Update clients of PolicyBuilder to support architectures other than x86_64.

PiperOrigin-RevId: 500181306 Change-Id: Ibf3e5e3ac6214394f2d9ab10cf30de6d8396988d
2024-03-22 13:11:30 +08:00 · 2023-01-06 08:24:34 -08:00 · 2023-01-06 08:24:34 -08:00 · f086c39f42
commit f086c39f42
parent 1871b173c4
7 changed files with 83 additions and 93 deletions
--- a/oss-internship-2020/curl/sandbox.h
+++ b/oss-internship-2020/curl/sandbox.h
@ -43,26 +43,24 @@ class CurlSapiSandbox : public curl::CurlSandbox {
        .AllowSafeFcntl()
        .AllowWrite()
        .AllowAccess()
-        .AllowSyscalls({
-            __NR_accept,
-            __NR_bind,
-            __NR_connect,
-            __NR_getpeername,
-            __NR_getsockname,
-            __NR_getsockopt,
-            __NR_ioctl,
-            __NR_listen,
-            __NR_madvise,
-            __NR_poll,
-            __NR_recvfrom,
-            __NR_recvmsg,
-            __NR_rt_sigaction,
-            __NR_sendmmsg,
-            __NR_sendto,
-            __NR_setsockopt,
-            __NR_socket,
-            __NR_sysinfo,
-        })
+        .AllowSyscall(__NR_accept)
+        .AllowSyscall(__NR_bind)
+        .AllowSyscall(__NR_connect)
+        .AllowSyscall(__NR_getpeername)
+        .AllowSyscall(__NR_getsockname)
+        .AllowSyscall(__NR_getsockopt)
+        .AllowSyscall(__NR_ioctl)
+        .AllowSyscall(__NR_listen)
+        .AllowSyscall(__NR_madvise)
+        .AllowPoll()
+        .AllowSyscall(__NR_recvfrom)
+        .AllowSyscall(__NR_recvmsg)
+        .AllowSyscall(__NR_rt_sigaction)
+        .AllowSyscall(__NR_sendmmsg)
+        .AllowSyscall(__NR_sendto)
+        .AllowSyscall(__NR_setsockopt)
+        .AllowSyscall(__NR_socket)
+        .AllowSyscall(__NR_sysinfo)
        .AddDirectory("/lib")
        .AllowUnrestrictedNetworking()
        .BuildOrDie();
--- a/oss-internship-2020/gdal/raster.cc
+++ b/oss-internship-2020/gdal/raster.cc
@ -37,18 +37,16 @@ class GdalSapiSandbox : public GDALSandbox {
        .AllowExit()
        .AllowStat()
        .AllowOpen()
-        .AllowSyscalls({
-            __NR_futex,
-            __NR_close,
-            __NR_recvmsg,
-            __NR_getdents64,
-            __NR_lseek,
-            __NR_getpid,
-            __NR_sysinfo,
-            __NR_prlimit64,
-            __NR_ftruncate,
-            __NR_unlink,
-        })
+        .AllowSyscall(__NR_futex)
+        .AllowSyscall(__NR_close)
+        .AllowSyscall(__NR_recvmsg)
+        .AllowSyscall(__NR_getdents64)
+        .AllowSyscall(__NR_lseek)
+        .AllowSyscall(__NR_getpid)
+        .AllowSyscall(__NR_sysinfo)
+        .AllowSyscall(__NR_prlimit64)
+        .AllowSyscall(__NR_ftruncate)
+        .AllowUnlink()
        .AddFile(file_path_)
        .BuildOrDie();
  }
--- a/oss-internship-2020/gdal/raster_to_gtiff/gdal_sandbox.h
+++ b/oss-internship-2020/gdal/raster_to_gtiff/gdal_sandbox.h
@ -42,16 +42,14 @@ class GdalSapiSandbox : public GdalSandbox {
        .AllowWrite()
        .AllowExit()
        .AllowOpen()
-        .AllowSyscalls({
-            __NR_futex,
-            __NR_getdents64,  // DriverRegisterAll()
-            __NR_lseek,       // GDALCreate()
-            __NR_getpid,      // GDALCreate()
-            __NR_sysinfo,     // VSI_TIFFOpen_common()
-            __NR_prlimit64,   // CPLGetUsablePhysicalRAM()
-            __NR_ftruncate,   // GTiffDataset::FillEmptyTiles()
-            __NR_unlink,      // GDALDriver::Delete()
-        })
+        .AllowSyscall(__NR_futex)
+        .AllowSyscall(__NR_getdents64)  // DriverRegisterAll()
+        .AllowSyscall(__NR_lseek)       // GDALCreate()
+        .AllowSyscall(__NR_getpid)      // GDALCreate()
+        .AllowSyscall(__NR_sysinfo)     // VSI_TIFFOpen_common()
+        .AllowSyscall(__NR_prlimit64)   // CPLGetUsablePhysicalRAM()
+        .AllowSyscall(__NR_ftruncate)   // GTiffDataset::FillEmptyTiles()
+        .AllowUnlink()                  // GDALDriver::Delete()
        .AddFile(proj_db_path_)  // proj.db is required for some projections
        .AddDirectory(out_directory_path_, /*is_ro=*/false)
        .BuildOrDie();
--- a/oss-internship-2020/libarchive/examples/sandbox.h
+++ b/oss-internship-2020/libarchive/examples/sandbox.h
@ -46,22 +46,20 @@ class SapiLibarchiveSandboxCreate : public LibarchiveSandbox {
            .AllowSafeFcntl()
            .AllowStat()
            .AllowExit()
-            .AllowSyscalls({
-                __NR_futex,
-                __NR_lseek,
-                __NR_close,
-                __NR_gettid,
-                __NR_umask,
-                __NR_utimensat,
-                __NR_unlink,
-                __NR_mkdir,
-                __NR_fstatfs,
-                __NR_socket,
-                __NR_connect,
-                __NR_flistxattr,
-                __NR_recvmsg,
-                __NR_getdents64,
-            })
+            .AllowSyscall(__NR_futex)
+            .AllowSyscall(__NR_lseek)
+            .AllowSyscall(__NR_close)
+            .AllowSyscall(__NR_gettid)
+            .AllowSyscall(__NR_umask)
+            .AllowSyscall(__NR_utimensat)
+            .AllowUnlink()
+            .AllowMkdir()
+            .AllowSyscall(__NR_fstatfs)
+            .AllowSyscall(__NR_socket)
+            .AllowSyscall(__NR_connect)
+            .AllowSyscall(__NR_flistxattr)
+            .AllowSyscall(__NR_recvmsg)
+            .AllowSyscall(__NR_getdents64)
            // Allow ioctl only for FS_IOC_GETFLAGS.
