SECCOMP-BPF: Refactor the BPF sandbox API to use fewer "static" fields and methods.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
@@ skipping 62 matching lines @@
 // and it helps us accidentally forgetting any of the crucial steps in
 // setting up the sandbox. But it wouldn't hurt to have at least one test
 // that explicitly walks through all these steps.
 
 intptr_t FakeGetPid(const struct arch_seccomp_data& args, void *aux) {
   BPF_ASSERT(aux);
   pid_t *pid_ptr = static_cast<pid_t *>(aux);
   return (*pid_ptr)++;
 }
 
-ErrorCode VerboseAPITestingPolicy(int sysno, void *aux) {
+ErrorCode VerboseAPITestingPolicy(Sandbox *sandbox, int sysno, void *aux) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_getpid) {
-    return Sandbox::Trap(FakeGetPid, aux);
+    return sandbox->Trap(FakeGetPid, aux);
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 SANDBOX_TEST(SandboxBpf, VerboseAPITesting) {
   if (Sandbox::SupportsSeccompSandbox(-1) ==
       playground2::Sandbox::STATUS_AVAILABLE) {
     pid_t test_var = 0;
-    playground2::Sandbox::SetSandboxPolicy(VerboseAPITestingPolicy, &test_var);
-    playground2::Sandbox::StartSandbox();
+    Sandbox sandbox;
+    sandbox.SetSandboxPolicy(VerboseAPITestingPolicy, &test_var);
+    sandbox.StartSandbox();
 
     BPF_ASSERT(test_var == 0);
     BPF_ASSERT(syscall(__NR_getpid) == 0);
     BPF_ASSERT(test_var == 1);
     BPF_ASSERT(syscall(__NR_getpid) == 1);
     BPF_ASSERT(test_var == 2);
 
     // N.B.: Any future call to getpid() would corrupt the stack.
     //       This is OK. The SANDBOX_TEST() macro is guaranteed to
     //       only ever call _exit() after the test completes.
   }
 }
 
 // A simple blacklist test
 
-ErrorCode BlacklistNanosleepPolicy(int sysno, void *) {
+ErrorCode BlacklistNanosleepPolicy(Sandbox *, int sysno, void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_nanosleep:
       return ErrorCode(EACCES);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   // nanosleep() should be denied
   const struct timespec ts = {0, 0};
   errno = 0;
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == EACCES);
 }
 
 // Now do a simple whitelist test
 
-ErrorCode WhitelistGetpidPolicy(int sysno, void *) {
+ErrorCode WhitelistGetpidPolicy(Sandbox *, int sysno, void *) {
   switch (sysno) {
     case __NR_getpid:
     case __NR_exit_group:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return ErrorCode(ENOMEM);
   }
 }
 
 BPF_TEST(SandboxBpf, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
   // getpid() should be allowed
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // getpgid() should be denied
   BPF_ASSERT(getpgid(0) == -1);
   BPF_ASSERT(errno == ENOMEM);
 }
 
 // A simple blacklist policy, with a SIGSYS handler
 
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void *aux) {
   // We also check that the auxiliary data is correct
   SANDBOX_ASSERT(aux);
   *(static_cast<int*>(aux)) = kExpectedReturnValue;
   return -ENOMEM;
 }
 
-ErrorCode BlacklistNanosleepPolicySigsys(int sysno, void *aux) {
+ErrorCode BlacklistNanosleepPolicySigsys(Sandbox *sandbox, int sysno,
+                                         void *aux) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_nanosleep:
-      return Sandbox::Trap(EnomemHandler, aux);
+      return sandbox->Trap(EnomemHandler, aux);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, BasicBlacklistWithSigsys,
          BlacklistNanosleepPolicySigsys, int /* BPF_AUX */) {
   // getpid() should work properly
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // Our Auxiliary Data, should be reset by the signal handler
   BPF_AUX = -1;
   const struct timespec ts = {0, 0};
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == ENOMEM);
 
   // We expect the signal handler to modify AuxData
   BPF_ASSERT(BPF_AUX == kExpectedReturnValue);
 }
 
 // A simple test that verifies we can return arbitrary errno values.
 
