From 2300141bdb097d0882222aa33eb1e68a14ec1945 Mon Sep 17 00:00:00 2001
From: Wiktor Garbacz <wiktorg@google.com>
Date: Thu, 18 Jul 2019 02:17:57 -0700
Subject: [PATCH] Require namespaces to be disabled explicitly

PiperOrigin-RevId: 258730797
Change-Id: I5a1df23c5176a3cecd5a343483500550f27adf44
---
 sandboxed_api/sandbox2/policybuilder.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 56bc6e1..e70636e 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -660,6 +660,9 @@ std::vector<sock_filter> PolicyBuilder::ResolveBpfFunc(BpfFunc f) {
 }
 
 ::sapi::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
+  CHECK_NE(use_namespaces_, disable_namespaces_)
+      << "Namespaces should either be enabled (by calling EnableNamespaces(), "
+         "AddFile(), etc.) or disabled (by calling DisableNamespaces())";
   if (!last_status_.ok()) {
     return last_status_;
   }