Allow prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...) with tcmalloc

PiperOrigin-RevId: 540905937
Change-Id: I9275b193ff42b4741925c3cf825841ca9a4071db

sandboxed_api/sandbox2/policybuilder.cc

@@ -241,6 +241,7 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
   AllowSyscalls(
       {__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
   AllowLimitedMadvise();
+  AllowPrctlSetVma();
 
   AddPolicyOnSyscall(__NR_mprotect, {
                                         ARG_32(2),
@@ -866,6 +867,20 @@ PolicyBuilder& PolicyBuilder::AllowPrctlSetName() {
   return *this;
 }
 
+PolicyBuilder& PolicyBuilder::AllowPrctlSetVma() {
+  AddPolicyOnSyscall(__NR_prctl,
+                     [](bpf_labels& labels) -> std::vector<sock_filter> {
+                       return {
+                           ARG_32(0),
+                           JNE32(PR_SET_VMA, JUMP(&labels, prctlsetvma_end)),
+                           ARG_32(1),
+                           JEQ32(PR_SET_VMA_ANON_NAME, ALLOW),
+                           LABEL(&labels, prctlsetvma_end),
+                       };
+                     });
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowFutexOp(int op) {
   return AddPolicyOnSyscall(
       __NR_futex, {

sandboxed_api/sandbox2/policybuilder.h

@@ -512,6 +512,11 @@ class PolicyBuilder final {
   // - prctl(PR_SET_NAME, ...)
   PolicyBuilder& AllowPrctlSetName();
 
+  // Appends code to allow setting a name for an anonymous memory region.
+  // Allows the following
+  // - prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ...)
+  PolicyBuilder& AllowPrctlSetVma();
+
   // Enables the syscalls necessary to start a statically linked binary
   //
   // NOTE: This will call BlockSyscallWithErrno(__NR_readlink, ENOENT). If you