-ErrorCode ErrnoTestPolicy(int sysno, void *) {
+ErrorCode ErrnoTestPolicy(Sandbox *, int sysno, void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
   case __NR_dup2:
     // Pretend that dup2() worked, but don't actually do anything.
     return ErrorCode(0);
   case __NR_setuid:
@@ skipping 28 matching lines @@
   // into a no-op by our policy, then we will read \x55.
   BPF_ASSERT(buf[0] == '\x55');
 
   // Verify that we can return the minimum and maximum errno values.
   BPF_ASSERT(setuid(0) == -1);
   BPF_ASSERT(errno == 1);
   BPF_ASSERT(setgid(0) == -1);
   BPF_ASSERT(errno == ErrorCode::ERR_MAX_ERRNO);
 }
 
+// Testing the stacking of two sandboxes
+
+ErrorCode StackingPolicyPartOne(Sandbox *sandbox, int sysno, void *) {
+  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+    return ErrorCode(ENOSYS);
+  }
+
+  switch (sysno) {
+    case __NR_getppid:
+      return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
+                           ErrorCode(ErrorCode::ERR_ALLOWED),
+                           ErrorCode(EPERM));
+    default:
+      return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+}
+
+ErrorCode StackingPolicyPartTwo(Sandbox *sandbox, int sysno, void *) {
+  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+    return ErrorCode(ENOSYS);
+  }
+
+  switch (sysno) {
+    case __NR_getppid:
+      return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
+                           ErrorCode(EINVAL),
+                           ErrorCode(ErrorCode::ERR_ALLOWED));
+    default:
+      return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+}
+
+BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) {
+  errno = 0;
+  BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
+  BPF_ASSERT(errno == 0);
+
+  BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
+  BPF_ASSERT(errno == EPERM);
+
+  // Stack a second sandbox with its own policy. Verify that we can further
+  // restrict filters, but we cannot relax existing filters.
+  Sandbox sandbox;
+  sandbox.SetSandboxPolicy(StackingPolicyPartTwo, NULL);
+  sandbox.StartSandbox();
+
+  errno = 0;
+  BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
+  BPF_ASSERT(errno == EINVAL);
+
+  BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
+  BPF_ASSERT(errno == EPERM);
+}
+
 // A more complex, but synthetic policy. This tests the correctness of the BPF
 // program by iterating through all syscalls and checking for an errno that
 // depends on the syscall number. Unlike the Verifier, this exercises the BPF
 // interpreter in the kernel.
 
 // We try to make sure we exercise optimizations in the BPF compiler. We make
 // sure that the compiler can have an opportunity to coalesce syscalls with
 // contiguous numbers and we also make sure that disjoint sets can return the
 // same errno.
 int SysnoToRandomErrno(int sysno) {
   // Small contiguous sets of 3 system calls return an errno equal to the
   // index of that set + 1 (so that we never return a NUL errno).
   return ((sysno & ~3) >> 2) % 29 + 1;
 }
 
-ErrorCode SyntheticPolicy(int sysno, void *) {
+ErrorCode SyntheticPolicy(Sandbox *, int sysno, void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
 // TODO(jorgelo): remove this once the new code generator lands.
 #if defined(__arm__)
   if (sysno > static_cast<int>(MAX_PUBLIC_SYSCALL)) {
     return ErrorCode(ENOSYS);
   }
@@ skipping 37 matching lines @@
 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno).
 int ArmPrivateSysnoToErrno(int sysno) {
   if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
       sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
     return (sysno - MIN_PRIVATE_SYSCALL) + 1;
   } else {
     return ENOSYS;
   }
 }
 
-ErrorCode ArmPrivatePolicy(int sysno, void *) {
+ErrorCode ArmPrivatePolicy(Sandbox *, int sysno, void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   }
 
   // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual
   // ARM private system calls.
   if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) &&
       sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
     return ErrorCode(ArmPrivateSysnoToErrno(sysno));
@@ skipping 19 matching lines @@
 
   // Verify that within the callback function all filtering is temporarily
   // disabled.
   BPF_ASSERT(syscall(__NR_getpid) > 1);
 
   // Verify that we can now call the underlying system call without causing
   // infinite recursion.
   return Sandbox::ForwardSyscall(args);
 }
 
-ErrorCode GreyListedPolicy(int sysno, void *aux) {
+ErrorCode GreyListedPolicy(Sandbox *sandbox, int sysno, void *aux) {
   // The use of UnsafeTrap() causes us to print a warning message. This is
   // generally desirable, but it results in the unittest failing, as it doesn't
   // expect any messages on "stderr". So, temporarily disable messages. The
   // BPF_TEST() is guaranteed to turn messages back on, after the policy
   // function has completed.
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   // Some system calls must always be allowed, if our policy wants to make
   // use of UnsafeTrap()
   if (sysno == __NR_rt_sigprocmask ||
       sysno == __NR_rt_sigreturn
 #if defined(__NR_sigprocmask)
    || sysno == __NR_sigprocmask
 #endif
 #if defined(__NR_sigreturn)
    || sysno == __NR_sigreturn
 #endif
       ) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   } else if (sysno == __NR_getpid) {
     // Disallow getpid()
     return ErrorCode(EPERM);
   } else if (Sandbox::IsValidSyscallNumber(sysno)) {
     // Allow (and count) all other system calls.
-      return Sandbox::UnsafeTrap(CountSyscalls, aux);
+      return sandbox->UnsafeTrap(CountSyscalls, aux);
   } else {
     return ErrorCode(ENOSYS);
   }
 }
 
 BPF_TEST(SandboxBpf, GreyListedPolicy,
          GreyListedPolicy, int /* BPF_AUX */) {
   BPF_ASSERT(syscall(__NR_getpid) == -1);
   BPF_ASSERT(errno == EPERM);
   BPF_ASSERT(BPF_AUX == 0);
@@ skipping 23 matching lines @@
   if (args.args[0] == PR_CAPBSET_DROP &&
       static_cast<int>(args.args[1]) == -1) {
     // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always
     // return an error. But our handler allows this call.
     return 0;
   } else {
     return Sandbox::ForwardSyscall(args);
   }
 }
 
-ErrorCode PrctlPolicy(int sysno, void *aux) {
+ErrorCode PrctlPolicy(Sandbox *sandbox, int sysno, void *aux) {
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   if (sysno == __NR_prctl) {
     // Handle prctl() inside an UnsafeTrap()
-    return Sandbox::UnsafeTrap(PrctlHandler, NULL);
+    return sandbox->UnsafeTrap(PrctlHandler, NULL);
   } else if (Sandbox::IsValidSyscallNumber(sysno)) {
     // Allow all other system calls.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   } else {
     return ErrorCode(ENOSYS);
   }
 }
 
 BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) {
   // This call should never be allowed. But our policy will intercept it and
@@ skipping 15 matching lines @@
   // unaffected by our policy.
   struct utsname uts = { };
   BPF_ASSERT(!uname(&uts));
   BPF_ASSERT(!strcmp(uts.sysname, "Linux"));
 }
 
 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void *) {
   return Sandbox::ForwardSyscall(args);
 }
 
