Ensure that TCMalloc can execute NumCPUs.

PiperOrigin-RevId: 565683514
Change-Id: I391ab5f184f487ef3ffc553d10581cd6eaee54de
This commit is contained in:
Chris Kennelly 2023-09-15 08:20:33 -07:00 committed by Copybara-Service
parent 700f8fa547
commit f5830c93cd
4 changed files with 5 additions and 8 deletions

View File

@ -57,6 +57,7 @@ std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
.AllowSyscall(__NR_sendto) // send
.AllowStat() // printf,puts
.AddLibrariesForBinary(sandboxee_path)
.AllowTcMalloc()
.BuildOrDie();
}

View File

@ -291,7 +291,7 @@ TEST(MultipleSyscalls, AddPolicyOnSyscallsWorks) {
#endif
},
{ERRNO(42)})
.AddPolicyOnSyscalls({__NR_read, __NR_write}, {ERRNO(43)})
.AddPolicyOnSyscalls({__NR_write}, {ERRNO(43)})
.AddPolicyOnSyscall(__NR_umask, {DENY});
auto policy = builder.BuildOrDie();

View File

@ -263,12 +263,6 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
AllowPrctlSetVma();
AllowPoll();
AllowGetPIDs();
#ifdef __NR_open
OverridableBlockSyscallWithErrno(__NR_open, ENOENT);
#endif
#ifdef __NR_openat
OverridableBlockSyscallWithErrno(__NR_openat, ENOENT);
#endif
AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2),
@ -764,6 +758,9 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
AllowSyscall(__NR_membarrier);
AllowFutexOp(FUTEX_WAIT);
AllowFutexOp(FUTEX_WAKE);
AllowRead();
AllowOpen();
AllowSyscall(__NR_close);
AddPolicyOnSyscall(__NR_rt_sigprocmask, {
ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW),

View File

@ -30,7 +30,6 @@ int main() {
if (getegid() != 1000) return 4;
if (getresuid(&r, &e, &s) != -1 || errno != 42) return 5;
if (getresgid(&r, &e, &s) != -1 || errno != 42) return 6;
if (read(0, buf, 1) != -1 || errno != 43) return 7;
if (write(1, buf, 1) != -1 || errno != 43) return 8;
// Trigger a violation.