Change the default action instead of appending ALLOW

Also create a visibility restricted version of the function.

PiperOrigin-RevId: 513209752
Change-Id: I031fe62d5ccd81995536479b9af890ad111e336c

sandboxed_api/sandbox2/BUILD.bazel

@@ -24,6 +24,24 @@ package(
 
 licenses(["notice"])
 
+cc_library(
+    name = "allow_all_syscalls",
+    hdrs = ["allow_all_syscalls.h"],
+    copts = sapi_platform_copts(),
+    visibility = [
+        "//sandboxed_api/sandbox2:__pkg__",
+        "//sandboxed_api/sandbox2/examples/tool:__pkg__",
+    ],
+)
+
+cc_library(
+    name = "testonly_allow_all_syscalls",
+    testonly = True,
+    hdrs = ["allow_all_syscalls.h"],
+    copts = sapi_platform_copts(),
+    visibility = ["//visibility:public"],
+)
+
 cc_library(
     name = "bpfdisassembler",
     srcs = ["bpfdisassembler.cc"],
@@ -472,6 +490,7 @@ cc_library(
     hdrs = ["policybuilder.h"],
     copts = sapi_platform_copts(),
     deps = [
+        ":allow_all_syscalls",
         ":mounts",
         ":namespace",
         ":policy",
@@ -652,6 +671,7 @@ cc_test(
         ":comms",
         ":namespace",
         ":sandbox2",
+        ":testonly_allow_all_syscalls",
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:fileops",
@@ -822,6 +842,7 @@ cc_test(
     deps = [
         ":limits",
         ":sandbox2",
+        ":testonly_allow_all_syscalls",
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:status_matchers",
@@ -890,6 +911,7 @@ cc_test(
     ],
     deps = [
         ":sandbox2",
+        ":testonly_allow_all_syscalls",
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:status_matchers",
@@ -911,6 +933,7 @@ cc_test(
         ":comms",
         ":sandbox2",
         ":sanitizer",
+        ":testonly_allow_all_syscalls",
         ":util",
         "//sandboxed_api:testing",
         "//sandboxed_api/util:status_matchers",
@@ -945,6 +968,7 @@ cc_test(
         ":regs",
         ":sandbox2",
         ":stack_trace",
+        ":testonly_allow_all_syscalls",
         "//sandboxed_api:testing",
         "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:fileops",
@@ -968,6 +992,7 @@ cc_test(
     deps = [
         ":comms",
         ":sandbox2",
+        ":testonly_allow_all_syscalls",
         "//sandboxed_api:testing",
         "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:status_matchers",
@@ -1002,6 +1027,7 @@ cc_test(
         ":comms",
         ":policybuilder",
         ":sandbox2",
+        ":testonly_allow_all_syscalls",
         "//sandboxed_api:config",
         "//sandboxed_api:testing",
         "//sandboxed_api/sandbox2/util:bpf_helper",

sandboxed_api/sandbox2/CMakeLists.txt

@@ -17,6 +17,15 @@ add_subdirectory(unwind)
 add_subdirectory(util)
 add_subdirectory(network_proxy)
 
