From 5f34d11e77da2f795269c3a71851ac300f362cf5 Mon Sep 17 00:00:00 2001
From: Wiktor Garbacz
Date: Fri, 4 Mar 2022 01:24:22 -0800
Subject: [PATCH] Add a helper for allowing epoll

PiperOrigin-RevId: 432387441
Change-Id: I52865ab4abd4ebaf9842859b5f2718b204f4c6ea
---
 sandboxed_api/sandbox2/policybuilder.cc | 13 +++++++++++++
 sandboxed_api/sandbox2/policybuilder.h | 10 ++++++++++
 2 files changed, 23 insertions(+)

diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 14fadc2..0a29714 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -113,6 +113,19 @@ PolicyBuilder& PolicyBuilder::OverridableBlockSyscallWithErrno(uint32_t num,
 return *this;
 }
 
+PolicyBuilder& PolicyBuilder::AllowEpoll() {
+ return AllowSyscalls({
+ __NR_epoll_create,
+ __NR_epoll_create1,
+ __NR_epoll_ctl,
+ __NR_epoll_wait,
+ __NR_epoll_pwait,
+#ifdef __NR_epoll_pwait2
+ __NR_epoll_pwait2,
+#endif
+ });
+}
+
 PolicyBuilder& PolicyBuilder::AllowExit() {
 return AllowSyscalls({__NR_exit, __NR_exit_group});
 }
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 345bada..eccff24 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -120,6 +120,16 @@ class PolicyBuilder final {
 // Appends code to block a specific syscall and setting errno.
 PolicyBuilder& BlockSyscallWithErrno(uint32_t num, int error);
 
+ // Appends code to allow using epoll.
+ // Allows these syscalls:
+ // - epoll_create
+ // - epoll_create1
+ // - epoll_ctl
+ // - epoll_wait
+ // - epoll_pwait
+ // - epoll_pwait2
+ PolicyBuilder& AllowEpoll();
+
 // Appends code to allow exiting.
 // Allows these syscalls:
 // - exit
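Review bot: `__NR_epoll_create` and `__NR_epoll_wait` in the new `AllowEpoll()` list are unguarded, while only `__NR_epoll_pwait2` gets an `#ifdef`. Architectures that use the generic syscall table (aarch64, for example) define only `epoll_create1`, `epoll_ctl` and `epoll_pwait`, so this file would stop compiling there. Guarding the two legacy numbers the same way keeps the helper portable and limits the allowlist to syscalls that exist on the target. Whether the project is built for such targets is not visible in this hunk.

```cpp
PolicyBuilder& PolicyBuilder::AllowEpoll() {
  return AllowSyscalls({
#ifdef __NR_epoll_create
      __NR_epoll_create,
#endif
      // … unchanged: __NR_epoll_create1, __NR_epoll_ctl …
#ifdef __NR_epoll_wait
      __NR_epoll_wait,
#endif
      // … unchanged: __NR_epoll_pwait and the guarded __NR_epoll_pwait2 …
  });
}
```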
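Review bot: The comment above `AllowEpoll()` lists `epoll_pwait2` unconditionally, but the implementation in policybuilder.cc adds it only when `__NR_epoll_pwait2` is defined at build time. Someone auditing a policy from the header would therefore read an allowlist that may not match the compiled filter. I would change that line to `//   - epoll_pwait2 (only if defined by the kernel headers at build time)`. The enclosing `class PolicyBuilder` starts and ends outside the hunk.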