[Android] Fix Microdump generation when Seccomp-BPF is enabled.

content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc

Index: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
index c3b1605fc7dc6f091ae5456aad0371bcf2ee7c1a..0550b0d810ee5dbcf41164b0397231f1c78834fd 100644
--- a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.cc
@@ -4,17 +4,28 @@
 
 #include "content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h"
 
+#include <linux/net.h>
+#include <sys/socket.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 
+using sandbox::bpf_dsl::AllOf;
 using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::AnyOf;
+using sandbox::bpf_dsl::Arg;
+using sandbox::bpf_dsl::If;
+using sandbox::bpf_dsl::Error;
 using sandbox::bpf_dsl::ResultExpr;
 
 namespace content {
 
+#ifndef SOCK_TYPE_MASK
+#define SOCK_TYPE_MASK 0xf
+#endif
+
 SandboxBPFBasePolicyAndroid::SandboxBPFBasePolicyAndroid()
     : SandboxBPFBasePolicy() {}
 
@@ -30,8 +41,10 @@ ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const {
     case __NR_flock:
 #if defined(__x86_64__) || defined(__aarch64__)
     case __NR_newfstatat:
+    case __NR_getdents64:
 #elif defined(__i386__) || defined(__arm__) || defined(__mips__)
     case __NR_fstatat64:
+    case __NR_getdents:
 #endif
     case __NR_getpriority:
     case __NR_ioctl:
@@ -56,10 +69,29 @@ ResultExpr SandboxBPFBasePolicyAndroid::EvaluateSyscall(int sysno) const {
     case __NR_getrlimit:
 #endif
     case __NR_uname:
+
+    // Permit socket operations so that renderers can connect to logd and
+    // debuggerd. The arguments to socket() are further restricted below.
+    case __NR_socket:
+    case __NR_connect:
+
+    // Ptrace is allowed so the Breakpad Microdumper can fork in a renderer
+    // and then ptrace the parent.
+    case __NR_ptrace:
       override_and_allow = true;
       break;
   }
 
+  if (sysno == __NR_socket) {
+    const Arg<int> domain(0);
+    const Arg<int> type(1);
+    return If(AllOf(AnyOf(domain == PF_LOCAL, domain == PF_UNIX),

[mdempsky, 2016/02/05 20:14:02]

Nit: Unless Android is goofy, I would just check for "domain == AF_UNIX". 
AF_UNIX is the POSIX standardized name; the PF_* and AF_* names are equivalent
on Linux; and AF_UNIX and AF_LOCAL are synonyms too.

Also, maybe check that "protocol == 0".

[Robert Sesek, 2016/02/05 21:27:06]

Android isn't goofy, IMO PF is more semantically correct for socket(), AF is for
sockaddrs. But just limited to AF_UNIX for readability. Also check protocol==0.

[mdempsky, 2016/02/05 22:56:55]

Agreed that historically PF was more semantically correct here, but POSIX
decided to only standardize the AF_* names.

+                    AnyOf((type & SOCK_TYPE_MASK) == SOCK_DGRAM,

[mdempsky, 2016/02/05 20:14:02]

Any opinions on writing this instead as:

  const int kSockFlags = SOCK_CLOEXEC | SOCK_NONBLOCK;
  ...
  (type & ~kSockFlags) == SOCK_DGRAM || (type & ~kSockFlags) == SOCK_NONBLOCK

?

[Robert Sesek, 2016/02/05 21:27:06]

I like that. Prevent extra bits being set.

+                          (type & SOCK_TYPE_MASK) == SOCK_STREAM)),
+              Allow())
+           .Else(Error(EPERM));
+  }
+
   if (override_and_allow)
     return Allow();