• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright 2019 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7#     https://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15# The 'tool' example demonstrates:
16# - a sandbox executor, sandboxee would be another program
17# - sandboxee sandboxed before execve
18# - very lax, separate sandbox policy written with BPFDSL
19# - expose file descriptors to executor with ReceiveFd
20# - set limits, wall time, filesystem checks, asynchronous run
21# - test to ensure sandbox executor runs sandboxee without issue
22
23load("@com_google_sandboxed_api//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
24
25package(default_visibility = [
26    "@com_google_sandboxed_api//sandboxed_api/sandbox2:__subpackages__",
27])
28
29licenses(["notice"])
30
31# Executor
32cc_binary(
33    name = "sandbox2tool",
34    srcs = ["sandbox2tool.cc"],
35    copts = sapi_platform_copts(),
36    deps = [
37        "@com_google_absl//absl/base:log_severity",
38        "@com_google_absl//absl/flags:flag",
39        "@com_google_absl//absl/flags:parse",
40        "@com_google_absl//absl/flags:usage",
41        "@com_google_absl//absl/log",
42        "@com_google_absl//absl/log:check",
43        "@com_google_absl//absl/log:globals",
44        "@com_google_absl//absl/log:initialize",
45        "@com_google_absl//absl/strings",
46        "@com_google_absl//absl/strings:str_format",
47        "@com_google_absl//absl/time",
48        "@com_google_sandboxed_api//sandboxed_api/sandbox2",
49        "@com_google_sandboxed_api//sandboxed_api/sandbox2:util",
50        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:all_syscalls",
51        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:unrestricted_networking",
52        "@com_google_sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
53        "@com_google_sandboxed_api//sandboxed_api/util:fileops",
54    ],
55)
56
57# Test
58sh_test(
59    name = "sandbox2tool_test",
60    srcs = ["sandbox2tool_test.sh"],
61    data = [":sandbox2tool"],
62    tags = ["no_qemu_user_mode"],
63)
64