From 2c4265433332b9d0b6a8453b6aa5e03ffe3d8b0c Mon Sep 17 00:00:00 2001
From: Christian Blichmann
Date: Mon, 11 Oct 2021 07:50:01 -0700
Subject: [PATCH] Improve examples

- CRC4: More readable policy, added explanatory comment
- Use `AllowLlvmSaniters()` in policies

PiperOrigin-RevId: 402296504
Change-Id: I6853199abedf2441eaffff9186d4d354c142e485
---
 .../sandbox2/examples/crc4/crc4sandbox.cc | 28 +++++++++++--------
 .../custom_fork/custom_fork_sandbox.cc | 13 +++------
 2 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
index e20419e..3e862ac 100644
--- a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox.cc
@@ -50,23 +50,27 @@ ABSL_FLAG(bool, call_syscall_not_allowed, false,
 namespace {
 std::unique_ptr GetPolicy() {
- sandbox2::PolicyBuilder builder;
- builder.DisableNamespaces().AllowExit().AddPolicyOnSyscalls(
- {__NR_read, __NR_write, __NR_close},
- {
- ARG_32(0),
- JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW),
- });
- if constexpr (sapi::sanitizers::IsAny()) {
- builder.AllowSyscall(__NR_mmap);
- }
- return builder.BuildOrDie();
+ return sandbox2::PolicyBuilder()
+ .DisableNamespaces() // Safe, as we only allow I/O on existing FDs.
+ .AllowExit()
+ .AddPolicyOnSyscalls(
+ {
+ __NR_read,
+ __NR_write,
+ __NR_close,
+ },
+ {
+ ARG_32(0),
+ JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW),
+ })
+ .AllowLlvmSanitizers() // Will be a no-op when not using sanitizers.
+ .BuildOrDie();
 }
 bool SandboxedCRC4(sandbox2::Comms* comms, uint32_t* crc4) {
 const std::string input = absl::GetFlag(FLAGS_input);
- const uint8_t* buf = reinterpret_cast(input.data());
+ auto* buf = reinterpret_cast(input.data());
 size_t buf_size = input.size();
 if (!comms->SendBytes(buf, buf_size)) {
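Review bot: The comment added on `.DisableNamespaces()` states a safety conclusion without naming what it rests on: once namespace isolation is dropped, the `ARG_32(0)` / `JEQ32(sandbox2::Comms::kSandbox2ClientCommsFD, ALLOW)` filter a few lines below is the only thing confining read/write/close to the comms FD, and the comment should say so, e.g. `// Safe only because read/write/close below are pinned to the comms FD; revisit if more syscalls are allowed.` The same hunk replaces the explicit `builder.AllowSyscall(__NR_mmap)` with `.AllowLlvmSanitizers()`; if that helper admits more than mmap in sanitizer builds, the policy widens silently there, which the trailing comment could state rather than only "no-op when not using sanitizers" (the second hunk of custom_fork_sandbox.cc makes the same substitution for `builder.AllowMmap()`). `size_t buf_size = input.size();` could be `const`, matching the `const std::string input` line above it. SandboxedCRC4's body continues past the end of the hunk.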
diff --git a/sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc b/sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc
index 28ab276..5bec656 100644
--- a/sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc
+++ b/sandboxed_api/sandbox2/examples/custom_fork/custom_fork_sandbox.cc
@@ -38,10 +38,7 @@
 #include "sandboxed_api/util/runfiles.h"
 std::unique_ptr GetPolicy() {
- sandbox2::PolicyBuilder builder;
- builder
- // The most frequent syscall should go first in this
- // sequence (to make it fast).
+ return sandbox2::PolicyBuilder()
 .AllowRead()
 .AllowWrite()
 .AllowExit()
@@ -52,11 +49,9 @@ std::unique_ptr GetPolicy() {
 // Not defined with every CPU architecture in prod.
 __NR_arch_prctl,
 #endif
- });
- if constexpr (sapi::sanitizers::IsAny()) {
- builder.AllowMmap();
- }
- return builder.BuildOrDie();
+ })
+ .AllowLlvmSanitizers() // Will be a no-op when not using sanitizers.
+ .BuildOrDie();
 }
 static int SandboxIteration(sandbox2::ForkClient* fork_client, int32_t i) {
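Review bot: The first hunk removes the only explanation of why `.AllowRead()` and `.AllowWrite()` lead the chain ("The most frequent syscall should go first in this sequence (to make it fast)") while keeping exactly that order, so the ordering now reads as arbitrary to the next editor. Keep the rationale on the new chain, e.g. `return sandbox2::PolicyBuilder()  // Most frequent syscalls first, to keep the policy fast.` This is a documentation point only: apart from dropping the local `builder`, the allow chain visible in the hunk is unchanged. GetPolicy's body continues past the end of this hunk into the next one.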