Linux Sandbox: whitelist arm64 syscalls

mojo/shell/runner/host/linux_sandbox.cc

Index: mojo/shell/runner/host/linux_sandbox.cc
diff --git a/mojo/shell/runner/host/linux_sandbox.cc b/mojo/shell/runner/host/linux_sandbox.cc
index 545511e0c14ab337d22633da262f5e6c3e1dbaee..1142cb8b6b2cd4c7b66152d55cf5b998136d956e 100644
--- a/mojo/shell/runner/host/linux_sandbox.cc
+++ b/mojo/shell/runner/host/linux_sandbox.cc
@@ -77,15 +77,18 @@ class SandboxPolicy : public sandbox::BaselinePolicy {
   sandbox::bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override {
     // This policy is only advisory/for noticing FS access for the moment.
     switch (sysno) {
+#if !defined(__aarch64__)

[Elliot Glaysher, 2016/02/11 18:39:05]

So I'm not an expert on this, but doesn't this mean that access() and open() are
now allowed inside the sandbox on aarch64? (Instead of trapping and sending to
the broker.)

[mdempsky, 2016/02/11 18:48:13]

__NR_access and __NR_open don't exist on ARM64.  The userspace access() and
open() functions use the generic faccessat and openat system calls.

       case __NR_access:
       case __NR_open:
+#endif
       case __NR_faccessat:
       case __NR_openat:
         return sandbox::bpf_dsl::Trap(SandboxSIGSYSHandler, broker_process_);
       case __NR_sched_getaffinity:
         return sandbox::RestrictSchedTarget(policy_pid(), sysno);
       case __NR_ftruncate:
-#if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
       // Per #ifdefs in
       // content/common/sandbox_linux/bpf_renderer_policy_linux.cc
       case __NR_getrlimit: