mandoline: lock down the linux sandbox more.

mojo/runner/linux_sandbox.cc

Index: mojo/runner/linux_sandbox.cc
diff --git a/mojo/runner/linux_sandbox.cc b/mojo/runner/linux_sandbox.cc
index fb6af970bd89b26e26b85410a965aa8262efbd17..9f37a7e8a2ad2e555101af181070b6039728f69c 100644
--- a/mojo/runner/linux_sandbox.cc
+++ b/mojo/runner/linux_sandbox.cc
@@ -14,6 +14,7 @@
 #include "base/sys_info.h"
 #include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/bpf_dsl/trap_registry.h"
+#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
@@ -62,7 +63,7 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
   }
 }
 
-class SandboxPolicy : public sandbox::bpf_dsl::Policy {
+class SandboxPolicy : public sandbox::BaselinePolicy {
  public:
   explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process)
       : broker_process_(broker_process) {}
@@ -77,9 +78,14 @@ class SandboxPolicy : public sandbox::bpf_dsl::Policy {
       case __NR_faccessat:
       case __NR_openat:
         return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
+      case __NR_ftruncate:
+      case __NR_getrlimit:
+      case __NR_sched_getaffinity:
+      case __NR_uname:
+        return sandbox::bpf_dsl::Allow();

[rickyz (no longer on Chrome), 2015/08/31 20:42:42]

ftruncate/getrlimit/uname look fine - for sched_getaffinity, we have a helper
that restricts it to being called on the current PID or TID:
https://code.google.com/p/chromium/codesearch#chromium/src/content/common/san...

This is kind of an extra layer to make sure that one process cannot mess with
another process (though this isn't really strictly necessary anymore now that
each process is in its own PID namespace).

     }
 
-    return sandbox::bpf_dsl::Allow();
+    return BaselinePolicy::EvaluateSyscall(sysno);
   }
 
  private: