Non-SFI NaCl: Disallow futex call without FUTEX_PRIVATE_FLAG

components/nacl/loader/nonsfi/nonsfi_sandbox.cc

Index: components/nacl/loader/nonsfi/nonsfi_sandbox.cc
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
index 260dd7509331d5ecbc5431f6bb24386f8e8c5cd7..a6664a321d87347afb60ace1e692d0ff776aefc2 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
@@ -6,6 +6,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <linux/futex.h>
 #include <linux/net.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ -35,6 +36,20 @@ namespace nacl {
 namespace nonsfi {
 namespace {
 
+ErrorCode RestrictFutexCommands(SandboxBPF* sb) {
+  // For now, we allow non-PRIVATE FUTEX_WAIT for lll_wait_tid in
+  // glibc's pthread_join.
+  // TODO(hamaji): Disallow FUTEX_WAIT by switching to newlib or
+  // detaching threads.
+  return sb->Cond(1, ErrorCode::TP_32BIT,
+                  ErrorCode::OP_EQUAL, FUTEX_WAIT,
+                  ErrorCode(ErrorCode::ERR_ALLOWED),
+         sb->Cond(1, ErrorCode::TP_32BIT,
+                  ErrorCode::OP_HAS_ALL_BITS, FUTEX_PRIVATE_FLAG,
+                  ErrorCode(ErrorCode::ERR_ALLOWED),
+         sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)));
+}
+
 ErrorCode RestrictFcntlCommands(SandboxBPF* sb) {
   ErrorCode::ArgType mask_long_type;
   if (sizeof(long) == 8) {
@@ -226,8 +241,6 @@ ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl(
 #elif defined(__x86_64__)
     case __NR_fstat:
 #endif
-    // TODO(hamaji): Allow only FUTEX_PRIVATE_FLAG.
-    case __NR_futex:
     // TODO(hamaji): Remove the need of gettid. Currently, this is
     // called from PlatformThread::CurrentId().
     case __NR_gettid:
@@ -263,6 +276,9 @@ ErrorCode NaClNonSfiBPFSandboxPolicy::EvaluateSyscallImpl(
 #endif
       return RestrictFcntlCommands(sb);
 
+    case __NR_futex:
+      return RestrictFutexCommands(sb);
+
 #if defined(__x86_64__)
     case __NR_mmap:
 #endif