-ErrorCode RedirectAllSyscallsPolicy(int sysno, void *aux) {
+ErrorCode RedirectAllSyscallsPolicy(Sandbox *sandbox, int sysno, void *aux) {
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   // Some system calls must always be allowed, if our policy wants to make
   // use of UnsafeTrap()
   if (sysno == __NR_rt_sigprocmask ||
       sysno == __NR_rt_sigreturn
 #if defined(__NR_sigprocmask)
    || sysno == __NR_sigprocmask
 #endif
 #if defined(__NR_sigreturn)
    || sysno == __NR_sigreturn
 #endif
       ) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   } else if (Sandbox::IsValidSyscallNumber(sysno)) {
-    return Sandbox::UnsafeTrap(AllowRedirectedSyscall, aux);
+    return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux);
   } else {
     return ErrorCode(ENOSYS);
   }
 }
 
 int bus_handler_fd_ = -1;
 
 void SigBusHandler(int, siginfo_t *info, void *void_context) {
   BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
 }
@@ skipping 110 matching lines @@
       // the openat() system call.
       BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
       return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
           static_cast<int>(args.args[2]));
     default:
       BPF_ASSERT(false);
       return -ENOSYS;
   }
 }
 
-ErrorCode DenyOpenPolicy(int sysno, void *aux) {
+ErrorCode DenyOpenPolicy(Sandbox *sandbox, int sysno, void *aux) {
   InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux);
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_open:
     case __NR_openat:
       // We get a InitializedOpenBroker class, but our trap handler wants
       // the BrokerProcess object.
-      return ErrorCode(Sandbox::Trap(BrokerOpenTrapHandler,
+      return ErrorCode(sandbox->Trap(BrokerOpenTrapHandler,
                                      iob->broker_process()));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 // We use a InitializedOpenBroker class, so that we can run unsandboxed
 // code in its constructor, which is the only way to do so in a BPF_TEST.
 BPF_TEST(SandboxBpf, UseOpenBroker, DenyOpenPolicy,
          InitializedOpenBroker /* BPF_AUX */) {
@@ skipping 23 matching lines @@
 
   // This is also white listed and does exist.
   int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);
   BPF_ASSERT(cpu_info_fd >= 0);
   char buf[1024];
   BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
 }
 
 // Simple test demonstrating how to use Sandbox::Cond()
 
-ErrorCode SimpleCondTestPolicy(int sysno, void *) {
+ErrorCode SimpleCondTestPolicy(Sandbox *sandbox, int sysno, void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   // We deliberately return unusual errno values upon failure, so that we
   // can uniquely test for these values. In a "real" policy, you would want
   // to return more traditional values.
   switch (sysno) {
     case __NR_open:
       // Allow opening files for reading, but don't allow writing.
       COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits);
-      return Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+      return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                            O_ACCMODE /* 0x3 */,
                            ErrorCode(EROFS),
                            ErrorCode(ErrorCode::ERR_ALLOWED));
     case __NR_prctl:
       // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but
       // disallow everything else.
-      return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+      return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                            PR_SET_DUMPABLE,
                            ErrorCode(ErrorCode::ERR_ALLOWED),
-             Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+             sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                            PR_GET_DUMPABLE,
                            ErrorCode(ErrorCode::ERR_ALLOWED),
                            ErrorCode(ENOMEM)));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) {
   int fd;
@@ skipping 41 matching lines @@
   }
 
   ~EqualityStressTest() {
     for (std::vector<ArgValue *>::iterator iter = arg_values_.begin();
          iter != arg_values_.end();
          ++iter) {
       DeleteArgValue(*iter);
     }
   }
 
-  ErrorCode Policy(int sysno) {
+  ErrorCode Policy(Sandbox *sandbox, int sysno) {
     if (!Sandbox::IsValidSyscallNumber(sysno)) {
       // FIXME: we should really not have to do that in a trivial policy
       return ErrorCode(ENOSYS);
     } else if (sysno < 0 || sysno >= (int)arg_values_.size() ||
                IsReservedSyscall(sysno)) {
       // We only return ErrorCode values for the system calls that
       // are part of our test data. Every other system call remains
       // allowed.
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     } else {
       // ToErrorCode() turns an ArgValue object into an ErrorCode that is
       // suitable for use by a sandbox policy.
-      return ToErrorCode(arg_values_[sysno]);
+      return ToErrorCode(sandbox, arg_values_[sysno]);
     }
   }
 
