From cea046d3e29b86e04bd6ce7821ee1409cea2db37 Mon Sep 17 00:00:00 2001 From: Federico Stazi Date: Thu, 20 Aug 2020 17:46:30 +0000 Subject: [PATCH] Implement stricter policy --- .gitmodules | 3 ++ oss-internship-2020/curl/sandbox.h | 61 +++++++++++++++++++++++ oss-internship-2020/curl/tests/googletest | 1 + 3 files changed, 65 insertions(+) create mode 100644 oss-internship-2020/curl/sandbox.h create mode 160000 oss-internship-2020/curl/tests/googletest diff --git a/.gitmodules b/.gitmodules index ad0eddc..f809423 100644 --- a/.gitmodules +++ b/.gitmodules @@ -7,3 +7,6 @@ [submodule "oss-internship-2020/curl/curl_wrapper/curl"] path = oss-internship-2020/curl/curl_wrapper/curl url = https://github.com/curl/curl +[submodule "oss-internship-2020/curl/tests/googletest"] + path = oss-internship-2020/curl/tests/googletest + url = git@github.com:google/googletest.git diff --git a/oss-internship-2020/curl/sandbox.h b/oss-internship-2020/curl/sandbox.h new file mode 100644 index 0000000..8ba2c67 --- /dev/null +++ b/oss-internship-2020/curl/sandbox.h @@ -0,0 +1,61 @@ +// Copyright 2020 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include + +#include + +#include "curl_sapi.sapi.h" +#include "sandboxed_api/util/flag.h" + +class CurlSapiSandbox : public CurlSandbox { + protected: + std::unique_ptr ModifyPolicy( + sandbox2::PolicyBuilder* policy_builder) override { + // Return a new policy + return (*policy_builder) + .AllowDynamicStartup() + .AllowExit() + .AllowFork() + .AllowHandleSignals() + .AllowOpen() + .AllowRead() + .AllowSafeFcntl() + .AllowWrite() + .AllowSyscalls({ + __NR_accept, + __NR_access, + __NR_bind, + __NR_connect, + __NR_futex, + __NR_getpeername, + __NR_getsockname, + __NR_getsockopt, + __NR_ioctl, + __NR_listen, + __NR_madvise, + __NR_mmap, + __NR_poll, + __NR_recvfrom, + __NR_recvmsg, + __NR_sendmmsg, + __NR_sendto, + __NR_setsockopt, + __NR_socket + }) + .AllowUnrestrictedNetworking() + .AddDirectory("/lib") + .BuildOrDie(); + } +}; diff --git a/oss-internship-2020/curl/tests/googletest b/oss-internship-2020/curl/tests/googletest new file mode 160000 index 0000000..adeef19 --- /dev/null +++ b/oss-internship-2020/curl/tests/googletest @@ -0,0 +1 @@ +Subproject commit adeef192947fbc0f68fa14a6c494c8df32177508