Add an `AllowAccess()` convenience function to `PolicyBuilder`

Drive-by: Apply convenience functions in policies. PiperOrigin-RevId: 340404977 Change-Id: I906106b61c1837d23ddaff15d8792ec79d3d3189
2020-11-03 02:20:49 -08:00 · 2020-11-03 02:20:49 -08:00 · 2acec65a58
parent 8952d2ce04
commit 2acec65a58
3 changed files with 17 additions and 1 deletions
--- a/oss-internship-2020/curl/sandbox.h
+++ b/oss-internship-2020/curl/sandbox.h
@ -41,9 +41,9 @@ class CurlSapiSandbox : public curl::CurlSandbox {
        .AllowRead()
        .AllowSafeFcntl()
        .AllowWrite()
+        .AllowAccess()
        .AllowSyscalls({
            __NR_accept,
-            __NR_access,
            __NR_bind,
            __NR_connect,
            __NR_getpeername,
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -269,6 +269,16 @@ PolicyBuilder& PolicyBuilder::AllowStat() {
  return *this;
 }

+PolicyBuilder& PolicyBuilder::AllowAccess() {
+#ifdef __NR_access
+  AllowSyscall(__NR_access);
+#endif
+#ifdef __NR_faccessat
+  AllowSyscall(__NR_faccessat);
+#endif
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowRead() {
  return AllowSyscalls({
      __NR_read,
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -181,6 +181,12 @@ class PolicyBuilder final {
  // - ustat
  PolicyBuilder& AllowStat();

+  // Appends code to allow checking file permissions.
+  // Allows these syscalls:
+  // - access
+  // - faccessat
+  PolicyBuilder& AllowAccess();
+
  // Appends code to the policy to allow reading from file descriptors.
  // Allows these sycalls:
  // - read