+# sandboxed_api/sandbox2:allow_all_syscalls
+add_library(sandbox2_allow_all_syscalls ${SAPI_LIB_TYPE}
+  allow_all_syscalls.h
+)
+add_library(sandbox2::allow_all_syscalls ALIAS sandbox2_allow_all_syscalls)
+target_link_libraries(sandbox2_allow_all_syscalls PRIVATE
+  sapi::base
+)
+
 # sandboxed_api/sandbox2:bpfdisassembler
 add_library(sandbox2_bpfdisassembler ${SAPI_LIB_TYPE}
   bpfdisassembler.cc
@@ -796,6 +805,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   )
   target_link_libraries(sandbox2_namespace_test PRIVATE
     absl::strings
+    sandbox2::allow_all_syscalls
     sandbox2::comms
     sapi::config
     sapi::fileops
@@ -905,6 +915,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     sandbox2::testcase_minimal
   )
   target_link_libraries(sandbox2_limits_test PRIVATE
+    sandbox2::allow_all_syscalls
     sandbox2::bpf_helper
     sapi::config
     sandbox2::limits
@@ -987,6 +998,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   )
   target_link_libraries(sandbox2_sandbox2_test PRIVATE
     absl::strings
+    sandbox2::allow_all_syscalls
     sapi::config
     sandbox2::sandbox2
     sapi::testing
@@ -1011,6 +1023,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   )
   target_link_libraries(sandbox2_sanitizer_test PRIVATE
     absl::strings
+    sandbox2::allow_all_syscalls
     sandbox2::bpf_helper
     sandbox2::client
     sandbox2::comms
@@ -1054,6 +1067,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     absl::flags
     absl::status
     absl::strings
+    sandbox2::allow_all_syscalls
     sandbox2::bpf_helper
     sandbox2::global_forkserver
     sandbox2::namespace
@@ -1082,6 +1096,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
     sandbox2::testcase_ipc
   )
   target_link_libraries(sandbox2_ipc_test PRIVATE
+    sandbox2::allow_all_syscalls
     sandbox2::bpf_helper
     sandbox2::comms
     sandbox2::ipc
@@ -1104,6 +1119,7 @@ if(BUILD_TESTING AND SAPI_BUILD_TESTING)
   )
   target_link_libraries(sandbox2_policybuilder_test
     PRIVATE absl::strings
+            sandbox2::allow_all_syscalls
             sandbox2::bpf_helper
             sandbox2::comms
             sandbox2::policybuilder

sandboxed_api/sandbox2/allow_all_syscalls.h

@@ -0,0 +1,27 @@
+// Copyright 2013 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
+#define SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_
+
+namespace sandbox2 {
+
+class AllowAllSyscalls {
+ public:
+  explicit AllowAllSyscalls() = default;
+};
+
+}  // namespace sandbox2
+
+#endif  // SANDBOXED_API_SANDBOX2_ALLOW_ALL_SYSCALLS_H_

sandboxed_api/sandbox2/examples/tool/BUILD.bazel

@@ -31,6 +31,7 @@ cc_binary(
     copts = sapi_platform_copts(),
     deps = [
         "//sandboxed_api/sandbox2",
+        "//sandboxed_api/sandbox2:allow_all_syscalls",
         "//sandboxed_api/sandbox2:util",
         "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:fileops",

sandboxed_api/sandbox2/examples/tool/CMakeLists.txt

@@ -27,6 +27,7 @@ target_link_libraries(sandbox2_sandbox2tool PRIVATE
   absl::log_initialize
   absl::strings
   absl::time
+  sandbox2::allow_all_syscalls
   sandbox2::bpf_helper
   sandbox2::sandbox2
   sandbox2::util

sandboxed_api/sandbox2/examples/tool/sandbox2tool.cc

@@ -43,6 +43,7 @@
 #include "absl/strings/str_format.h"
 #include "absl/strings/str_split.h"
 #include "absl/time/time.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/ipc.h"
 #include "sandboxed_api/sandbox2/limits.h"
@@ -162,7 +163,7 @@ int main(int argc, char* argv[]) {
 
   sandbox2::PolicyBuilder builder;
   builder.AddPolicyOnSyscall(__NR_tee, {KILL});
-  builder.DangerDefaultAllowAll();
+  builder.DefaultAction(sandbox2::AllowAllSyscalls());
 
   if (absl::GetFlag(FLAGS_sandbox2tool_need_networking)) {
     builder.AllowUnrestrictedNetworking();

sandboxed_api/sandbox2/ipc_test.cc

@@ -19,6 +19,7 @@
 
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -52,7 +53,7 @@ TEST_P(IPCTest, MapFDByNamePreExecve) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));
@@ -89,7 +90,7 @@ TEST_P(IPCTest, MapFDByNamePostExecve) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));
@@ -121,7 +122,7 @@ TEST(IPCTest, NoMappedFDsPreExecve) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));

