Internal change

PiperOrigin-RevId: 374874118
Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63
This commit is contained in:
Christian Blichmann 2021-05-20 08:16:45 -07:00 committed by Copybara-Service
parent 78d749380b
commit ab469deac3
7 changed files with 13 additions and 13 deletions


@ -90,7 +90,7 @@ constexpr bool Is64Bit() { return sizeof(uintptr_t) == 8; }
static_assert(host_cpu::Architecture() != cpu::kUnknown,
"Host CPU architecture is not supported: One of x86-64, POWER64 "
"(little endian), Arm or AArch64 is required.");
"(little endian), ARM or AArch64 is required.");
namespace sanitizers {


@ -161,6 +161,7 @@ cc_library(
":regs",
":syscall",
":violation_cc_proto",
"//sandboxed_api:config",
"//sandboxed_api/sandbox2/network_proxy:filtering",
"//sandboxed_api/sandbox2/util:bpf_helper",
"//sandboxed_api/util:flags",


@ -160,6 +160,7 @@ target_link_libraries(sandbox2_policy PRIVATE
sandbox2::syscall
sandbox2::violation_proto
sapi::base
sapi::config
sapi::flags
)


@ -55,8 +55,8 @@ class Monitor final {
friend class Sandbox2;
// Timeout used with sigtimedwait (0.5s).
static const int kWakeUpPeriodSec = 0L;
static const int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
static constexpr int kWakeUpPeriodSec = 0L;
static constexpr int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
// Starts the Monitor.
void Run();
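Review bot: The two `L` suffixes on the new `static constexpr int` members are now misleading, since the literals are `long` but the declared type is `int` (the values fit, so this is only a readability point). I would drop the suffixes and let the type speak for itself: `static constexpr int kWakeUpPeriodSec = 0;` and `static constexpr int kWakeUpPeriodNSec = 500 * 1000 * 1000;`. The surrounding class body of Monitor continues outside the hunk, so I cannot see whether an out-of-line definition for these members existed elsewhere and should now be removed.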


@ -27,6 +27,7 @@
#include <glog/logging.h>
#include "sandboxed_api/util/flag.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/bpfdisassembler.h"
#include "sandboxed_api/sandbox2/comms.h"
#include "sandboxed_api/sandbox2/regs.h"
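Review bot: The new `#include "sandboxed_api/config.h"` is inserted after `sandboxed_api/util/flag.h`, which breaks the alphabetical ordering of the project include group that the neighbouring lines follow. I would move it to the top of the group: `#include "sandboxed_api/config.h"` before `#include "sandboxed_api/sandbox2/bpfdisassembler.h"`, leaving `sandboxed_api/util/flag.h` where the sorted order puts it. Only the include block is visible here, so I cannot confirm which symbol from config.h the new code in policy.cc uses.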


@ -29,6 +29,7 @@
#include "absl/base/macros.h"
#include "absl/types/optional.h"
#include "sandboxed_api/config.h"
#include "sandboxed_api/sandbox2/namespace.h"
#include "sandboxed_api/sandbox2/network_proxy/filtering.h"
#include "sandboxed_api/sandbox2/syscall.h"
@ -82,6 +83,12 @@ class Policy final {
return capabilities_.get();
}
// Returns the default policy, which blocks certain dangerous syscalls and
// mismatched syscall tables.
std::vector<sock_filter> GetDefaultPolicy() const;
// Returns a policy allowing the Monitor module to track all syscalls.
std::vector<sock_filter> GetTrackingPolicy() const;
// The Namespace object, defines ways of putting sandboxee into namespaces.
std::unique_ptr<Namespace> namespace_;
@ -102,12 +109,6 @@ class Policy final {
std::vector<sock_filter> user_policy_;
bool user_policy_handles_bpf_ = false;
// Get the default policy, which blocks certain dangerous syscalls and
// mismatched syscall tables.
std::vector<sock_filter> GetDefaultPolicy() const;
// Get a policy which would allow the Monitor module to track all syscalls.
std::vector<sock_filter> GetTrackingPolicy() const;
// Contains a list of hosts the sandboxee is allowed to connect to.
absl::optional<AllowedHosts> allowed_hosts_;
};
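Review bot: The relocated declarations of `GetDefaultPolicy()` and `GetTrackingPolicy()` do not say whether the returned `std::vector<sock_filter>` is a loadable seccomp program on its own or a fragment meant to be combined with the user policy, which matters if the move makes them reachable from outside the class. The hunk at the class body shows no access specifier, so whether they now sit in the public section cannot be determined from here; if they are public, the tracking policy's comment should warn that it is meant for the Monitor and not as a standalone sandbox policy, e.g. `// Returns a policy allowing the Monitor module to track all syscalls. Not a restrictive policy on its own; intended to be combined with the user policy by the Monitor.`. The class body of Policy starts and ends outside the visible hunks.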


@ -334,10 +334,6 @@ class PolicyBuilder final {
// - clock_gettime
// - gettid
// - close
//
// If you don't use namespaces you should also add this to your policy:
// - policy->GetFs()->EnableSyscall(__NR_open);
// - policy->GetFs()->AddRegexpToGreyList("/usr/share/zoneinfo/.*");
PolicyBuilder& AllowLogForwarding();
// Enables the syscalls necessary to start a statically linked binary