   void VerifyFilter() {
     // Iterate over all system calls. Skip the system calls that have
     // previously been determined as being reserved.
     for (int sysno = 0; sysno < (int)arg_values_.size(); ++sysno) {
       if (!arg_values_[sysno]) {
         // Skip reserved system calls.
         continue;
@@ skipping 129 matching lines @@
         }
         delete[] arg_value->tests;
       }
       if (!arg_value->err) {
         DeleteArgValue(arg_value->arg_value);
       }
       delete arg_value;
     }
   }
 
-  ErrorCode ToErrorCode(ArgValue *arg_value) {
+  ErrorCode ToErrorCode(Sandbox *sandbox, ArgValue *arg_value) {
     // Compute the ErrorCode that should be returned, if none of our
     // tests succeed (i.e. the system call parameter doesn't match any
     // of the values in arg_value->tests[].k_value).
     ErrorCode err;
     if (arg_value->err) {
       // If this was a leaf node, return the errno value that we expect to
       // return from the BPF filter program.
       err = ErrorCode(arg_value->err);
     } else {
       // If this wasn't a leaf node yet, recursively descend into the rest
       // of the tree. This will end up adding a few more Sandbox::Cond()
       // tests to our ErrorCode.
-      err = ToErrorCode(arg_value->arg_value);
+      err = ToErrorCode(sandbox, arg_value->arg_value);
     }
 
     // Now, iterate over all the test cases that we want to compare against.
     // This builds a chain of Sandbox::Cond() tests
     // (aka "if ... elif ... elif ... elif ... fi")
     for (int n = arg_value->size; n-- > 0; ) {
       ErrorCode matched;
       // Again, we distinguish between leaf nodes and subtrees.
       if (arg_value->tests[n].err) {
         matched = ErrorCode(arg_value->tests[n].err);
       } else {
-        matched = ToErrorCode(arg_value->tests[n].arg_value);
+        matched = ToErrorCode(sandbox, arg_value->tests[n].arg_value);
       }
       // For now, all of our tests are limited to 32bit.
       // We have separate tests that check the behavior of 32bit vs. 64bit
       // conditional expressions.
-      err = Sandbox::Cond(arg_value->argno, ErrorCode::TP_32BIT,
+      err = sandbox->Cond(arg_value->argno, ErrorCode::TP_32BIT,
                           ErrorCode::OP_EQUAL, arg_value->tests[n].k_value,
                           matched, err);
     }
     return err;
   }
 
   void Verify(int sysno, intptr_t *args, const ArgValue& arg_value) {
     uint32_t mismatched = 0;
     // Iterate over all the k_values in arg_value.tests[] and verify that
     // we see the expected return values from system calls, when we pass
@@ skipping 47 matching lines @@
 
   // Don't increase these values. We are pushing the limits of the maximum
   // BPF program that the kernel will allow us to load. If the values are
   // increased too much, the test will start failing.
   static const int kNumIterations = 3;
   static const int kNumTestCases = 40;
   static const int kMaxFanOut = 3;
   static const int kMaxArgs = 6;
 };
 
-ErrorCode EqualityStressTestPolicy(int sysno, void *aux) {
-  return reinterpret_cast<EqualityStressTest *>(aux)->Policy(sysno);
+ErrorCode EqualityStressTestPolicy(Sandbox *sandbox, int sysno, void *aux) {
+  return reinterpret_cast<EqualityStressTest *>(aux)->Policy(sandbox, sysno);
 }
 
 BPF_TEST(SandboxBpf, EqualityTests, EqualityStressTestPolicy,
          EqualityStressTest /* BPF_AUX */) {
   BPF_AUX.VerifyFilter();
 }
 
