mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
3323ddc129
The default policy causes immediate termination of a sandboxee that calls `bpf`(2). This does not allow for try-call use of `bpf()` to test for optional features. To support such try-call use cases, sandboxes would like to say: ``` sandbox2::PolicyBuilder builder; builder.BlockSyscallWithErrno(__NR_bpf, EPERM); ``` but this doesn't work because the default policy unconditionally treats `bpf()` as a sandbox violation. Remove the bpf violation check from the policy if `bpf()` is explicitly blocked with an errno. PiperOrigin-RevId: 345239389 Change-Id: I7fcfd3a938c610c8679edf8e1fa0238b32cc9db4 |
||
|---|---|---|
| .. | ||
| abort.cc | ||
| add_policy_on_syscalls.cc | ||
| buffer.cc | ||
| BUILD.bazel | ||
| CMakeLists.txt | ||
| hostname.cc | ||
| ipc.cc | ||
| limits.cc | ||
| malloc.cc | ||
| minimal.cc | ||
| namespace.cc | ||
| personality.cc | ||
| pidcomms.cc | ||
| policy.cc | ||
| print_fds.cc | ||
| sanitizer.cc | ||
| sleep.cc | ||
| starve.cc | ||
| symbolize.cc | ||
| tsync.cc | ||