sandboxed_api/sandbox2/limits_test.cc

@@ -23,6 +23,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
@@ -45,7 +46,7 @@ TEST(LimitsTest, RLimitASMmapUnderLimit) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             sandbox2::PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
@@ -63,7 +64,7 @@ TEST(LimitsTest, RLimitASMmapAboveLimit) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             sandbox2::PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
@@ -81,7 +82,7 @@ TEST(LimitsTest, RLimitASAllocaSmallUnderLimit) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             sandbox2::PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
@@ -99,7 +100,7 @@ TEST(LimitsTest, RLimitASAllocaBigUnderLimit) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             sandbox2::PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();
@@ -117,7 +118,7 @@ TEST(LimitsTest, RLimitASAllocaBigAboveLimit) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             sandbox2::PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
   sandbox2::Sandbox2 s2(std::move(executor), std::move(policy));
   auto result = s2.Run();

sandboxed_api/sandbox2/namespace_test.cc

@@ -29,6 +29,7 @@
 #include "absl/strings/numbers.h"
 #include "absl/strings/str_cat.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -73,7 +74,7 @@ TEST(NamespaceTest, FileNamespaceWorks) {
   int reason_code = RunSandboxeeWithArgsAndPolicy(
       path, {path, "0", "/binary_path", "/etc/passwd"},
       PolicyBuilder()
-          .DangerDefaultAllowAll()  // Do not restrict syscalls
+          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
           .AddFileAt(path, "/binary_path")
           .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(2));
@@ -90,7 +91,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
     int reason_code = RunSandboxeeWithArgsAndPolicy(
         path, {path, "0", "/temp_file"},
         PolicyBuilder()
-            .DangerDefaultAllowAll()  // Do not restrict syscalls
+            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
             .AddFileAt(name, "/temp_file")
             .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
@@ -100,7 +101,7 @@ TEST(NamespaceTest, ReadOnlyIsRespected) {
     int reason_code = RunSandboxeeWithArgsAndPolicy(
         path, {path, "1", "/temp_file"},
         PolicyBuilder()
-            .DangerDefaultAllowAll()  // Do not restrict syscalls
+            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
             .AddFileAt(name, "/temp_file")
             .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(1));
@@ -115,7 +116,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
     int reason_code = RunSandboxeeWithArgsAndPolicy(
         path, {path, "2"},
         PolicyBuilder()
-            .DangerDefaultAllowAll()  // Do not restrict syscalls
+            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
             .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
   }
@@ -126,7 +127,7 @@ TEST(NamespaceTest, UserNamespaceWorks) {
         path, {path, "2"},
         PolicyBuilder()
             .DisableNamespaces()
-            .DangerDefaultAllowAll()  // Do not restrict syscalls
+            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
             .BuildOrDie());
     EXPECT_THAT(reason_code, Ne(0));
   }
@@ -140,7 +141,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
     int reason_code = RunSandboxeeWithArgsAndPolicy(
         path, {path, "3", "1000", "1000"},
         PolicyBuilder()
-            .DangerDefaultAllowAll()  // Do not restrict syscalls
+            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
             .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
   }
@@ -151,7 +152,7 @@ TEST(NamespaceTest, UserNamespaceIDMapWritten) {
         path, {path, "3", absl::StrCat(getuid()), absl::StrCat(getgid())},
         PolicyBuilder()
             .DisableNamespaces()
-            .DangerDefaultAllowAll()  // Do not restrict syscalls
+            .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
             .BuildOrDie());
     EXPECT_THAT(reason_code, Eq(0));
   }
@@ -164,7 +165,7 @@ TEST(NamespaceTest, RootReadOnly) {
   int reason_code = RunSandboxeeWithArgsAndPolicy(
       path, {path, "4", "/tmp/testfile", "/testfile"},
       PolicyBuilder()
-          .DangerDefaultAllowAll()  // Do not restrict syscalls
+          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
           .AddTmpfs("/tmp", /*size=*/4ULL << 20 /* 4 MiB */)
           .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(2));
@@ -176,7 +177,7 @@ TEST(NamespaceTest, RootWritable) {
   int reason_code = RunSandboxeeWithArgsAndPolicy(
       path, {path, "4", "/testfile"},
       PolicyBuilder()
-          .DangerDefaultAllowAll()  // Do not restrict syscalls
+          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
           .SetRootWritable()
           .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(0));
@@ -188,7 +189,7 @@ TEST(HostnameTest, None) {
       path, {path, "sandbox2"},
       PolicyBuilder()
           .DisableNamespaces()
-          .DangerDefaultAllowAll()  // Do not restrict syscalls
+          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
           .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(1));
 }
@@ -198,7 +199,7 @@ TEST(HostnameTest, Default) {
   int reason_code = RunSandboxeeWithArgsAndPolicy(
       path, {path, "sandbox2"},
       PolicyBuilder()
-          .DangerDefaultAllowAll()  // Do not restrict syscalls
+          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
           .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(0));
 }
@@ -208,7 +209,7 @@ TEST(HostnameTest, Configured) {
   int reason_code = RunSandboxeeWithArgsAndPolicy(
       path, {path, "configured"},
       PolicyBuilder()
-          .DangerDefaultAllowAll()  // Do not restrict syscalls
+          .DefaultAction(AllowAllSyscalls())  // Do not restrict syscalls
           .SetHostname("configured")
           .BuildOrDie());
   EXPECT_THAT(reason_code, Eq(0));

sandboxed_api/sandbox2/policybuilder.cc

@@ -44,6 +44,7 @@
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/namespace.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
@@ -1112,7 +1113,12 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
 }
 
 PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
-  user_policy_.push_back(ALLOW);
+  default_action_ = ALLOW;
+  return *this;
+}
+
+PolicyBuilder& PolicyBuilder::DefaultAction(AllowAllSyscalls) {
+  default_action_ = ALLOW;
   return *this;
 }
 
@@ -1185,6 +1191,9 @@ absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
   output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
   output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
   output->user_policy_ = std::move(user_policy_);
+  if (default_action_) {
+    output->user_policy_.push_back(*default_action_);
+  }
   output->user_policy_.insert(output->user_policy_.end(),
                               overridable_policy_.begin(),
                               overridable_policy_.end());

sandboxed_api/sandbox2/policybuilder.h

@@ -40,6 +40,8 @@ struct bpf_labels;
 
 namespace sandbox2 {
 
+class AllowAllSyscalls;
+
 // PolicyBuilder is a helper class to simplify creation of policies. The builder
 // uses fluent interface for convenience and increased readability of policies.
 //
@@ -666,10 +668,13 @@ class PolicyBuilder final {
   // Enables/disables stack trace collection on normal process exit.
   PolicyBuilder& CollectStacktracesOnExit(bool enable);
 
-  // Appends an unconditional ALLOW action for all syscalls.
+  // Changes the default action to ALLOW.
+  // All syscalls not handled explicitly by the policy will thus be allowed.
   // Do not use in environment with untrusted code and/or data, ask
   // sandbox-team@ first if unsure.
+  ABSL_DEPRECATED("Use DefaultAction(sandbox2::AllowAllSyscalls()) instead")
   PolicyBuilder& DangerDefaultAllowAll();
+  PolicyBuilder& DefaultAction(AllowAllSyscalls);
 
   // Allows syscalls that are necessary for the NetworkProxyClient
   PolicyBuilder& AddNetworkProxyPolicy();
@@ -739,6 +744,7 @@ class PolicyBuilder final {
   // Seccomp fields
   std::vector<sock_filter> user_policy_;
   std::vector<sock_filter> overridable_policy_;
+  std::optional<sock_filter> default_action_;
   bool user_policy_handles_bpf_ = false;
   bool user_policy_handles_ptrace_ = false;
   absl::flat_hash_set<uint32_t> handled_syscalls_;

sandboxed_api/sandbox2/policybuilder_test.cc

@@ -30,6 +30,7 @@
 #include "absl/strings/str_cat.h"
 #include "absl/strings/str_split.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/ipc.h"
@@ -109,8 +110,6 @@ TEST_F(PolicyBuilderTest, Testpolicy_size) {
   builder.AllowTCGETS(); assert_increased();
   builder.AllowTCGETS(); assert_increased();
 
-  builder.DangerDefaultAllowAll(); assert_increased();
-  builder.DangerDefaultAllowAll(); assert_increased();
   builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
   builder.AddPolicyOnSyscall(__NR_fchmod, { ALLOW }); assert_increased();
 
@@ -160,7 +159,7 @@ std::string PolicyBuilderTest::Run(const std::vector<std::string>& args,
                                    bool network) {
   PolicyBuilder builder;
   // Don't restrict the syscalls at all.
-  builder.DangerDefaultAllowAll();
+  builder.DefaultAction(AllowAllSyscalls());
 
   if constexpr (sapi::host_os::IsAndroid()) {
     builder.DisableNamespaces();
@@ -206,14 +205,15 @@ TEST_F(PolicyBuilderTest, TestCanOnlyBuildOnce) {
 
 TEST_F(PolicyBuilderTest, TestIsCopyable) {
   PolicyBuilder builder;
-  builder.DangerDefaultAllowAll();
+  builder.AllowSyscall(__NR_getpid);
 
   PolicyBuilder copy = builder;
-  ASSERT_EQ(PolicyBuilderPeer(&copy).policy_size(), 1);
+  ASSERT_EQ(PolicyBuilderPeer(&copy).policy_size(),
+            PolicyBuilderPeer(&builder).policy_size());
 
-  // Building both does not crash.
+  // Both can be built.
-  builder.BuildOrDie();
+  EXPECT_THAT(builder.TryBuild(), IsOk());
-  copy.BuildOrDie();
+  EXPECT_THAT(copy.TryBuild(), IsOk());
 }
 
 TEST_F(PolicyBuilderTest, TestEcho) {

sandboxed_api/sandbox2/sandbox2_test.cc

@@ -27,6 +27,7 @@
 #include "gtest/gtest.h"
 #include "absl/strings/str_cat.h"
 #include "sandboxed_api/config.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
@@ -40,7 +41,7 @@ namespace {
 PolicyBuilder CreateDefaultPolicyBuilder(absl::string_view path) {
   PolicyBuilder builder;
   // Don't restrict the syscalls at all.
-  builder.DangerDefaultAllowAll();
+  builder.DefaultAction(AllowAllSyscalls());
   if constexpr (sapi::sanitizers::IsAny()) {
     builder.AddLibrariesForBinary(path);
   }

sandboxed_api/sandbox2/sanitizer_test.cc

@@ -29,6 +29,7 @@
 #include "absl/container/flat_hash_set.h"
 #include "absl/log/log.h"
 #include "absl/strings/str_cat.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -119,7 +120,7 @@ TEST(SanitizerTest, TestSandboxedBinary) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .TryBuild());
 
   Sandbox2 s2(std::move(executor), std::move(policy));

sandboxed_api/sandbox2/stack_trace_test.cc

@@ -30,6 +30,7 @@
 #include "absl/flags/reflection.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
+#include "sandboxed_api/sandbox2/allow_all_syscalls.h"
 #include "sandboxed_api/sandbox2/executor.h"
 #include "sandboxed_api/sandbox2/global_forkclient.h"
 #include "sandboxed_api/sandbox2/policy.h"
@@ -74,7 +75,7 @@ void SymbolizationWorksCommon(
 
   auto policybuilder = PolicyBuilder()
                            // Don't restrict the syscalls at all.
-                           .DangerDefaultAllowAll()
+                           .DefaultAction(AllowAllSyscalls())
                            .AddFile(path)
                            .AddLibrariesForBinary(path)
                            .AddFileAt(temp_filename, "/proc/cpuinfo");
@@ -186,7 +187,7 @@ TEST(StackTraceTest, SymbolizationTrustedFilesOnly) {
   SAPI_ASSERT_OK_AND_ASSIGN(auto policy,
                             PolicyBuilder()
                                 // Don't restrict the syscalls at all.
-                                .DangerDefaultAllowAll()
+                                .DefaultAction(AllowAllSyscalls())
                                 .AddFile(path)
                                 .AddLibrariesForBinary(path)
                                 .TryBuild());