Skip to content

Commit f2ad018

Browse files
Sandboxed API Teamcopybara-github
Sandboxed API Team
authored and
copybara-github
committed
AllowRestartableSequences: Add whole /proc
Adding `/proc/self/cpuset` is not really correct. PiperOrigin-RevId: 899797242 Change-Id: I08c6e51e4c8c23ba43dfa81893f8e0c7fcf574fe
1 parent 5ea8bf4 commit f2ad018

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

sandboxed_api/sandbox2/policybuilder.cc

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1128,12 +1128,14 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences(
11281128
});
11291129
AllowPrctlSetVma();
11301130

1131-
AddDirectoryIfNamespaced("/proc");
1131+
AddFileIfNamespaced("/proc/cpuinfo");
1132+
AddFileIfNamespaced("/proc/stat");
11321133
AddDirectoryIfNamespaced("/sys/devices/system/cpu");
11331134
}
11341135
if (cpu_fence_mode == kAllowSlowFences && !allowed_complex_.slow_fences) {
11351136
AllowSyscall(__NR_sched_getaffinity);
11361137
AllowSyscall(__NR_sched_setaffinity);
1138+
AddFileIfNamespaced("/proc/self/cpuset");
11371139
allowed_complex_.slow_fences = true;
11381140
} else if (cpu_fence_mode == kRequireFastFences) {
11391141
allowed_complex_.fast_fences = true;

0 commit comments

Comments
 (0)