StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Provide sealing flags if not defined in the headers

Browse Source 
Also adjust naming of MFD_ constants

PiperOrigin-RevId: 559091482
Change-Id: I74271aee443a6d174950fd258bd238587cb4c75e
This commit is contained in:
Wiktor Garbacz 2023-08-22 06:20:49 -07:00 committed by Copybara-Service
parent e75be07bb0
commit c4660f8a6e
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sandboxed_api/embed_file.cc
View File

@ -31,6 +31,14 @@ namespace sapi {
namespace { namespace {
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_SEAL_SEAL 0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#define F_SEAL_WRITE 0x0008
#endif
bool SealFile(int fd) { bool SealFile(int fd) {
constexpr int kMaxRetries = 10; constexpr int kMaxRetries = 10;
for (int i = 0; i < kMaxRetries; ++i) { for (int i = 0; i < kMaxRetries; ++i) {

6
sandboxed_api/sandbox2/util.cc
View File

@ -248,10 +248,10 @@ pid_t ForkWithFlags(int flags) {
bool CreateMemFd(int* fd, const char* name) { bool CreateMemFd(int* fd, const char* name) {
// Usually defined in linux/memfd.h. Define it here to avoid dependency on // Usually defined in linux/memfd.h. Define it here to avoid dependency on
// UAPI headers. // UAPI headers.
constexpr uintptr_t MFD_CLOEXEC = 0x0001; constexpr uintptr_t kMfdCloseOnExec = 0x0001;
constexpr uintptr_t MFD_ALLOW_SEALING = 0x0002; constexpr uintptr_t kMfdAllowSealing = 0x0002;
int tmp_fd = Syscall(__NR_memfd_create, reinterpret_cast<uintptr_t>(name), int tmp_fd = Syscall(__NR_memfd_create, reinterpret_cast<uintptr_t>(name),
MFD_CLOEXEC | MFD_ALLOW_SEALING); kMfdCloseOnExec | kMfdAllowSealing);
if (tmp_fd < 0) { if (tmp_fd < 0) {
if (errno == ENOSYS) { if (errno == ENOSYS) {
SAPI_RAW_LOG(ERROR, SAPI_RAW_LOG(ERROR,