Linux Sandbox: whitelist arm64 syscalls

sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc

Index: sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
index c217d47e2d65deec27aedbf39bc429f28d2c38ff..704762589fb4d2185398461743cfe2a26741442a 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -414,6 +414,7 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
     case __NR_epoll_create:
     case __NR_epoll_wait:
 #endif
+    case __NR_epoll_pwait:

[jln (very slow on Chromium), 2016/01/27 00:19:17]

Why does ARM64 influence this?

[Riku Voipio, 2016/01/27 15:37:27]

The glibc function epoll_wait() will call epoll_pwait() syscall on arm64 since
epoll_wait is a legacy syscall that doesn't exist on arm64.

     case __NR_epoll_create1:
     case __NR_epoll_ctl:
       return true;
@@ -421,7 +422,6 @@ bool SyscallSets::IsAllowedEpoll(int sysno) {
 #if defined(__x86_64__)
     case __NR_epoll_ctl_old:
 #endif
-    case __NR_epoll_pwait:
 #if defined(__x86_64__)
     case __NR_epoll_wait_old:
 #endif
@@ -606,6 +606,8 @@ bool SyscallSets::IsAllowedBasicScheduler(int sysno) {
     case __NR_sched_yield:
 #if !defined(__aarch64__)
     case __NR_pause:
+#else
+    case __NR_getrlimit:

[jln (very slow on Chromium), 2016/01/27 00:19:17]

getrlimit is already somewhere else in this file. The general policy is that
this file splits system calls into disjoint sets.

If one really decides to allow getrlimit, this should be a baseline policy
change.

[Riku Voipio, 2016/01/27 15:37:27]

Thanks, this was the part of my patches I was most uncomfortable with.

Following the backtrace in previous mail, does it warrant a change in baseline
policy?

Further tests show that even on arm64/linux chromium works sandboxed without
calling getrlimit(), if the opengl stack is available. If it isn't - due to
using X via ssh -X or because vendor opengl driver are crap, chromium will crash
on the seccomp error on start.

[Robert Sesek, 2016/01/27 16:52:31]

An alternative if we wanted to keep restricting getrlimit would be to cache the
result of base::GetMaxFds() (or base::SharedMemory::GetHandleLimit() which is
calling that function), and then ensure the value is cached as part of sandbox
warmup.

 #endif
     case __NR_nanosleep:
       return true;
@@ -713,8 +715,7 @@ bool SyscallSets::IsMessageQueue(int sysno) {
 bool SyscallSets::IsGlobalProcessEnvironment(int sysno) {
   switch (sysno) {
     case __NR_acct:  // Privileged.
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
-    defined(__aarch64__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     case __NR_getrlimit:
 #endif
 #if defined(__i386__) || defined(__arm__)