Ensure that TCMalloc can execute NumCPUs.

PiperOrigin-RevId: 565683514 Change-Id: I391ab5f184f487ef3ffc553d10581cd6eaee54de
2024-03-22 13:11:30 +08:00 · 2023-09-15 08:20:33 -07:00 · 2023-09-15 08:20:33 -07:00 · f5830c93cd
commit f5830c93cd
parent 700f8fa547
4 changed files with 5 additions and 8 deletions
--- a/sandboxed_api/sandbox2/examples/network/network_sandbox.cc
+++ b/sandboxed_api/sandbox2/examples/network/network_sandbox.cc
@ -57,6 +57,7 @@ std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
      .AllowSyscall(__NR_sendto)   // send
      .AllowStat()                 // printf,puts
      .AddLibrariesForBinary(sandboxee_path)
+      .AllowTcMalloc()
      .BuildOrDie();
 }

--- a/sandboxed_api/sandbox2/policy_test.cc
+++ b/sandboxed_api/sandbox2/policy_test.cc
@ -291,7 +291,7 @@ TEST(MultipleSyscalls, AddPolicyOnSyscallsWorks) {
 #endif
          },
          {ERRNO(42)})
-      .AddPolicyOnSyscalls({__NR_read, __NR_write}, {ERRNO(43)})
+      .AddPolicyOnSyscalls({__NR_write}, {ERRNO(43)})
      .AddPolicyOnSyscall(__NR_umask, {DENY});
  auto policy = builder.BuildOrDie();

--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -263,12 +263,6 @@ PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
  AllowPrctlSetVma();
  AllowPoll();
  AllowGetPIDs();
-#ifdef __NR_open
-  OverridableBlockSyscallWithErrno(__NR_open, ENOENT);
-#endif
-#ifdef __NR_openat
-  OverridableBlockSyscallWithErrno(__NR_openat, ENOENT);
-#endif

  AddPolicyOnSyscall(__NR_mprotect, {
                                        ARG_32(2),
@ -764,6 +758,9 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
  AllowSyscall(__NR_membarrier);
  AllowFutexOp(FUTEX_WAIT);
  AllowFutexOp(FUTEX_WAKE);
+  AllowRead();
+  AllowOpen();
+  AllowSyscall(__NR_close);
  AddPolicyOnSyscall(__NR_rt_sigprocmask, {
                                              ARG_32(0),
                                              JEQ32(SIG_SETMASK, ALLOW),
--- a/sandboxed_api/sandbox2/testcases/add_policy_on_syscalls.cc
+++ b/sandboxed_api/sandbox2/testcases/add_policy_on_syscalls.cc
@ -30,7 +30,6 @@ int main() {
  if (getegid() != 1000) return 4;
  if (getresuid(&r, &e, &s) != -1 || errno != 42) return 5;
  if (getresgid(&r, &e, &s) != -1 || errno != 42) return 6;
-  if (read(0, buf, 1) != -1 || errno != 43) return 7;
  if (write(1, buf, 1) != -1 || errno != 43) return 8;

  // Trigger a violation.