Introduce AddFile(At)IfNamespaced/AddDirectory(At)IfNamespaced

Use the new interface in AllowRestartableSequences.

PiperOrigin-RevId: 548619728
Change-Id: I1f8aeb9a1cb412c50391d65a3cd148f77b46bd6f

sandboxed_api/sandbox2/policybuilder.cc

@@ -325,7 +325,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
                                      });
     // Sanitizers read from /proc. For example:
     // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
-    AddDirectory("/proc");
+    AddDirectoryIfNamespaced("/proc");
     // Sanitizers need pid for reports. For example:
     // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
     AllowGetPIDs();
@@ -679,18 +679,6 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
   });
 }
 
-PolicyBuilder& PolicyBuilder::AllowRestartableSequencesWithProcFiles(
-    CpuFenceMode cpu_fence_mode) {
-  AllowRestartableSequences(cpu_fence_mode);
-  AddFile("/proc/cpuinfo");
-  AddFile("/proc/stat");
-  AddDirectory("/sys/devices/system/cpu");
-  if (cpu_fence_mode == kAllowSlowFences) {
-    AddFile("/proc/self/cpuset");
-  }
-  return *this;
-}
-
 PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
     CpuFenceMode cpu_fence_mode) {
 #ifdef __NR_rseq
@@ -720,6 +708,12 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
     AllowSyscall(__NR_sched_getaffinity);
     AllowSyscall(__NR_sched_setaffinity);
   }
+  AddFileIfNamespaced("/proc/cpuinfo");
+  AddFileIfNamespaced("/proc/stat");
+  AddDirectoryIfNamespaced("/sys/devices/system/cpu");
+  if (cpu_fence_mode == kAllowSlowFences) {
+    AddFileIfNamespaced("/proc/self/cpuset");
+  }
   return *this;
 }
 
@@ -1250,7 +1244,17 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
 PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
                                         absl::string_view inside, bool is_ro) {
   EnableNamespaces();  // NOLINT(clang-diagnostic-deprecated-declarations)
+  return AddFileAtIfNamespaced(outside, inside, is_ro);
+}
 
+PolicyBuilder& PolicyBuilder::AddFileIfNamespaced(absl::string_view path,
+                                                  bool is_ro) {
+  return AddFileAtIfNamespaced(path, path, is_ro);
+}
+
+PolicyBuilder& PolicyBuilder::AddFileAtIfNamespaced(absl::string_view outside,
+                                                    absl::string_view inside,
+                                                    bool is_ro) {
   auto valid_outside = ValidateAbsolutePath(outside);
   if (!valid_outside.ok()) {
     SetError(valid_outside.status());
@@ -1314,7 +1318,16 @@ PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
                                              absl::string_view inside,
                                              bool is_ro) {
   EnableNamespaces();  // NOLINT(clang-diagnostic-deprecated-declarations)
+  return AddDirectoryAtIfNamespaced(outside, inside, is_ro);
+}
 
+PolicyBuilder& PolicyBuilder::AddDirectoryIfNamespaced(absl::string_view path,
+                                                       bool is_ro) {
+  return AddDirectoryAtIfNamespaced(path, path, is_ro);
+}
+
+PolicyBuilder& PolicyBuilder::AddDirectoryAtIfNamespaced(
+    absl::string_view outside, absl::string_view inside, bool is_ro) {
   auto valid_outside = ValidateAbsolutePath(outside);
   if (!valid_outside.ok()) {
     SetError(valid_outside.status());

sandboxed_api/sandbox2/policybuilder.h

@@ -201,17 +201,12 @@ class PolicyBuilder final {
   //
   // If `cpu_fence_mode` is `kRequireFastFences`, RSEQ functionality may not
   // be enabled if fast CPU fences are not available.
-  //
-  // This function enables namespaces! If your policy disables namespaces,
-  // the conflict will cause an error when the policy is built. You should
-  // call AllowRestartableSequences() instead; see below for instructions.
-  PolicyBuilder& AllowRestartableSequencesWithProcFiles(
-      CpuFenceMode cpu_fence_mode);
-
-  // Appends code to allow restartable sequences.
-  // See above for the allowed syscalls and, more importantly, for the files
-  // that you are responsible for allowing via the deprecated `Fs` mechanism.
   PolicyBuilder& AllowRestartableSequences(CpuFenceMode cpu_fence_mode);
+  ABSL_DEPRECATED("Use AllowRestartableSequences() instead")
+  PolicyBuilder& AllowRestartableSequencesWithProcFiles(
+      CpuFenceMode cpu_fence_mode) {
+    return this->AllowRestartableSequences(cpu_fence_mode);
+  }
 
   // Appends code to allow the scudo version of malloc, free and
   // friends. This should be used in conjunction with namespaces. If scudo
@@ -738,6 +733,19 @@ class PolicyBuilder final {
       absl::string_view path);
   static absl::StatusOr<std::string> ValidatePath(absl::string_view path);
 
+  // Similar to AddFile(At)/AddDirectory(At) but it won't force use of
+  // namespaces - files will only be added to the namespace if it is not
+  // disabled by the time of TryBuild().
+  PolicyBuilder& AddFileIfNamespaced(absl::string_view path, bool is_ro = true);
+  PolicyBuilder& AddFileAtIfNamespaced(absl::string_view outside,
+                                       absl::string_view inside,
+                                       bool is_ro = true);
+  PolicyBuilder& AddDirectoryIfNamespaced(absl::string_view path,
+                                          bool is_ro = true);
+  PolicyBuilder& AddDirectoryAtIfNamespaced(absl::string_view outside,
+                                            absl::string_view inside,
+                                            bool is_ro = true);
+
   // Allows a limited version of madvise
   PolicyBuilder& AllowLimitedMadvise();