Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
index 3380cc851e09052da1236eae00422f710918d180..5b8badf8300d7fb9744bc4c12698181db9749805 100644 |
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
@@ -32,13 +32,13 @@ bool IsBaselinePolicyAllowed(int sysno) { |
SyscallSets::IsAllowedBasicScheduler(sysno) || |
SyscallSets::IsAllowedEpoll(sysno) || |
SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) || |
+ SyscallSets::IsAllowedFutex(sysno) || |
SyscallSets::IsAllowedGeneralIo(sysno) || |
SyscallSets::IsAllowedGetOrModifySocket(sysno) || |
SyscallSets::IsAllowedGettime(sysno) || |
SyscallSets::IsAllowedPrctl(sysno) || |
SyscallSets::IsAllowedProcessStartOrDeath(sysno) || |
SyscallSets::IsAllowedSignalHandling(sysno) || |
- SyscallSets::IsFutex(sysno) || |
SyscallSets::IsGetSimpleId(sysno) || |
SyscallSets::IsKernelInternalApi(sysno) || |
#if defined(__arm__) |
@@ -121,6 +121,9 @@ ErrorCode EvaluateSyscallImpl(int fs_denied_errno, |
return RestrictFcntlCommands(sandbox); |
#endif |
+ if (sysno == __NR_futex) |
+ return RestrictFutex(sandbox); |
+ |
if (sysno == __NR_madvise) { |
// Only allow MADV_DONTNEED (aka MADV_FREE). |
return sandbox->Cond(2, ErrorCode::TP_32BIT, |