PolicyBuilder: add convenience APIs for adding files/dirs that might not exist

happyCoder92 · copybara-github · commit 6a564c73decb · 2025-10-14T07:49:35.000-07:00
Follow-up changes will make the regular APIs error out early for non-existing
files/dirs.

PiperOrigin-RevId: 819218320
Change-Id: Ice147bf5ca20f86c24b9d9dc95955f39c6ae7472
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
@@ -104,6 +104,22 @@ namespace {
 namespace file = ::sapi::file;
 namespace fileops = ::sapi::file_util::fileops;
 
+bool IsDirectory(const std::string& path) {
+  struct stat sb;
+  if (stat(path.c_str(), &sb) == -1) {
+    return false;
+  }
+  return S_ISDIR(sb.st_mode);
+}
+
+bool IsFile(const std::string& path) {
+  struct stat sb;
+  if (stat(path.c_str(), &sb) == -1) {
+    return false;
+  }
+  return !S_ISDIR(sb.st_mode);
+}
+
 // Validates that the path is absolute and canonical.
 absl::StatusOr<std::string> ValidatePath(absl::string_view path,
                                          bool allow_relative_path = false) {
@@ -521,7 +537,9 @@ PolicyBuilder& PolicyBuilder::AllowLlvmCoverage() {
   AllowMkdir();
   AllowSafeFcntl();
   AllowSyscalls({
-      __NR_munmap, __NR_close, __NR_lseek,
+      __NR_munmap,
+      __NR_close,
+      __NR_lseek,
 #ifdef __NR__llseek
       __NR__llseek,  // Newer glibc on PPC
 #endif
@@ -1538,6 +1556,14 @@ PolicyBuilder& PolicyBuilder::AddFile(absl::string_view path, bool is_ro) {
   return AddFileAt(path, path, is_ro);
 }
 
+PolicyBuilder& PolicyBuilder::AddFileIfExists(absl::string_view path,
+                                              bool is_ro) {
+  if (IsFile(std::string(path))) {
+    AddFile(path, is_ro);
+  }
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
                                         absl::string_view inside, bool is_ro) {
   EnableNamespaces();  // NOLINT(clang-diagnostic-deprecated-declarations)
@@ -1611,6 +1637,14 @@ PolicyBuilder& PolicyBuilder::AddDirectory(absl::string_view path, bool is_ro) {
   return AddDirectoryAt(path, path, is_ro);
 }
 
+PolicyBuilder& PolicyBuilder::AddDirectoryIfExists(absl::string_view path,
+                                                   bool is_ro) {
+  if (IsDirectory(std::string(path))) {
+    AddDirectory(path, is_ro);
+  }
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AddDirectoryAt(absl::string_view outside,
                                              absl::string_view inside,
                                              bool is_ro) {
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
@@ -795,6 +795,8 @@ class PolicyBuilder final {
   PolicyBuilder& AddFile(absl::string_view path, bool is_ro = true);
   PolicyBuilder& AddFileAt(absl::string_view outside, absl::string_view inside,
                            bool is_ro = true);
+  // Same as `AddFile`, but no error is raised if the file does not exist.
+  PolicyBuilder& AddFileIfExists(absl::string_view path, bool is_ro = true);
 
   // Adds the libraries and linker required by a binary.
   //
@@ -829,6 +831,10 @@ class PolicyBuilder final {
   PolicyBuilder& AddDirectory(absl::string_view path, bool is_ro = true);
   PolicyBuilder& AddDirectoryAt(absl::string_view outside,
                                 absl::string_view inside, bool is_ro = true);
+  // Same as `AddDirectory`, but no error is raised if the directory does not
+  // exist.
+  PolicyBuilder& AddDirectoryIfExists(absl::string_view path,
+                                      bool is_ro = true);
 
   // Adds a tmpfs inside the namespace.
   //
diff --git a/sandboxed_api/sandbox2/policybuilder_test.cc b/sandboxed_api/sandbox2/policybuilder_test.cc
@@ -115,6 +115,28 @@ TEST(PolicyBuilderTest, Testpolicy_size) {
   // clang-format on
 }
 
+TEST(PolicyBuilderTest, NonExistingIgnored) {
+  PolicyBuilder pb;
+  pb.AddFileIfExists("/non_existing_file");
+  ASSERT_THAT(pb.mounts().ResolvePath("/non_existing_file"),
+              StatusIs(absl::StatusCode::kNotFound));
+  pb.AddDirectoryIfExists("/non_existing_dir");
+  ASSERT_THAT(pb.mounts().ResolvePath("/non_existing_dir"),
+              StatusIs(absl::StatusCode::kNotFound));
+  EXPECT_THAT(pb.TryBuild(), IsOk());
+}
+
+TEST(PolicyBuilderTest, WrongTypeIgnored) {
+  PolicyBuilder pb;
+  pb.AddFileIfExists("/usr");  // This is a directory, not a file.
+  ASSERT_THAT(pb.mounts().ResolvePath("/usr"),
+              StatusIs(absl::StatusCode::kNotFound));
+  pb.AddDirectoryIfExists("/etc/passwd");  // This is a file, not a directory.
+  ASSERT_THAT(pb.mounts().ResolvePath("/etc/passwd"),
+              StatusIs(absl::StatusCode::kNotFound));
+  EXPECT_THAT(pb.TryBuild(), IsOk());
+}
+
 TEST(PolicyBuilderTest, ApisWithPathValidation) {
   const std::initializer_list<std::pair<absl::string_view, absl::StatusCode>>
       kTestCases = {
