mandoline: lock down the linux sandbox more.

mojo/runner/linux_sandbox.cc

Index: mojo/runner/linux_sandbox.cc
diff --git a/mojo/runner/linux_sandbox.cc b/mojo/runner/linux_sandbox.cc
index fb6af970bd89b26e26b85410a965aa8262efbd17..6990f0acea51f7ce5688b9a428d7b0c5dc0f8c5c 100644
--- a/mojo/runner/linux_sandbox.cc
+++ b/mojo/runner/linux_sandbox.cc
@@ -14,7 +14,9 @@
 #include "base/sys_info.h"
 #include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/bpf_dsl/trap_registry.h"
+#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/credentials.h"
@@ -62,7 +64,7 @@ intptr_t SandboxSIGSYSHandler(const struct sandbox::arch_seccomp_data& args,
   }
 }
 
-class SandboxPolicy : public sandbox::bpf_dsl::Policy {
+class SandboxPolicy : public sandbox::BaselinePolicy {
  public:
   explicit SandboxPolicy(sandbox::syscall_broker::BrokerProcess* broker_process)
       : broker_process_(broker_process) {}
@@ -77,9 +79,15 @@ class SandboxPolicy : public sandbox::bpf_dsl::Policy {
       case __NR_faccessat:
       case __NR_openat:
         return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
+      case __NR_sched_getaffinity:
+        return sandbox::RestrictSchedTarget(policy_pid(), sysno);
+      case __NR_ftruncate:
+      case __NR_getrlimit:
+      case __NR_uname:
+        return sandbox::bpf_dsl::Allow();
     }
 
-    return sandbox::bpf_dsl::Allow();
+    return BaselinePolicy::EvaluateSyscall(sysno);
   }
 
  private: