[Android] Define a baseline seccomp-bpf sandbox policy.

content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h

Index: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
new file mode 100644
index 0000000000000000000000000000000000000000..0eaa6b56d7449adee55f84f70178f4b12acb1942
--- /dev/null
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h
@@ -0,0 +1,32 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_
+#define CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_
+
+#include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+
+namespace content {
+
+// This class builds on top of the generic Linux baseline policy to reduce
+// Linux kernel attack surface. It augments the list of allowed syscalls to
+// allow ones required by the Android runtime.
+class SandboxBPFBasePolicyAndroid : public SandboxBPFBasePolicy {
+ public:
+  SandboxBPFBasePolicyAndroid();
+  virtual ~SandboxBPFBasePolicyAndroid();
+
+  // sandbox::SandboxBPFPolicy:
+  virtual sandbox::ErrorCode EvaluateSyscall(
+      sandbox::SandboxBPF* sandbox_compiler,
+      int system_call_number) const OVERRIDE;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(SandboxBPFBasePolicyAndroid);
+};
+
+}  // namespace content
+
+#endif  // CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_