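// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef CONTRIB_ZOPFLI_SANDBOXED_
#define CONTRIB_ZOPFLI_SANDBOXED_

#include <libgen.h>
#include <syscall.h>

#include <cerrno>
#include <memory>

#include "sapi_zopfli.sapi.h"  // NOLINT(build/include)

// Sandbox for the Zopfli SAPI library that supplies its own syscall policy
// instead of relying on the one inherited from ZopfliSandbox.
class ZopfliSapiSandbox : public ZopfliSandbox {
 public:
  // Returns the syscall policy for the sandboxee.
  //
  // The builder handed in by the caller is left unnamed and unused: the
  // policy is assembled from a fresh sandbox2::PolicyBuilder, so only the
  // rules listed below come from this function.
  // NOTE(review): anything pre-configured on the incoming builder is
  // presumably not carried over; confirm that is intended.
  std::unique_ptr<sandbox2::Policy> ModifyPolicy(
      sandbox2::PolicyBuilder *) override {
    return sandbox2::PolicyBuilder()
        .AllowDynamicStartup()
        // NOTE(review): writing is allowed without narrowing it to specific
        // descriptors in this policy; what the sandboxee can write to then
        // depends on which descriptors it holds. Confirm against the caller.
        .AllowWrite()
        .AllowExit()
        // Memory mappings are allowed only without the exec permission.
        .AllowMmapWithoutExec()
        .AllowSystemMalloc()
        // Extra syscalls permitted by number. recvmsg is the only receive
        // path opened here; keep this list as short as the library allows.
        .AllowSyscalls({
            __NR_recvmsg,
            __NR_sysinfo,
        })
    // open/openat are not allowed; they are answered with ENOENT rather than
    // being treated as a violation, so any attempt to open a path from inside
    // the sandbox simply fails. The guards are needed because not every
    // architecture defines both syscall numbers.
#ifdef __NR_open
        .BlockSyscallWithErrno(__NR_open, ENOENT)
#endif
#ifdef __NR_openat
        .BlockSyscallWithErrno(__NR_openat, ENOENT)
#endif
        .BuildOrDie();
  }
};

#endif  // CONTRIB_ZOPFLI_SANDBOXED_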