-ErrorCode EqualityArgumentWidthPolicy(int sysno, void *) {
+ErrorCode EqualityArgumentWidthPolicy(Sandbox *sandbox, int sysno, void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
-    return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          0x55555555, ErrorCode(1), ErrorCode(2)),
            // The BPF compiler and the BPF interpreter in the kernel are
            // (mostly) agnostic of the host platform's word size. The compiler
            // will happily generate code that tests a 64bit value, and the
            // interpreter will happily perform this test.
            // But unless there is a kernel bug, there is no way for us to pass
            // in a 64bit quantity on a 32bit platform. The upper 32bits should
            // always be zero. So, this test should always evaluate as false on
            // 32bit systems.
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_EQUAL,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_EQUAL,
                          0x55555555AAAAAAAAULL, ErrorCode(1), ErrorCode(2)));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0x55555555) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0xAAAAAAAA) == -2);
 #if __SIZEOF_POINTER__ > 4
@@ skipping 13 matching lines @@
 // On 32bit machines, there is no way to pass a 64bit argument through the
 // syscall interface. So, we have to skip the part of the test that requires
 // 64bit arguments.
 BPF_DEATH_TEST(SandboxBpf, EqualityArgumentUnallowed64bit,
                DEATH_MESSAGE("Unexpected 64bit argument detected"),
                EqualityArgumentWidthPolicy) {
   SandboxSyscall(__NR_uname, 0, 0x5555555555555555ULL);
 }
 #endif
 
-ErrorCode EqualityWithNegativeArgumentsPolicy(int sysno, void *) {
+ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox *sandbox, int sysno,
+                                              void *) {
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
-    return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          0xFFFFFFFF, ErrorCode(1), ErrorCode(2));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, EqualityWithNegativeArguments,
          EqualityWithNegativeArgumentsPolicy) {
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, -1) == -1);
   BPF_ASSERT(SandboxSyscall(__NR_uname, -1LL) == -1);
 }
 
 #if __SIZEOF_POINTER__ > 4
 BPF_DEATH_TEST(SandboxBpf, EqualityWithNegative64bitArguments,
                DEATH_MESSAGE("Unexpected 64bit argument detected"),
                EqualityWithNegativeArgumentsPolicy) {
   // When expecting a 32bit system call argument, we look at the MSB of the
   // 64bit value and allow both "0" and "-1". But the latter is allowed only
   // iff the LSB was negative. So, this death test should error out.
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1);
 }
 #endif
 
-ErrorCode AllBitTestPolicy(int sysno, void *) {
+ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) {
   // Test the OP_HAS_ALL_BITS conditional test operator with a couple of
   // different bitmasks. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
-    return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x1,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x3,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+                         0x80000000,
+                         ErrorCode(1), ErrorCode(0)),
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
+                         0x0,
+                         ErrorCode(1), ErrorCode(0)),
+
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
+                         0x1,
+                         ErrorCode(1), ErrorCode(0)),
+
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
+                         0x3,
+                         ErrorCode(1), ErrorCode(0)),
+
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x80000000,
                          ErrorCode(1), ErrorCode(0)),
 
-           // All the following tests don't really make much sense on 32bit
-           // systems. They will always evaluate as false.
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x0,
-                         ErrorCode(1), ErrorCode(0)),
-
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x1,
-                         ErrorCode(1), ErrorCode(0)),
-
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x3,
-                         ErrorCode(1), ErrorCode(0)),
-
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x80000000,
-                         ErrorCode(1), ErrorCode(0)),
-
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x100000000ULL,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x300000000ULL,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x100000001ULL,
                          ErrorCode(1), ErrorCode(0)),
 
-                         Sandbox::Kill("Invalid test case number"))))))))))));
+                         sandbox->Kill("Invalid test case number"))))))))))));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 // Define a macro that performs tests using our test policy.
 // NOTE: Not all of the arguments in this macro are actually used!
 //       They are here just to serve as documentation of the conditions
 //       implemented in the test policy.
 //       Most notably, "op" and "mask" are unused by the macro. If you want
@@ skipping 112 matching lines @@
 
