Update sandboxed-api dependency and import internal changes

Databean · Databean · commit cb839a5faedb · 2025-09-17T21:15:05.000Z
- cl/806270901
- cl/764006885
- cl/767014600

Bug: b/445259151
diff --git a/base/cvd/MODULE.bazel b/base/cvd/MODULE.bazel
@@ -67,7 +67,7 @@ git_override(
 
 git_override(
     module_name = "sandboxed_api",
-    commit = "75b6c16e8e95314456795b34af06571879b18e1f",
+    commit = "c520612b14a472e0b4784e9f9e41f9e822264cc3",
     remote = "https://github.com/google/sandboxed-api.git",
     patch_strip = 1,
     patches = [
diff --git a/base/cvd/cuttlefish/host/commands/process_sandboxer/policies/BUILD.bazel b/base/cvd/cuttlefish/host/commands/process_sandboxer/policies/BUILD.bazel
@@ -54,6 +54,7 @@ cf_cc_library(
     deps = [
         "//cuttlefish/host/commands/process_sandboxer:policies_header",
         "@sandboxed_api//sandboxed_api/sandbox2",
+        "@sandboxed_api//sandboxed_api/sandbox2/allowlists:map_exec",
         "@sandboxed_api//sandboxed_api/sandbox2/util:bpf_helper",
         "@sandboxed_api//sandboxed_api/util:file_base",
     ],
diff --git a/base/cvd/cuttlefish/host/commands/process_sandboxer/policies/baseline.cpp b/base/cvd/cuttlefish/host/commands/process_sandboxer/policies/baseline.cpp
@@ -22,6 +22,7 @@
 #include <string_view>
 #include <vector>
 
+#include "sandboxed_api/sandbox2/allowlists/map_exec.h"
 #include "sandboxed_api/sandbox2/policybuilder.h"
 #include "sandboxed_api/sandbox2/util/bpf_helper.h"
 #include "sandboxed_api/util/path.h"
@@ -35,11 +36,12 @@ sandbox2::PolicyBuilder BaselinePolicy(const HostInfo& host,
   return sandbox2::PolicyBuilder()
       .AddLibrariesForBinary(exe, JoinPath(host.host_artifacts_path, "lib64"))
       // For dynamic linking and memory allocation
-      .AllowDynamicStartup()
+      .AllowDynamicStartup(sandbox2::MapExec())
       .AllowExit()
       .AllowGetPIDs()
       .AllowGetRandom()
       // Observed by `strace` on `socket_vsock_proxy` with x86_64 AOSP `glibc`.
+      .Allow(sandbox2::MapExec())
       .AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
         return {
             ARG_32(2),  // prot
diff --git a/base/cvd/cuttlefish/host/commands/process_sandboxer/policies/run_cvd.cpp b/base/cvd/cuttlefish/host/commands/process_sandboxer/policies/run_cvd.cpp
@@ -125,7 +125,7 @@ sandbox2::PolicyBuilder RunCvdPolicy(const HostInfo& host) {
       .AllowEventFd()
       .AllowFork()  // Multithreading, sandboxer_proxy, process monitor
       .AllowGetIDs()
-      .AllowInotifyInit()
+      .AllowInotify()
       .AllowMkdir()
       .AllowPipe()
       .AllowSafeFcntl()
@@ -135,8 +135,6 @@ sandbox2::PolicyBuilder RunCvdPolicy(const HostInfo& host) {
       .AllowSyscall(__NR_connect)
       .AllowSyscall(__NR_execve)  // sandboxer_proxy
       .AllowSyscall(__NR_getsid)
-      .AllowSyscall(__NR_inotify_add_watch)
-      .AllowSyscall(__NR_inotify_rm_watch)
       .AllowSyscall(__NR_listen)
       .AllowSyscall(__NR_msgget)  // Metrics SysV RPC
       .AllowSyscall(__NR_msgsnd)  // Metrics SysV RPC
