From 1db315207a08d9673a5a8aa4e94ffdbb337c5126 Mon Sep 17 00:00:00 2001
From: Sandboxed API Team
Date: Tue, 5 Apr 2022 00:28:44 -0700
Subject: [PATCH] Allow access to /sys/devices/system/cpu/
PiperOrigin-RevId: 439506287
Change-Id: I5d41ed234860f02329c960144b1da725e24549dd
---
 sandboxed_api/sandbox2/policybuilder.cc | 1 +
 sandboxed_api/sandbox2/policybuilder.h | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index d9180ef..1d675ae 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -502,6 +502,7 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequencesWithProcFiles(
 AllowRestartableSequences(cpu_fence_mode);
 AddFile("/proc/cpuinfo");
 AddFile("/proc/stat");
+ AddDirectory("/sys/devices/system/cpu");
 if (cpu_fence_mode == kAllowSlowFences) {
 AddFile("/proc/self/cpuset");
 }
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 48ddcee..a8969f6 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -148,6 +148,8 @@ class PolicyBuilder final {
 // Allows these files:
 // - "/proc/cpuinfo"
 // - "/proc/stat"
+ // And this directory (including subdirs/files):
+ // - "/sys/devices/system/cpu/"
 //
 // If `cpu_fence_mode` is `kAllowSlowFences`, also permits slow CPU fences.
 // Allows these syscalls:
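Review bot: The added `AddDirectory("/sys/devices/system/cpu");` in AllowRestartableSequencesWithProcFiles exposes the whole sysfs CPU subtree to every sandboxee that opts into this helper, which is a much wider grant than the individual /proc files mapped next to it. If the consumer only reads a few entries (presumably the CPU online/possible lists, which this hunk does not show), map those with `AddFile(...)` instead. Otherwise put a why-comment above the call, for example `// <consumer> walks per-CPU entries under this tree, so the whole directory is mapped (read-only)`, where `<consumer>` is a placeholder for the real reader. The updated comment in the policybuilder.h hunk lists the directory but does not say whether it is mounted read-only, and the helper's name still says only "ProcFiles", so someone auditing a policy by name could miss the sysfs grant. The function body starts and ends outside the hunk.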