Add an AllowAccess() convenience function to PolicyBuilder

Drive-by: Apply convenience functions in policies.
PiperOrigin-RevId: 340404977
Change-Id: I906106b61c1837d23ddaff15d8792ec79d3d3189

oss-internship-2020/curl/sandbox.h

@@ -41,9 +41,9 @@ class CurlSapiSandbox : public curl::CurlSandbox {
         .AllowRead()
         .AllowSafeFcntl()
         .AllowWrite()
+        .AllowAccess()
         .AllowSyscalls({
             __NR_accept,
-            __NR_access,
             __NR_bind,
             __NR_connect,
             __NR_getpeername,

sandboxed_api/sandbox2/policybuilder.cc

@@ -269,6 +269,16 @@ PolicyBuilder& PolicyBuilder::AllowStat() {
   return *this;
 }
 
+PolicyBuilder& PolicyBuilder::AllowAccess() {
+#ifdef __NR_access
+  AllowSyscall(__NR_access);
+#endif
+#ifdef __NR_faccessat
+  AllowSyscall(__NR_faccessat);
+#endif
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowRead() {
   return AllowSyscalls({
       __NR_read,

sandboxed_api/sandbox2/policybuilder.h

@@ -181,6 +181,12 @@ class PolicyBuilder final {
   // - ustat
   PolicyBuilder& AllowStat();
 
+  // Appends code to allow checking file permissions.
+  // Allows these syscalls:
+  // - access
+  // - faccessat
+  PolicyBuilder& AllowAccess();
+
   // Appends code to the policy to allow reading from file descriptors.
   // Allows these sycalls:
   // - read