[Android] Define a baseline seccomp-bpf sandbox policy.

sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h

Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h
new file mode 100644
index 0000000000000000000000000000000000000000..9d45c84c595e868c380108e0e49bbae53ac93d81
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h
@@ -0,0 +1,33 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_ANDROID_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_ANDROID_H_
+
+#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+
+namespace sandbox {
+
+class SandboxBPF;
+
+// This class builds on top of the generic Linux baseline policy to reduce
+// Linux kernel attack surface. It augments the list of allowed syscalls to
+// allow ones required by the Android runtime.
+class BaselinePolicyAndroid : public BaselinePolicy {
+ public:
+  BaselinePolicyAndroid();
+  virtual ~BaselinePolicyAndroid();
+
+  // SandboxBPFPolicy:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
+                                    int system_call_number) const OVERRIDE;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(BaselinePolicyAndroid);
+};
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_ANDROID_H_