Default security policy

[הדס מרזוק‎]

Hello, 

I have some questions regarding the default security policy

What are the default security policies (syscalls and resources limit) that SAPI and Sandbox2 support?

Does defining new policy override the default policy in case of contradiction?

Thank you

[Robert Swiecki]

Hi,

‬

For Sandbox2, there's only a very small default policy, which doesn't have too much in common with commonly used syscalls - it mostly enforces CPU arch, and other internal things. Your policy will be appended to it:

https://github.com/google/sandboxed-api/blob/39026f76782007d2dc3f156d561634f0a6ab3e0e/sandboxed_api/sandbox2/policy.cc#L98

For SAPI - there's a default policy included

https://github.com/google/sandboxed-api/blob/39026f76782007d2dc3f156d561634f0a6ab3e0e/sandboxed_api/sandbox.cc#L59

It can be both amended, left unchanged or replaced by a new one depending on the contents of ModifyPolicy, eg:

https://github.com/google/sandboxed-api/blob/39026f76782007d2dc3f156d561634f0a6ab3e0e/contrib/zstd/sandboxed.h#L27

HTH

--

Robert Święcki