From 9d1d4b7fd38270e825bdc1cda80cbda51ed46d17 Mon Sep 17 00:00:00 2001 From: Wiktor Garbacz Date: Fri, 21 Jul 2023 02:24:03 -0700 Subject: [PATCH] Disallow AddPolicyForSyscalls with an empty list PiperOrigin-RevId: 549887306 Change-Id: I05a97b39a2c92ad5ab2002c7af7e83a8184392cf --- sandboxed_api/sandbox2/policybuilder.cc | 5 +++++ sandboxed_api/sandbox2/policybuilder_test.cc | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index bf6d4bf..8f6134c 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -1068,6 +1068,11 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnSyscall(uint32_t num, BpfFunc f) { PolicyBuilder& PolicyBuilder::AddPolicyOnSyscalls( absl::Span nums, absl::Span policy) { + if (nums.empty()) { + SetError(absl::InvalidArgumentError( + "Cannot add a policy for empty list of syscalls")); + return *this; + } std::deque out; // Insert and verify the policy. out.insert(out.end(), policy.begin(), policy.end()); diff --git a/sandboxed_api/sandbox2/policybuilder_test.cc b/sandboxed_api/sandbox2/policybuilder_test.cc index c328562..8fcd7e1 100644 --- a/sandboxed_api/sandbox2/policybuilder_test.cc +++ b/sandboxed_api/sandbox2/policybuilder_test.cc @@ -96,7 +96,6 @@ TEST(PolicyBuilderTest, Testpolicy_size) { assert_increased(); builder.AddPolicyOnSyscalls({ __NR_fchmod, __NR_chdir }, { ALLOW }); assert_increased(); - builder.AddPolicyOnSyscalls({ }, { ALLOW }); assert_increased(); // This might change in the future if we implement an optimization. builder.AddPolicyOnSyscall(__NR_umask, { ALLOW }); assert_increased();
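Review bot: The new `nums.empty()` guard in `PolicyBuilder::AddPolicyOnSyscalls` has no test coverage: the second hunk only deletes the `builder.AddPolicyOnSyscalls({ }, { ALLOW });` call from `Testpolicy_size`, so nothing pins that an empty syscall list is now rejected rather than silently accepted. In a seccomp policy builder that fail-closed behaviour is worth locking in with a negative test, for example `PolicyBuilder b; b.AddPolicyOnSyscalls({}, {ALLOW}); EXPECT_FALSE(b.TryBuild().ok());`. The guard only records the error through `SetError` and returns `*this`, so the failure presumably surfaces at the build step, which is outside this hunk and should be confirmed. A one-line comment above the guard, such as `// Reject an empty syscall list: the policy would have no syscall to apply to.`, would document the intent. The function body continues past the end of the hunk.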