Internal change

PiperOrigin-RevId: 374874118
Change-Id: Id669e3f099e058ada3effa62f9569daaf5b36f63

sandboxed_api/config.h

@@ -90,7 +90,7 @@ constexpr bool Is64Bit() { return sizeof(uintptr_t) == 8; }
 
 static_assert(host_cpu::Architecture() != cpu::kUnknown,
               "Host CPU architecture is not supported: One of x86-64, POWER64 "
-              "(little endian), Arm or AArch64 is required.");
+              "(little endian), ARM or AArch64 is required.");
 
 namespace sanitizers {
 

sandboxed_api/sandbox2/BUILD.bazel

@@ -161,6 +161,7 @@ cc_library(
         ":regs",
         ":syscall",
         ":violation_cc_proto",
+        "//sandboxed_api:config",
         "//sandboxed_api/sandbox2/network_proxy:filtering",
         "//sandboxed_api/sandbox2/util:bpf_helper",
         "//sandboxed_api/util:flags",

sandboxed_api/sandbox2/CMakeLists.txt

@@ -160,6 +160,7 @@ target_link_libraries(sandbox2_policy PRIVATE
   sandbox2::syscall
   sandbox2::violation_proto
   sapi::base
+  sapi::config
   sapi::flags
 )
 

sandboxed_api/sandbox2/monitor.h

@@ -55,8 +55,8 @@ class Monitor final {
   friend class Sandbox2;
 
   // Timeout used with sigtimedwait (0.5s).
-  static const int kWakeUpPeriodSec = 0L;
-  static const int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
+  static constexpr int kWakeUpPeriodSec = 0L;
+  static constexpr int kWakeUpPeriodNSec = (500L * 1000L * 1000L);
 
   // Starts the Monitor.
   void Run();

sandboxed_api/sandbox2/policy.cc

@@ -27,6 +27,7 @@
 
 #include <glog/logging.h>
 #include "sandboxed_api/util/flag.h"
+#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/bpfdisassembler.h"
 #include "sandboxed_api/sandbox2/comms.h"
 #include "sandboxed_api/sandbox2/regs.h"

sandboxed_api/sandbox2/policy.h

@@ -29,6 +29,7 @@
 
 #include "absl/base/macros.h"
 #include "absl/types/optional.h"
+#include "sandboxed_api/config.h"
 #include "sandboxed_api/sandbox2/namespace.h"
 #include "sandboxed_api/sandbox2/network_proxy/filtering.h"
 #include "sandboxed_api/sandbox2/syscall.h"
@@ -82,6 +83,12 @@ class Policy final {
     return capabilities_.get();
   }
 
+  // Returns the default policy, which blocks certain dangerous syscalls and
+  // mismatched syscall tables.
+  std::vector<sock_filter> GetDefaultPolicy() const;
+  // Returns a policy allowing the Monitor module to track all syscalls.
+  std::vector<sock_filter> GetTrackingPolicy() const;
+
   // The Namespace object, defines ways of putting sandboxee into namespaces.
   std::unique_ptr<Namespace> namespace_;
 
@@ -102,12 +109,6 @@ class Policy final {
   std::vector<sock_filter> user_policy_;
   bool user_policy_handles_bpf_ = false;
 
-  // Get the default policy, which blocks certain dangerous syscalls and
-  // mismatched syscall tables.
-  std::vector<sock_filter> GetDefaultPolicy() const;
-  // Get a policy which would allow the Monitor module to track all syscalls.
-  std::vector<sock_filter> GetTrackingPolicy() const;
-
   // Contains a list of hosts the sandboxee is allowed to connect to.
   absl::optional<AllowedHosts> allowed_hosts_;
 };

sandboxed_api/sandbox2/policybuilder.h

@@ -334,10 +334,6 @@ class PolicyBuilder final {
   // - clock_gettime
   // - gettid
   // - close
-  //
-  // If you don't use namespaces you should also add this to your policy:
-  // - policy->GetFs()->EnableSyscall(__NR_open);
-  // - policy->GetFs()->AddRegexpToGreyList("/usr/share/zoneinfo/.*");
   PolicyBuilder& AllowLogForwarding();
 
   // Enables the syscalls necessary to start a statically linked binary