Improve examples

- CRC4: More readable policy, added explanatory comment - Use `AllowLlvmSaniters()` in policies PiperOrigin-RevId: 402296504 Change-Id: I6853199abedf2441eaffff9186d4d354c142e485
2024-03-22 13:11:30 +08:00 · 2021-10-11 07:50:01 -07:00 · 2021-10-11 07:50:01 -07:00 · 2c42654333
commit 2c42654333
parent d05dc7ba02
2 changed files with 20 additions and 21 deletions
--- a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
@ -50,23 +50,27 @@ ABSL_FLAG(bool, call_syscall_not_allowed, false,
 namespace {

 std::unique_ptr<sandbox2::Policy> GetPolicy() {
-  sandbox2::PolicyBuilder builder;
-  builder.DisableNamespaces().AllowExit().AddPolicyOnSyscalls(
-      {__NR_read, __NR_write, __NR_close},
-      {
-          ARG_32(0),
-          JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW),
-      });
-  if constexpr (sapi::sanitizers::IsAny()) {
-    builder.AllowSyscall(__NR_mmap);
-  }
-  return builder.BuildOrDie();
+  return sandbox2::PolicyBuilder()
+      .DisableNamespaces()  // Safe, as we only allow I/O on existing FDs.
+      .AllowExit()
+      .AddPolicyOnSyscalls(
+          {
+              __NR_read,
+              __NR_write,
+              __NR_close,
+          },
+          {
+              ARG_32(0),
+              JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW),
+          })
+      .AllowLlvmSanitizers()  // Will be a no-op when not using sanitizers.
+      .BuildOrDie();
 }

 bool SandboxedCRC4(sandbox2::Comms* comms, uint32_t* crc4) {
  const std::string input = absl::GetFlag(FLAGS_input);

-  const uint8_t* buf = reinterpret_cast<const uint8_t*>(input.data());
+  auto* buf = reinterpret_cast<const uint8_t*>(input.data());
  size_t buf_size = input.size();

  if (!comms->SendBytes(buf, buf_size)) {
--- a/sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc
+++ b/sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc
@ -38,10 +38,7 @@
 #include "sandboxed_api/util/runfiles.h"

 std::unique_ptr<sandbox2::Policy> GetPolicy() {
-  sandbox2::PolicyBuilder builder;
-  builder
-      // The most frequent syscall should go first in this
-      // sequence (to make it fast).
+  return sandbox2::PolicyBuilder()
      .AllowRead()
      .AllowWrite()
      .AllowExit()
@ -52,11 +49,9 @@ std::unique_ptr<sandbox2::Policy> GetPolicy() {
            // Not defined with every CPU architecture in prod.
            __NR_arch_prctl,
 #endif
-      });
-  if constexpr (sapi::sanitizers::IsAny()) {
-    builder.AllowMmap();
-  }
-  return builder.BuildOrDie();
+      })
+      .AllowLlvmSanitizers()  // Will be a no-op when not using sanitizers.
+      .BuildOrDie();
 }

 static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) {