Call DisableNamespaces where needed
PiperOrigin-RevId: 249637351
Change-Id: I5105d89ea0e8cfb2fca1e5ac342fa67e9caac930
diff --git a/sandboxed_api/sandbox2/buffer_test.cc b/sandboxed_api/sandbox2/buffer_test.cc
index 32c5c02..425032d 100644
--- a/sandboxed_api/sandbox2/buffer_test.cc
+++ b/sandboxed_api/sandbox2/buffer_test.cc
@@ -63,6 +63,7 @@
std::unique_ptr<Policy> BufferTestcasePolicy() {
auto s2p = PolicyBuilder()
+ .DisableNamespaces()
.AllowStaticStartup()
.AllowExit()
.AllowSafeFcntl()
diff --git a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
index 7c2176f..ec87d4b 100644
--- a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
@@ -49,6 +49,7 @@
std::unique_ptr<sandbox2::Policy> GetPolicy() {
return sandbox2::PolicyBuilder()
+ .DisableNamespaces()
.AllowExit()
.AddPolicyOnSyscalls(
{__NR_read, __NR_write, __NR_close},
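Review bot: The added `.DisableNamespaces()` in `GetPolicy()` carries no comment, and this file lives under examples/, where a policy is likely to be copied as a starting point. Nothing in the hunk says why the example opts out of namespace isolation, so a reader may take it as the recommended default. I would put a line above the call along the lines of `// Namespaces are disabled here because <reason>; keep them enabled in real policies unless you have a specific need.`, with the reason filled in by the author. The builder chain continues past the end of the hunk.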
diff --git a/sandboxed_api/sandbox2/ipc_test.cc b/sandboxed_api/sandbox2/ipc_test.cc
index 97ce506..339dbdc 100644
--- a/sandboxed_api/sandbox2/ipc_test.cc
+++ b/sandboxed_api/sandbox2/ipc_test.cc
@@ -44,6 +44,7 @@
Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test"));
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
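Review bot: With `.DisableNamespaces()` added next to `.DangerDefaultAllowAll()`, this policy applies neither namespace isolation nor syscall filtering, yet the existing comment explains only the syscall half. I would extend it to cover both, e.g. `// Test-only: no namespaces and no syscall restrictions; do not reuse this policy outside tests.` The same pair appears in the other two hunks of this file and in the hunks of limits_test.cc, namespace_test.cc (the `-83`, `-122` and `-151` hunks), sandbox2_test.cc and sanitizer_test.cc. Since the chain is repeated that often, a shared test helper returning this policy would keep the choice and its rationale in one place.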
@@ -74,6 +75,7 @@
Comms comms(executor->ipc()->ReceiveFd(kPreferredIpcFd, "ipc_test"));
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -100,6 +102,7 @@
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
diff --git a/sandboxed_api/sandbox2/limits_test.cc b/sandboxed_api/sandbox2/limits_test.cc
index 9b27b9c..ce04358 100644
--- a/sandboxed_api/sandbox2/limits_test.cc
+++ b/sandboxed_api/sandbox2/limits_test.cc
@@ -42,6 +42,7 @@
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -59,6 +60,7 @@
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -76,6 +78,7 @@
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -93,6 +96,7 @@
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -110,6 +114,7 @@
executor->limits()->set_rlimit_as(100ULL << 20); // 100 MiB
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, sandbox2::PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
diff --git a/sandboxed_api/sandbox2/namespace_test.cc b/sandboxed_api/sandbox2/namespace_test.cc
index 702570a..06c28cf 100644
--- a/sandboxed_api/sandbox2/namespace_test.cc
+++ b/sandboxed_api/sandbox2/namespace_test.cc
@@ -83,6 +83,7 @@
{
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all
.DangerDefaultAllowAll()
.TryBuild());
@@ -103,6 +104,7 @@
std::vector<std::string> args = {path, "3", "1000", "1000"};
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .EnableNamespaces()
// Don't restrict the syscalls at all
.DangerDefaultAllowAll()
.EnableNamespaces()
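Review bot: The added `.EnableNamespaces()` at the top of this chain duplicates the `.EnableNamespaces()` that is already present right after `.DangerDefaultAllowAll()`, so the builder now receives the call twice. Whether the builder tolerates a repeated call is not visible here; either way one of the two should go, most simply by dropping the added line. The statement continues past the end of the hunk.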
@@ -122,6 +124,7 @@
std::vector<std::string> args = {path, "3", uid, gid};
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all
.DangerDefaultAllowAll()
.TryBuild());
@@ -151,6 +154,7 @@
TEST_F(HostnameTest, None) {
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all
.DangerDefaultAllowAll()
.TryBuild());
diff --git a/sandboxed_api/sandbox2/notify_test.cc b/sandboxed_api/sandbox2/notify_test.cc
index fb285fb..557f7f1 100644
--- a/sandboxed_api/sandbox2/notify_test.cc
+++ b/sandboxed_api/sandbox2/notify_test.cc
@@ -42,6 +42,7 @@
// chosen because unlikely to be called by a regular program.
std::unique_ptr<Policy> NotifyTestcasePolicy() {
return PolicyBuilder()
+ .DisableNamespaces()
.AllowStaticStartup()
.AllowExit()
.AllowRead()
diff --git a/sandboxed_api/sandbox2/policy_test.cc b/sandboxed_api/sandbox2/policy_test.cc
index b27be97..6f6758a 100644
--- a/sandboxed_api/sandbox2/policy_test.cc
+++ b/sandboxed_api/sandbox2/policy_test.cc
@@ -41,6 +41,7 @@
std::unique_ptr<Policy> PolicyTestcasePolicy() {
return PolicyBuilder()
+ .DisableNamespaces()
.AllowStaticStartup()
.AllowExit()
.AllowRead()
diff --git a/sandboxed_api/sandbox2/policybuilder_test.cc b/sandboxed_api/sandbox2/policybuilder_test.cc
index 1318b7c..68af600 100644
--- a/sandboxed_api/sandbox2/policybuilder_test.cc
+++ b/sandboxed_api/sandbox2/policybuilder_test.cc
@@ -194,6 +194,7 @@
TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
PolicyBuilder b;
+ b.EnableNamespaces();
ASSERT_THAT(b.BuildOrDie(), NotNull());
ASSERT_DEATH(b.BuildOrDie(), "Can only build policy once");
}
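Review bot: `b.EnableNamespaces();` in `TestCanOnlyBuildOnce` has no visible connection to what the test asserts, which is that a second `BuildOrDie()` dies. If the call is there only so the builder has an explicit namespace setting, a short comment would say so, e.g. `// Namespace setting is irrelevant to this test; it is set explicitly so only the build-once check is exercised.` That reading is inferred from the commit title and should be confirmed by the author.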
diff --git a/sandboxed_api/sandbox2/sandbox2_test.cc b/sandboxed_api/sandbox2/sandbox2_test.cc
index 6d29e8f..1a3f290 100644
--- a/sandboxed_api/sandbox2/sandbox2_test.cc
+++ b/sandboxed_api/sandbox2/sandbox2_test.cc
@@ -54,6 +54,7 @@
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -75,6 +76,7 @@
executor->set_enable_sandbox_before_exec(false);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -101,6 +103,7 @@
auto executor = absl::make_unique<Executor>(fd, args, envs);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());
@@ -205,8 +208,9 @@
std::vector<std::string> envs;
auto executor = absl::make_unique<Executor>(path, args, envs);
- SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
- PolicyBuilder().DangerDefaultAllowAll().TryBuild());
+ SAPI_ASSERT_OK_AND_ASSIGN(
+ auto policy,
+ PolicyBuilder().DisableNamespaces().DangerDefaultAllowAll().TryBuild());
executor->limits()->set_walltime_limit(absl::Seconds(5));
Sandbox2 sandbox(std::move(executor), std::move(policy));
auto start = absl::Now();
diff --git a/sandboxed_api/sandbox2/sanitizer_test.cc b/sandboxed_api/sandbox2/sanitizer_test.cc
index 64f121e..4ba7fd8 100644
--- a/sandboxed_api/sandbox2/sanitizer_test.cc
+++ b/sandboxed_api/sandbox2/sanitizer_test.cc
@@ -130,6 +130,7 @@
auto executor = absl::make_unique<Executor>(path, args);
SAPI_ASSERT_OK_AND_ASSIGN(auto policy, PolicyBuilder()
+ .DisableNamespaces()
// Don't restrict the syscalls at all.
.DangerDefaultAllowAll()
.TryBuild());