diff --git a/sandboxed_api/config.h b/sandboxed_api/config.h
index a1857d0..a6b0331 100644
--- a/sandboxed_api/config.h
+++ b/sandboxed_api/config.h
@@ -90,7 +90,7 @@ constexpr bool Is64Bit() { return sizeof(uintptr_t) == 8; }
 static_assert(host_cpu::Architecture() != cpu::kUnknown,
 "Host CPU architecture is not supported: One of x86-64, POWER64 "
- "(little endian), Arm or AArch64 is required.");
+ "(little endian), ARM or AArch64 is required.");
 namespace sanitizers {
diff --git a/sandboxed_api/sandbox2/BUILD.bazel b/sandboxed_api/sandbox2/BUILD.bazel
index de31317..b677e70 100644
--- a/sandboxed_api/sandbox2/BUILD.bazel
+++ b/sandboxed_api/sandbox2/BUILD.bazel
@@ -161,6 +161,7 @@ cc_library(
 ":regs",
 ":syscall",
 ":violation_cc_proto",
+ "//sandboxed_api:config",
 "//sandboxed_api/sandbox2/network_proxy:filtering",
 "//sandboxed_api/sandbox2/util:bpf_helper",
 "//sandboxed_api/util:flags",
diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
index 04d38d8..f8f58ab 100644
--- a/sandboxed_api/sandbox2/CMakeLists.txt
+++ b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -160,6 +160,7 @@ target_link_libraries(sandbox2_policy PRIVATE
 sandbox2::syscall
 sandbox2::violation_proto
 sapi::base
+ sapi::config
 sapi::flags
 )
diff --git a/sandboxed_api/sandbox2/monitor.h b/sandboxed_api/sandbox2/monitor.h
index 4010abd..a985590 100644
--- a/sandboxed_api/sandbox2/monitor.h
+++ b/sandboxed_api/sandbox2/monitor.h
@@ -55,8 +55,8 @@ class Monitor final {
 friend class Sandbox2;
 // Timeout used with sigtimedwait (0.5s).
- static const int kWakeUpPeriodSec = 0L;
- static const int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
+ static constexpr int kWakeUpPeriodSec = 0L;
+ static constexpr int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
 // Starts the Monitor.
 void Run();
diff --git a/sandboxed_api/sandbox2/policy.cc b/sandboxed_api/sandbox2/policy.cc
index b7a151f..bea54f6 100644
--- a/sandboxed_api/sandbox2/policy.cc
+++ b/sandboxed_api/sandbox2/policy.cc
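Review bot: The `constexpr` initializers in the monitor.h hunk still carry `L` suffixes, so `kWakeUpPeriodNSec = (500L * 1000L * 1000L)` is a `long` expression narrowed into an `int`; the value fits, so it compiles silently, but the suffix is misleading and the parentheses are noise. Either drop the suffixes, `static constexpr int kWakeUpPeriodSec = 0;` and `static constexpr int kWakeUpPeriodNSec = 500 * 1000 * 1000;`, or, since the comment says these feed sigtimedwait, type them as the `timespec` fields they presumably fill (`time_t tv_sec`, `long tv_nsec`) so no conversion is needed where they are used. Under C++17 `static constexpr` data members are implicitly `inline`, so if monitor.cc still carries out-of-class definitions for them (not visible here) those are now redundant. The enclosing `class Monitor` continues outside the hunk.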
@@ -27,6 +27,7 @@
 #include
 #include "sandboxed_api/util/flag.h"
+#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/bpfdisassembler.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/regs.h"
diff --git a/sandboxed_api/sandbox2/policy.h b/sandboxed_api/sandbox2/policy.h
index 1246916..657a2b9 100644
--- a/sandboxed_api/sandbox2/policy.h
+++ b/sandboxed_api/sandbox2/policy.h
@@ -29,6 +29,7 @@
 #include "absl/base/macros.h"
 #include "absl/types/optional.h"
+#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/namespace.h"
 #include "sandboxed_api/sandbox2/network_proxy/filtering.h"
 #include "sandboxed_api/sandbox2/syscall.h"
@@ -82,6 +83,12 @@ class Policy final {
 return capabilities_.get();
 }
+ // Returns the default policy, which blocks certain dangerous syscalls and
+ // mismatched syscall tables.
+ std::vector GetDefaultPolicy() const;
+ // Returns a policy allowing the Monitor module to track all syscalls.
+ std::vector GetTrackingPolicy() const;
+
 // The Namespace object, defines ways of putting sandboxee into namespaces.
 std::unique_ptr namespace_;
@@ -102,12 +109,6 @@ class Policy final {
 std::vector user_policy_;
 bool user_policy_handles_bpf_ = false;
- // Get the default policy, which blocks certain dangerous syscalls and
- // mismatched syscall tables.
- std::vector GetDefaultPolicy() const;
- // Get a policy which would allow the Monitor module to track all syscalls.
- std::vector GetTrackingPolicy() const;
-
 // Contains a list of hosts the sandboxee is allowed to connect to.
 absl::optional allowed_hosts_;
 };
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index f6c250c..ce3e405 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
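Review bot: policy.h gains `#include "sandboxed_api/config.h"`, but nothing in the visible policy.h hunks uses a name from that header, and the same include is added to policy.cc in this commit, so it looks like only the .cc needs it. Unless a declaration in policy.h outside these hunks depends on config.h, drop the include from the header to keep the public header's transitive include set minimal.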
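Review bot: The `GetDefaultPolicy()`/`GetTrackingPolicy()` declarations move from the block holding the private members (`user_policy_`, `allowed_hosts_`) to just after the `capabilities_.get()` accessor, which presumably widens them from private to public, yet the new comments do not say who is meant to call them. `GetTrackingPolicy()` reads as a tracing aid for the Monitor rather than a restrictive policy, so a public caller needs that spelled out; suggest `// Returns a policy allowing the Monitor module to track all syscalls. For the Monitor's use; not a restrictive policy to apply to a sandboxee on its own.` The access specifier in effect at the insertion point is outside the hunk, so confirm the intended visibility; the enclosing `class Policy` continues outside the hunk.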
@@ -334,10 +334,6 @@ class PolicyBuilder final {
 // - clock_gettime
 // - gettid
 // - close
- //
- // If you don't use namespaces you should also add this to your policy:
- // - policy->GetFs()->EnableSyscall(__NR_open);
- // - policy->GetFs()->AddRegexpToGreyList("/usr/share/zoneinfo/.*");
 PolicyBuilder& AllowLogForwarding();
 // Enables the syscalls necessary to start a statically linked binary