From a2daa0a275a3d6ca6edc676d10a99c9a247f5a9e Mon Sep 17 00:00:00 2001
From: Wiktor Garbacz <wiktorg@google.com>
Date: Mon, 21 Feb 2022 00:46:16 -0800
Subject: [PATCH] Fix BlockSyscallsWithErrno

PiperOrigin-RevId: 429982218
Change-Id: I42b187e678542b295542ca44882945c7695178e1
---
 sandboxed_api/sandbox2/buffer_test.cc   | 5 +----
 sandboxed_api/sandbox2/policybuilder.cc | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/sandboxed_api/sandbox2/buffer_test.cc b/sandboxed_api/sandbox2/buffer_test.cc
index 8ed8b4f..3039359 100644
--- a/sandboxed_api/sandbox2/buffer_test.cc
+++ b/sandboxed_api/sandbox2/buffer_test.cc
@@ -75,6 +75,7 @@ std::unique_ptr<Policy> BufferTestcasePolicy() {
                  .AllowWrite()
                  .AllowMmap()
                  .AllowStat()
+                 .AllowOpen()
                  .AllowSyscalls({
                      __NR_dup,
                      __NR_futex,
@@ -88,10 +89,6 @@ std::unique_ptr<Policy> BufferTestcasePolicy() {
                  })
                  .BlockSyscallsWithErrno(
                      {
-#ifdef __NR_open
-                         __NR_open,
-#endif
-                         __NR_openat,
 #ifdef __NR_access
                          // On Debian, even static binaries check existence of
                          // /etc/ld.so.nohwcap.
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 0dc34b7..bfe2310 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -91,7 +91,7 @@ PolicyBuilder& PolicyBuilder::AllowSyscalls(absl::Span<const uint32_t> nums) {
 PolicyBuilder& PolicyBuilder::BlockSyscallsWithErrno(
     absl::Span<const uint32_t> nums, int error) {
   for (auto num : nums) {
-    AllowSyscall(num);
+    BlockSyscallWithErrno(num, error);
   }
   return *this;
 }