            .AddPolicyOnSyscall(__NR_ioctl,
                                {ARG(1), JEQ(FS_IOC_GETFLAGS, ALLOW)});
@ -118,16 +116,14 @@ class SapiLibarchiveSandboxExtract : public LibarchiveSandbox {
                                         .AllowSafeFcntl()
                                         .AllowStat()
                                         .AllowExit()
-                                         .AllowSyscalls({
-                                             __NR_futex,
-                                             __NR_lseek,
-                                             __NR_close,
-                                             __NR_gettid,
-                                             __NR_umask,
-                                             __NR_utimensat,
-                                             __NR_unlink,
-                                             __NR_mkdir,
-                                         })
+                                         .AllowSyscall(__NR_futex)
+                                         .AllowSyscall(__NR_lseek)
+                                         .AllowSyscall(__NR_close)
+                                         .AllowSyscall(__NR_gettid)
+                                         .AllowSyscall(__NR_umask)
+                                         .AllowSyscall(__NR_utimensat)
+                                         .AllowUnlink()
+                                         .AllowMkdir()
                                         .AddFile(archive_path_);

    if (do_extract_) {
--- a/oss-internship-2020/libuv/examples/idle-basic.cc
+++ b/oss-internship-2020/libuv/examples/idle-basic.cc
@ -32,8 +32,9 @@ class UVSapiIdleBasicSandbox : public uv::UVSandbox {
        .AllowDynamicStartup()
        .AllowExit()
        .AllowFutexOp(FUTEX_WAKE_PRIVATE)
-        .AllowSyscalls({__NR_epoll_create1, __NR_epoll_ctl, __NR_epoll_wait,
-                        __NR_eventfd2, __NR_pipe2})
+        .AllowEpoll()
+        .AllowSyscall(__NR_eventfd2)
+        .AllowPipe()
        .AllowWrite()
        .BuildOrDie();
  }
--- a/oss-internship-2020/libuv/examples/uvcat.cc
+++ b/oss-internship-2020/libuv/examples/uvcat.cc
@ -39,8 +39,10 @@ class UVSapiUVCatSandbox : public uv::UVSandbox {
        .AllowFutexOp(FUTEX_WAIT_PRIVATE)
        .AllowMmap()
        .AllowOpen()
-        .AllowSyscalls({__NR_epoll_create1, __NR_epoll_ctl, __NR_epoll_wait,
-                        __NR_eventfd2, __NR_pipe2, __NR_prlimit64})
+        .AllowEpoll()
+        .AllowSyscall(__NR_eventfd2)
+        .AllowPipe()
+        .AllowSyscall(__NR_prlimit64)
        .AllowWrite()
        .BuildOrDie();
  }
--- a/sandboxed_api/sandbox.cc
+++ b/sandboxed_api/sandbox.cc
@ -70,29 +70,26 @@ void InitDefaultPolicyBuilder(sandbox2::PolicyBuilder* builder) {
      .AllowHandleSignals()
      .AllowSystemMalloc()
      .AllowSafeFcntl()
-      .AllowSyscalls({
-          __NR_recvmsg,
-          __NR_sendmsg,
-          __NR_futex,
-          __NR_close,
-          __NR_lseek,
-          __NR_getpid,
-          __NR_getppid,
-          __NR_gettid,
-          __NR_clock_nanosleep,
-          __NR_nanosleep,
-          __NR_uname,
-          __NR_getrandom,
-          __NR_kill,
-          __NR_tgkill,
-          __NR_tkill,
-#ifdef __NR_readlink
-          __NR_readlink,
-#endif
+      .AllowSyscall(__NR_recvmsg)
+      .AllowSyscall(__NR_sendmsg)
+      .AllowSyscall(__NR_futex)
+      .AllowSyscall(__NR_close)
+      .AllowSyscall(__NR_lseek)
+      .AllowSyscall(__NR_getpid)
+      .AllowSyscall(__NR_getppid)
+      .AllowSyscall(__NR_gettid)
+      .AllowSleep()
+      .AllowSyscall(__NR_uname)
+      .AllowSyscall(__NR_getrandom)
+      .AllowSyscall(__NR_kill)
+      .AllowSyscall(__NR_tgkill)
+      .AllowSyscall(__NR_tkill)
+      .AllowReadlink();
+
 #ifdef __NR_arch_prctl  // x86-64 only
-          __NR_arch_prctl,
+  builder->AllowSyscall(__NR_arch_prctl);
 #endif
-      });
+
  if constexpr (sanitizers::IsAny()) {
    LOG(WARNING) << "Allowing additional calls to support the LLVM "
                 << "(ASAN/MSAN/TSAN) sanitizer";