Disable compress_stack_depot in sandbox

The feature is pure optimization, but it requires
additional syscalls.

PiperOrigin-RevId: 432954277
Change-Id: I1f345f8a26c86e09611fd575cb6ee080f24cc717

sandboxed_api/sandbox2/BUILD.bazel

@@ -286,6 +286,7 @@ cc_library(
         ":limits",
         ":namespace",
         ":util",
+        "//sandboxed_api:config",
         "//sandboxed_api/util:fileops",
         "@com_google_absl//absl/base:core_headers",
         "@com_google_absl//absl/memory",

sandboxed_api/sandbox2/CMakeLists.txt

@@ -284,6 +284,7 @@ target_link_libraries(sandbox2_executor
   PUBLIC absl::span
          absl::strings
          glog::glog
+         sapi::config
          sapi::fileops
          sandbox2::fork_client
          sandbox2::global_forkserver

sandboxed_api/sandbox2/executor.cc

@@ -23,9 +23,13 @@
 
 #include <climits>
 #include <cstddef>
+#include <string_view>
 
 #include "absl/memory/memory.h"
+#include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/fork_client.h"
 #include "sandboxed_api/sandbox2/forkserver.pb.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
@@ -37,6 +41,41 @@ namespace sandbox2 {
 
 namespace file_util = ::sapi::file_util;
 
+namespace {
+void DisableCompressStackDepot(ForkRequest& request) {
+  auto disable_compress_stack_depot = [&request](absl::string_view sanitizer) {
+    auto prefix = absl::StrCat(sanitizer, "_OPTIONS=");
+    auto it = std::find_if(request.mutable_envs()->begin(),
+                           request.mutable_envs()->end(),
+                           [&prefix](const std::string& env) {
+                             return absl::StartsWith(env, prefix);
+                           });
+    constexpr absl::string_view option = "compress_stack_depot=0";
+    if (it != request.mutable_envs()->end()) {
+      // If it's already there, the last value will be used.
+      absl::StrAppend(&*it, ":", option);
+      return;
+    }
+    request.add_envs(absl::StrCat(prefix, option));
+  };
+  if constexpr (sapi::sanitizers::IsASan()) {
+    disable_compress_stack_depot("ASAN");
+  }
+  if constexpr (sapi::sanitizers::IsMSan()) {
+    disable_compress_stack_depot("MSAN");
+  }
+  if constexpr (sapi::sanitizers::IsLSan()) {
+    disable_compress_stack_depot("LSAN");
+  }
+  if constexpr (sapi::sanitizers::IsHwASan()) {
+    disable_compress_stack_depot("HWSAN");
+  }
+  if constexpr (sapi::sanitizers::IsTSan()) {
+    disable_compress_stack_depot("TSAN");
+  }
+}
+}  // namespace
+
 std::vector<std::string> Executor::CopyEnviron() {
   return util::CharPtrArray(environ).ToStringVector();
 }
@@ -78,6 +117,11 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
                                   file_util::fileops::StripBasename(path_)));
   }
 
+  // Disable optimization to avoid related syscalls.
+  if constexpr (sapi::sanitizers::IsAny()) {
+    DisableCompressStackDepot(request);
+  }
+
   // If neither the path, nor exec_fd is specified, just assume that we need to
   // send a fork request.
   //