Adjust sandboxed_api default policy

PiperOrigin-RevId: 557762512 Change-Id: I600c8126ee09b8bab927013de25fcb836c78ac9a
google · Aug 17, 2023 · 18c64ae · 18c64ae
1 parent f378d22
commit 18c64ae
Showing 1 changed file with 13 additions and 14 deletions.
diff --git a/sandboxed_api/sandbox.cc b/sandboxed_api/sandbox.cc
@@ -70,21 +70,20 @@ void InitDefaultPolicyBuilder(sandbox2::PolicyBuilder* builder) {
       .AllowHandleSignals()
       .AllowSystemMalloc()
       .AllowSafeFcntl()
-      .AllowSyscall(__NR_recvmsg)
-      .AllowSyscall(__NR_sendmsg)
-      .AllowSyscall(__NR_futex)
-      .AllowSyscall(__NR_close)
-      .AllowSyscall(__NR_lseek)
-      .AllowSyscall(__NR_getpid)
-      .AllowSyscall(__NR_getppid)
-      .AllowSyscall(__NR_gettid)
+      .AllowGetPIDs()
       .AllowSleep()
-      .AllowSyscall(__NR_uname)
-      .AllowSyscall(__NR_getrandom)
-      .AllowSyscall(__NR_kill)
-      .AllowSyscall(__NR_tgkill)
-      .AllowSyscall(__NR_tkill)
-      .AllowReadlink();
+      .AllowReadlink()
+      .AllowSyscalls({
+          __NR_recvmsg,
+          __NR_sendmsg,
+          __NR_futex,
+          __NR_close,
+          __NR_lseek,
+          __NR_uname,
+          __NR_kill,
+          __NR_tgkill,
+          __NR_tkill,
+      });
 
 #ifdef __NR_arch_prctl  // x86-64 only
   builder->AllowSyscall(__NR_arch_prctl);