From daa1c7a64e99c953091723ffd4a4a22796f8a1de Mon Sep 17 00:00:00 2001
From: Sandboxed API Team
Date: Thu, 30 Jan 2020 09:30:05 -0800
Subject: [PATCH] Allow sandboxee to read from /proc when sanitizers are allowed.
Sanitizers read from /proc. For example: https://github.com/llvm-mirror/compiler-rt/blob/69445f095c22aac2388f939bedebf224a6efcdaf/lib/sanitizer_common/sanitizer_linux.cpp#L1101
PiperOrigin-RevId: 292363903
Change-Id: Icc383ededcad363b4e96f5551f140f012b07b495
---
 sandboxed_api/sandbox2/policybuilder.cc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 5280637..c731e97 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -181,6 +181,9 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
 JEQ32(MADV_DONTDUMP, ALLOW),
 JEQ32(MADV_NOHUGEPAGE, ALLOW),
 });
+ // Sanitizers read from /proc. For example:
+ // https://github.com/llvm-mirror/compiler-rt/blob/69445f095c22aac2388f939bedebf224a6efcdaf/lib/sanitizer_common/sanitizer_linux.cpp#L1101
+ AddDirectory("/proc");
 #endif
 return *this;
 }
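Review bot: `AddDirectory("/proc");` makes the whole /proc tree visible to the sandboxee, which is a much wider grant than the comment justifies. The comment cites a single sanitizer read site, while /proc as a whole also carries per-process and kernel information that a compromised sandboxee could read. If the sanitizer runtime only needs a few entries, it would be tighter to map just those; that set is not visible here, so it would have to be confirmed against the runtime. Failing that, the comment should at least state the trade-off, for example `// NOTE: exposes all of /proc (read-only) to the sandboxee; acceptable only for sanitizer/test builds, not for production policies.` The call sits before an `#endif` whose opening condition, like the start of `AllowLlvmSanitizers()`, is outside the hunk, so I am assuming the grant applies only in sanitizer builds; that should be checked.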