmod, __NR_chdir }, { ALLOW }); builder.AddPolicyOnSyscalls({ __NR_fchmod, __NR_chdir }, { ALLOW });
assert_increased(); assert_increased();
builder.AddPolicyOnSyscalls({ }, { ALLOW }); assert_increased();
// This might change in the future if we implement an optimization. // This might change in the future if we implement an optimization.
builder.AddPolicyOnSyscall(__NR_umask, { ALLOW }); assert_increased(); builder.AddPolicyOnSyscall(__NR_umask, { ALLOW }); assert_increased();