Automated rollback of commit 9c2174446004e4f712cb566ade05721be6653ed0.

PiperOrigin-RevId: 559063479
Change-Id: I4ccf8d5717b8669921c5b580eb415975cd625eaf

sandboxed_api/embed_file.cc

@@ -29,6 +29,21 @@
 
 namespace sapi {
 
+namespace {
+
+bool SealFile(int fd) {
+  constexpr int kMaxRetries = 10;
+  for (int i = 0; i < kMaxRetries; ++i) {
+    if (fcntl(fd, F_ADD_SEALS,
+              F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) == 0) {
+      return true;
+    }
+  }
+  return false;
+}
+
+}  // namespace
+
 EmbedFile* EmbedFile::instance() {
   static auto* embed_file_instance = new EmbedFile();
   return embed_file_instance;
@@ -57,13 +72,11 @@ int EmbedFile::CreateFdForFileToc(const FileToc* toc) {
     return -1;
   }
 
-  // Ideally, we'd seal the file here using fcntl(). However, in rare cases,
+  // Seal the file
-  // adding the file seals F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW |
+  if (!SealFile(embed_fd.get())) {
-  // F_SEAL_WRITE results in EBUSY errors.
+    SAPI_RAW_PLOG(ERROR, "Couldn't apply file seals to FD=%d", embed_fd.get());
-  // This is likely because of an interaction of SEAL_WRITE with pending writes
+    return -1;
-  // to the mapped memory region (see memfd_wait_for_pins() in Linux'
+  }
-  // mm/memfd.c). Since fsync() is a no-op on memfds, it doesn't help to
-  // ameliorate the problem.
 
   // Instead of working around problems with CRIU we reopen the file as
   // read-only.

sandboxed_api/sandbox2/util.cc

@@ -249,8 +249,9 @@ bool CreateMemFd(int* fd, const char* name) {
   // Usually defined in linux/memfd.h. Define it here to avoid dependency on
   // UAPI headers.
   constexpr uintptr_t MFD_CLOEXEC = 0x0001;
+  constexpr uintptr_t MFD_ALLOW_SEALING = 0x0002;
   int tmp_fd = Syscall(__NR_memfd_create, reinterpret_cast<uintptr_t>(name),
-                       MFD_CLOEXEC);
+                       MFD_CLOEXEC | MFD_ALLOW_SEALING);
   if (tmp_fd < 0) {
     if (errno == ENOSYS) {
       SAPI_RAW_LOG(ERROR,