   // 64bit test: all of 0x100000001
   BITMASK_TEST(10,       0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS);
   BITMASK_TEST(10,         0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,                 -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS);
 }
 
-ErrorCode AnyBitTestPolicy(int sysno, void *) {
+ErrorCode AnyBitTestPolicy(Sandbox *sandbox, int sysno, void *) {
   // Test the OP_HAS_ANY_BITS conditional test operator with a couple of
   // different bitmasks. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
-    return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x1,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x3,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x80000000,
                          ErrorCode(1), ErrorCode(0)),
 
            // All the following tests don't really make much sense on 32bit
            // systems. They will always evaluate as false.
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x1,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x3,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x80000000,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x100000000ULL,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x300000000ULL,
                          ErrorCode(1), ErrorCode(0)),
 
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
-           Sandbox::Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
+           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x100000001ULL,
                          ErrorCode(1), ErrorCode(0)),
 
-                         Sandbox::Kill("Invalid test case number"))))))))))));
+                         sandbox->Kill("Invalid test case number"))))))))))));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, AnyBitTests, AnyBitTestPolicy) {
   // 32bit test: any of 0x0 (should always be false)
   BITMASK_TEST( 0,                   0, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                   1, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                   3, ANYBITS32,        0x0, EXPECT_FAILURE);
@@ skipping 112 matching lines @@
            "%s\n",
            args.nr,
            (long long)args.args[0],  (long long)args.args[1],
            (long long)args.args[2],  (long long)args.args[3],
            (long long)args.args[4],  (long long)args.args[5],
            msg);
   }
   return -EPERM;
 }
 
-ErrorCode PthreadPolicyEquality(int sysno, void *aux) {
+ErrorCode PthreadPolicyEquality(Sandbox *sandbox, int sysno, void *aux) {
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // The following policy is very strict. It only allows the exact masks
     // that we have seen in known implementations. It is probably somewhat
     // stricter than what we would want to do.
-    return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
                          CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|
                          CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
                          CLONE_THREAD|CLONE_SYSVSEM|CLONE_DETACHED,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
-                         Sandbox::Trap(PthreadTrapHandler, aux)));
-
+                         sandbox->Trap(PthreadTrapHandler, aux)));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
-ErrorCode PthreadPolicyBitMask(int sysno, void *aux) {
+ErrorCode PthreadPolicyBitMask(Sandbox *sandbox, int sysno, void *aux) {
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
   if (!Sandbox::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // The following policy allows for either combination of flags, but it
     // is generally a little more conservative than strictly necessary. We
     // err on the side of rather safe than sorry.
     // Very noticeably though, we disallow fork() (which is often just a
     // wrapper around clone()).
-    return Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          ~uint32(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
                                  CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|
                                  CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|
                                  CLONE_DETACHED),
-                         Sandbox::Trap(PthreadTrapHandler,
+                         sandbox->Trap(PthreadTrapHandler,
                                        "Unexpected CLONE_XXX flag found"),
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
                          CLONE_THREAD|CLONE_SYSVSEM,
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
-           Sandbox::Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
-                         Sandbox::Trap(PthreadTrapHandler,
+                         sandbox->Trap(PthreadTrapHandler,
                                        "Must set either all or none of the TLS"
                                        " and futex bits in call to clone()"),
                          ErrorCode(ErrorCode::ERR_ALLOWED))),
-                         Sandbox::Trap(PthreadTrapHandler,
+                         sandbox->Trap(PthreadTrapHandler,
                                        "Missing mandatory CLONE_XXX flags "
                                        "when creating new thread")));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 static void *ThreadFnc(void *arg) {
   ++*reinterpret_cast<int *>(arg);
   SandboxSyscall(__NR_futex, arg, FUTEX_WAKE, 1, 0, 0, 0);
@@ skipping 33 matching lines @@
 
 BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) {
   PthreadTest();
 }
 
 BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) {
   PthreadTest();
 }
 
 } // namespace