mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
3323ddc129
The default policy causes immediate termination of a sandboxee that calls `bpf`(2). This does not allow for try-call use of `bpf()` to test for optional features. To support such try-call use cases, sandboxes would like to say: ``` sandbox2::PolicyBuilder builder; builder.BlockSyscallWithErrno(__NR_bpf, EPERM); ``` but this doesn't work because the default policy unconditionally treats `bpf()` as a sandbox violation. Remove the bpf violation check from the policy if `bpf()` is explicitly blocked with an errno. PiperOrigin-RevId: 345239389 Change-Id: I7fcfd3a938c610c8679edf8e1fa0238b32cc9db4