BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning.
PiperOrigin-RevId: 309173849
Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
Sandbox2 is a C++ security sandbox for Linux which can be used to run untrusted
programs or portions of programs in confined environments. The idea is that the
runtime environment is so restricted that security bugs such as buffer overflows
in the protected region cause no harm.
Documentation
Detailed developer documentation is available on the Google Developers site for Sandboxed API under
Sandbox2.
79049b09c0