Internal change
PiperOrigin-RevId: 374874118 Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63
This commit is contained in:
parent
78d749380b
commit
ab469deac3
@ -90,7 +90,7 @@ constexpr bool Is64Bit() { return sizeof(uintptr_t) == 8; }
|
|||
|
||||
static_assert(host_cpu::Architecture() != cpu::kUnknown,
|
||||
"Host CPU architecture is not supported: One of x86-64, POWER64 "
|
||||
"(little endian), Arm or AArch64 is required.");
|
||||
"(little endian), ARM or AArch64 is required.");
|
||||
|
||||
namespace sanitizers {
|
||||
|
||||
|
|
|
@ -161,6 +161,7 @@ cc_library(
|
|||
":regs",
|
||||
":syscall",
|
||||
":violation_cc_proto",
|
||||
"//sandboxed_api:config",
|
||||
"//sandboxed_api/sandbox2/network_proxy:filtering",
|
||||
"//sandboxed_api/sandbox2/util:bpf_helper",
|
||||
"//sandboxed_api/util:flags",
|
||||
|
|
|
@ -160,6 +160,7 @@ target_link_libraries(sandbox2_policy PRIVATE
|
|||
sandbox2::syscall
|
||||
sandbox2::violation_proto
|
||||
sapi::base
|
||||
sapi::config
|
||||
sapi::flags
|
||||
)
|
||||
|
||||
|
|
|
@ -55,8 +55,8 @@ class Monitor final {
|
|||
friend class Sandbox2;
|
||||
|
||||
// Timeout used with sigtimedwait (0.5s).
|
||||
static const int kWakeUpPeriodSec = 0L;
|
||||
static const int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
|
||||
static constexpr int kWakeUpPeriodSec = 0L;
|
||||
static constexpr int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
|
||||
|
||||
// Starts the Monitor.
|
||||
void Run();
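Review bot: The new constexpr initializers keep `long` literals (`0L`, `500L * 1000L * 1000L`) while the members are declared `int`; 500000000 fits in an int, so this compiles, but the suffix advertises a type the constants do not have. Either drop the suffixes or give the members the type they are consumed as — if they populate a `struct timespec` for sigtimedwait, as the comment says, `static constexpr time_t kWakeUpPeriodSec = 0;` and `static constexpr long kWakeUpPeriodNSec = 500L * 1000L * 1000L;` would match `tv_sec`/`tv_nsec` without any narrowing. If the project builds as C++17, a `static constexpr` data member is implicitly inline, so any out-of-class definition of these two constants in monitor.cc (if one exists) is now redundant and should be removed. The Monitor class starts and ends outside this hunk.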
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
|
||||
#include <glog/logging.h>
|
||||
#include "sandboxed_api/util/flag.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/bpfdisassembler.h"
|
||||
#include "sandboxed_api/sandbox2/comms.h"
|
||||
#include "sandboxed_api/sandbox2/regs.h"
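Review bot: The added `#include "sandboxed_api/config.h"` sits after `"sandboxed_api/util/flag.h"`, so the project-header group is not in sorted order (config.h sorts before sandbox2/... and util/...). flag.h was already out of place before this change, but since the block is being edited anyway, moving `#include "sandboxed_api/util/flag.h"` down to its sorted position inside the group would restore the convention the rest of the list follows. policy.h gains the same include in this commit, so keeping it here as well is consistent with include-what-you-use and does not need to be dropped.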
|
||||
|
|
|
@ -29,6 +29,7 @@
|
|||
|
||||
#include "absl/base/macros.h"
|
||||
#include "absl/types/optional.h"
|
||||
#include "sandboxed_api/config.h"
|
||||
#include "sandboxed_api/sandbox2/namespace.h"
|
||||
#include "sandboxed_api/sandbox2/network_proxy/filtering.h"
|
||||
#include "sandboxed_api/sandbox2/syscall.h"
|
||||
|
@ -82,6 +83,12 @@ class Policy final {
|
|||
return capabilities_.get();
|
||||
}
|
||||
|
||||
// Returns the default policy, which blocks certain dangerous syscalls and
|
||||
// mismatched syscall tables.
|
||||
std::vector<sock_filter> GetDefaultPolicy() const;
|
||||
// Returns a policy allowing the Monitor module to track all syscalls.
|
||||
std::vector<sock_filter> GetTrackingPolicy() const;
|
||||
|
||||
// The Namespace object, defines ways of putting sandboxee into namespaces.
|
||||
std::unique_ptr<Namespace> namespace_;
|
||||
|
||||
|
@ -102,12 +109,6 @@ class Policy final {
|
|||
std::vector<sock_filter> user_policy_;
|
||||
bool user_policy_handles_bpf_ = false;
|
||||
|
||||
// Get the default policy, which blocks certain dangerous syscalls and
|
||||
// mismatched syscall tables.
|
||||
std::vector<sock_filter> GetDefaultPolicy() const;
|
||||
// Get a policy which would allow the Monitor module to track all syscalls.
|
||||
std::vector<sock_filter> GetTrackingPolicy() const;
|
||||
|
||||
// Contains a list of hosts the sandboxee is allowed to connect to.
|
||||
absl::optional<AllowedHosts> allowed_hosts_;
|
||||
};
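Review bot: The relocated declarations of `GetDefaultPolicy()` and `GetTrackingPolicy()` return the BPF program by value, and a caller that forgets to use the result silently runs without those filters; since `absl/base/macros.h` is already included (it pulls in the attributes header), `ABSL_MUST_USE_RESULT std::vector<sock_filter> GetDefaultPolicy() const;` and the same on `GetTrackingPolicy` would turn that mistake into a compiler warning. The phrase "mismatched syscall tables" in the new comment is also worth making concrete: presumably it refers to syscalls issued through a non-native ABI (a different architecture's syscall entry point), which should be confirmed against policy.cc and stated as e.g. `// ... and syscalls issued via a non-native ABI (architecture mismatch).` The Policy class begins before this hunk, so whether the moved declarations now sit in the public or private section cannot be seen here.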
|
||||
|
|
|
@ -334,10 +334,6 @@ class PolicyBuilder final {
|
|||
// - clock_gettime
|
||||
// - gettid
|
||||
// - close
|
||||
//
|
||||
// If you don't use namespaces you should also add this to your policy:
|
||||
// - policy->GetFs()->EnableSyscall(__NR_open);
|
||||
// - policy->GetFs()->AddRegexpToGreyList("/usr/share/zoneinfo/.*");
|
||||
PolicyBuilder& AllowLogForwarding();
|
||||
|
||||
// Enables the syscalls necessary to start a statically linked binary
|
||||
|
|