policybuilder: Remove deprecated DisableNamespaces()

The functionality is now guarded with `sandbox2::NamespacesToken()`. An example usage can be found in `//sandboxed_api/sandbox2/stack_trace_test.cc`. PiperOrigin-RevId: 723833699 Change-Id: Ie8d7e0eec65dfa65743f5090f18331d04f6a28b8
google · Feb 6, 2025 · 50f75d0 · 50f75d0
1 parent 05512ae
commit 50f75d0
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 14 deletions.
diff --git a/oss-internship-2020/libuv/tests/CMakeLists.txt b/oss-internship-2020/libuv/tests/CMakeLists.txt
@@ -29,6 +29,7 @@ target_link_libraries(tests
   uv_a
   uv_sapi
   sapi::sapi
+  sandbox2::allowlists_namespaces
 )
 
 gtest_discover_tests(tests)
diff --git a/oss-internship-2020/libuv/tests/test_os.cc b/oss-internship-2020/libuv/tests/test_os.cc
@@ -36,7 +36,7 @@ class UVTestOSSapiSandbox : public uv::UVSandbox {
         .AllowOpen()
         .AllowWrite()
         .AllowSyscalls({__NR_connect, __NR_socket})
-        .DisableNamespaces()
+        .DisableNamespaces(NamespacesToken())
         .BuildOrDie();
   }
 };

diff --git a/sandboxed_api/sandbox2/BUILD b/sandboxed_api/sandbox2/BUILD
@@ -1042,6 +1042,7 @@ cc_test(
         "@com_google_googletest//:gtest_main",
         "@com_google_sandboxed_api//sandboxed_api:testing",
         "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:testonly_all_syscalls",
+        "@com_google_sandboxed_api//sandboxed_api/sandbox2/allowlists:testonly_namespaces",
         "@com_google_sandboxed_api//sandboxed_api/util:fileops",
         "@com_google_sandboxed_api//sandboxed_api/util:status_matchers",
     ],

diff --git a/sandboxed_api/sandbox2/CMakeLists.txt b/sandboxed_api/sandbox2/CMakeLists.txt
@@ -1167,6 +1167,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     absl::strings
     absl::time
     sandbox2::allowlists_all_syscalls
+    sandbox2::allowlists_namespaces
     sandbox2::global_forkserver
     sandbox2::sandbox2
     sandbox2::stack_trace

diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
@@ -179,10 +179,6 @@ PolicyBuilder& PolicyBuilder::DisableNamespaces(NamespacesToken) {
   return *this;
 }
 
-PolicyBuilder& PolicyBuilder::DisableNamespaces() {
-  return DisableNamespaces(NamespacesToken());
-}
-
 PolicyBuilder& PolicyBuilder::Allow(MapExec) {
   allow_map_exec_ = true;
   return *this;

diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
@@ -855,14 +855,6 @@ class PolicyBuilder final {
     return *this;
   }
 
-  // Disables the use of namespaces.
-  //
-  // This will disable *all* namespaces.
-  //
-  // IMPORTANT: This is not recommended.
-  ABSL_DEPRECATED("Use DisableNamespaces(NamespacesToken()) instead.")
-  PolicyBuilder& DisableNamespaces();
-
   // Set hostname in the network namespace.
   //
   // The default hostname is "sandbox2".

diff --git a/sandboxed_api/sandbox2/stack_trace_test.cc b/sandboxed_api/sandbox2/stack_trace_test.cc
@@ -31,6 +31,7 @@
 #include "absl/strings/str_cat.h"
 #include "absl/time/time.h"
 #include "sandboxed_api/sandbox2/allowlists/all_syscalls.h"
+#include "sandboxed_api/sandbox2/allowlists/namespaces.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -162,7 +163,8 @@ TEST_P(StackTraceTest, SymbolizationWorksWithoutnNamespaces) {
   auto old_modify_policy = test_case.modify_policy;
   test_case.modify_policy = [old_modify_policy](PolicyBuilder* builder) {
     *builder = PolicyBuilder();
-    builder->DefaultAction(AllowAllSyscalls()).DisableNamespaces();
+    builder->DefaultAction(AllowAllSyscalls())
+        .DisableNamespaces(NamespacesToken());
     if (old_modify_policy) {
       old_modify_policy(builder);
     }