[Android] Define a baseline seccomp-bpf sandbox policy.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

Index: sandbox/linux/seccomp-bpf/sandbox_bpf.cc
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index 6b2327e5452e131c3d054538f933e92f4604b56a..2e2c565c3b4e7bf3104c2423430ca88501f30d23 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -95,6 +95,7 @@ void TryVsyscallProcess(void) {
 }
 
 bool IsSingleThreaded(int proc_fd) {
+  return true;

[Robert Sesek, 2014/03/05 18:27:54]

Obviously these cannot go in as-is. I can see three options here:

1) Put this behind a flag. We want seccomp-bpf on Android behind a flag, but I'm
not sure where to put this flag since it would need to be accessed by both
//content/ and //sandbox/.

2) Just use #if defined(OS_ANDROID)

3) Use the expected prctl() tests for the threadgroup synchronization presence
in the kernel, and only call IssingleThreaded() if that test fails.

[jln (very slow on Chromium), 2014/03/07 01:30:30]

Yes, the sandbox:: seccomp-bpf class should support a StartSandboxWithThreads()
that uses the new prctl flag and disables these checks.

Later, we'll indeed probably want to simply detect if that flag is available and
use it automatically in StartSandbox().

In  your test, you did patch the prctl flag in, right? i.e. you're sure that
everything has been tested with the sandbox being applied to all threads?

[Robert Sesek, 2014/03/25 21:57:17]

OK I'll work on that, then. How do you think SupportsSeccompSandobx() should
work, then? It internally fork()s which seems like a bad thing to do as a
generic interface when we know we're multithreaded. But I don't know how else we
should test for the seccomp extensions.
Yes, I have the kernel patches applied to my AOSP build.

[jln (very slow on Chromium), 2014/03/31 19:22:32]

We could have StartSandboxWithThreads() return a bool, depending on whether or
not it managed to start.
For consistency we could change StartSandbox() in a similar way and just make
sure that the existing callers CHECK().

[Robert Sesek, 2014/03/31 19:45:50]

OK, that's also what I was thinking, though probably return SandboxStatus
instead of bool. I'll do that in another CL and make this one just about landing
the Android policy, which I'll also move to //content, per your suggestion.

   if (proc_fd < 0) {
     // Cannot determine whether program is single-threaded. Hope for
     // the best...
@@ -253,6 +254,7 @@ bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
 bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
                                      EvaluateSyscall syscall_evaluator,
                                      void* aux) {
+  return true;
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
   sigset_t old_mask, new_mask;