Do not allow mounting /proc/self/cpuset.

happyCoder92 · copybara-github · commit a30d18d795b9 · 2026-05-04T01:25:51.000-07:00
PiperOrigin-RevId: 909870489
Change-Id: I2f05e96686415720a87de13c0e96d3e2d6967827
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
@@ -1630,8 +1630,7 @@ PolicyBuilder& PolicyBuilder::AddFileAtIfNamespaced(absl::string_view outside,
     return *this;
   }
 
-  if (absl::StartsWith(*valid_outside, "/proc/self") &&
-      *valid_outside != "/proc/self/cpuset") {
+  if (absl::StartsWith(*valid_outside, "/proc/self")) {
     SetError(absl::InvalidArgumentError(
         absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
                      "whole /proc instead. You tried to mount ",

Original file line number	Diff line number	Diff line change
`@@ -1630,8 +1630,7 @@ PolicyBuilder& PolicyBuilder::AddFileAtIfNamespaced(absl::string_view outside,`
`1630`	`1630`	`return *this;`
`1631`	`1631`	`}`
`1632`	`1632`
`1633`		`- if (absl::StartsWith(*valid_outside, "/proc/self") &&`
`1634`		`- *valid_outside != "/proc/self/cpuset") {`
	`1633`	`+ if (absl::StartsWith(*valid_outside, "/proc/self")) {`
`1635`	`1634`	`SetError(absl::InvalidArgumentError(`
`1636`	`1635`	`absl::StrCat("Cannot add /proc/self mounts, you need to mount the "`
`1637`	`1636`	`"whole /proc instead. You tried to mount ",`