StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

Adjust sandboxed_api default policy

Browse Source 
PiperOrigin-RevId: 557762512
Change-Id: I600c8126ee09b8bab927013de25fcb836c78ac9a
This commit is contained in:
Wiktor Garbacz 2023-08-17 02:51:24 -07:00 committed by Copybara-Service
parent f378d22405
commit 18c64ae10f
1 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
sandboxed_api/sandbox.cc
View File

@ -70,21 +70,20 @@ void InitDefaultPolicyBuilder(sandbox2::PolicyBuilder* builder) {
.AllowHandleSignals() .AllowHandleSignals()
.AllowSystemMalloc() .AllowSystemMalloc()
.AllowSafeFcntl() .AllowSafeFcntl()
.AllowSyscall(__NR_recvmsg) .AllowGetPIDs()
.AllowSyscall(__NR_sendmsg)
.AllowSyscall(__NR_futex)
.AllowSyscall(__NR_close)
.AllowSyscall(__NR_lseek)
.AllowSyscall(__NR_getpid)
.AllowSyscall(__NR_getppid)
.AllowSyscall(__NR_gettid)
.AllowSleep() .AllowSleep()
.AllowSyscall(__NR_uname) .AllowReadlink()
.AllowSyscall(__NR_getrandom) .AllowSyscalls({
.AllowSyscall(__NR_kill) __NR_recvmsg,
.AllowSyscall(__NR_tgkill) __NR_sendmsg,
.AllowSyscall(__NR_tkill) __NR_futex,
.AllowReadlink(); __NR_close,
__NR_lseek,
__NR_uname,
__NR_kill,
__NR_tgkill,
__NR_tkill,
});
#ifdef __NR_arch_prctl // x86-64 only #ifdef __NR_arch_prctl // x86-64 only
builder->AllowSyscall(__NR_arch_prctl); builder->AllowSyscall(__NR_arch_prctl);