From 753eacd3142127c8bd493bc0e81242c4d3cd2f33 Mon Sep 17 00:00:00 2001
From: Martijn Vels
Date: Tue, 9 Mar 2021 04:33:01 -0800
Subject: [PATCH] Reduce requirements for restartable sequences
PiperOrigin-RevId: 361780465
Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
---
sandboxed_api/sandbox2/policybuilder.cc | 22 +++++++---------------
sandboxed_api/sandbox2/policybuilder.h | 4 ----
2 files changed, 7 insertions(+), 19 deletions(-)
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index fc37685..1aa69fd 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -127,13 +127,10 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
AllowTime();
+ AllowRestartableSequences();
AllowSyscalls(
{__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
- AllowFutexOp(FUTEX_WAKE);
AllowLimitedMadvise();
-#ifdef __NR_rseq
- AllowSyscall(__NR_rseq);
-#endif
AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2),
@@ -436,7 +433,6 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
};
});
- AddFile("/proc/self/cpuset");
#ifdef __NR_rseq
AllowSyscall(__NR_rseq);
#endif
@@ -446,8 +442,7 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW),
});
- return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
- __NR_sched_setaffinity});
+ return AllowSyscalls({__NR_membarrier, __NR_getcpu});
}
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
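Review bot: Calling AllowRestartableSequences() from AllowTcMalloc() widens this policy beyond the futex(WAKE) and rseq entries it replaces — per the header's list in this same patch the helper also grants futex(WAIT), getcpu, the SIG_SETMASK signal-mask rule and an anonymous private mmap pattern — and the hunk leaves `__NR_membarrier` in the AllowSyscalls list even though the helper already allows it. If tcmalloc genuinely needs the extra syscalls that is fine, but the doc comment on AllowTcMalloc() (in the header, outside this hunk) should say that it includes the restartable-sequence allowances, and the duplicate can go: `AllowSyscalls({__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore});`. AllowTcMalloc's body continues past the end of the hunk.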
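Review bot: Dropping `AddFile("/proc/self/cpuset")` changes what the sandboxee can see, not just what the seccomp policy permits: any sandboxee code that still reads that path will now fail (how it fails depends on the rest of the policy), and, going by the header text this patch removes, this helper no longer implicitly enables namespaces, which callers may have relied on for the mount. A short comment at the removal site would record the intent, e.g. `// Nothing is mounted here; sandboxees that need /proc/self/cpuset must mount /proc themselves.` AllowRestartableSequences() starts before and ends after this hunk.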
@@ -810,14 +805,11 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
auto fixed_outside = std::move(fixed_outside_or).value();
if (absl::StartsWith(fixed_outside, "/proc/self")) {
- // exception: /proc/self/cpuset
- if (outside != "/proc/self/cpuset") {
- SetError(absl::InvalidArgumentError(
- absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
- "whole /proc instead. You tried to mount ",
- outside)));
- return *this;
- }
+ SetError(absl::InvalidArgumentError(
+ absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
+ "whole /proc instead. You tried to mount ",
+ outside)));
+ return *this;
}
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 44bce4b..c595614 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -118,12 +118,8 @@ class PolicyBuilder final {
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
// - getcpu,
// - membarrier
- // - sched_getaffinity
- // - sched_setaffinity
// - futex(WAIT) and futex(WAKE)
// - sigmask(SET_MASK)
- // Allows these files (which will enable namespaces):
- // - "/proc/self/cpuset"
PolicyBuilder& AllowRestartableSequences();
// Appends code to allow the scudo version of malloc, free and
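Review bot: The now-unconditional rejection in AddFileAt still keys on `absl::StartsWith(fixed_outside, "/proc/self")`, so the hazard the error message points at — presumably that a per-process path resolves to the sandboxer rather than the sandboxee when it is bound at setup time — is not caught for `/proc/thread-self/...` or an explicit `/proc/<pid>/...`, while the bare prefix also over-matches any sibling entry that merely begins with `self`. A component-aware check would be tighter: `if (fixed_outside == "/proc/self" || absl::StartsWith(fixed_outside, "/proc/self/") || fixed_outside == "/proc/thread-self" || absl::StartsWith(fixed_outside, "/proc/thread-self/")) {`. Note also that the removed code compared the raw `outside`, which suggests `fixed_outside` may differ from it; if the fixing step above the hunk canonicalises symlinks, the check on `fixed_outside` alone may never fire and should look at `outside` too. AddFileAt starts before and ends after this hunk.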
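Review bot: The updated allowance list for AllowRestartableSequences() still names the signal-mask entry `sigmask(SET_MASK)`, which is neither a syscall name nor the constant the .cc rule checks (`JEQ32(SIG_SETMASK, ALLOW)`), and unless it is listed above the hunk it omits `rseq` itself, which the .cc allows under `#ifdef __NR_rseq`. Suggested lines: `// - rt_sigprocmask(SIG_SETMASK)` (assuming that is the syscall the rule is attached to; its name is outside the hunk) and `// - rseq (when the kernel headers define __NR_rseq)`. With the "Allows these files" lines gone, it is also worth stating that the call no longer mounts anything or enables namespaces, so callers that depended on that side effect know to do it themselves.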