Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc |
=================================================================== |
--- sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc (revision 275489) |
+++ sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc (working copy) |
@@ -32,13 +32,13 @@ |
SyscallSets::IsAllowedBasicScheduler(sysno) || |
SyscallSets::IsAllowedEpoll(sysno) || |
SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) || |
+ SyscallSets::IsAllowedFutex(sysno) || |
SyscallSets::IsAllowedGeneralIo(sysno) || |
SyscallSets::IsAllowedGetOrModifySocket(sysno) || |
SyscallSets::IsAllowedGettime(sysno) || |
SyscallSets::IsAllowedPrctl(sysno) || |
SyscallSets::IsAllowedProcessStartOrDeath(sysno) || |
SyscallSets::IsAllowedSignalHandling(sysno) || |
- SyscallSets::IsFutex(sysno) || |
SyscallSets::IsGetSimpleId(sysno) || |
SyscallSets::IsKernelInternalApi(sysno) || |
#if defined(__arm__) |
@@ -111,6 +111,9 @@ |
} |
#endif |
+ if (sysno == __NR_futex) |
+ return RestrictFutex(sandbox); |
+ |
if (sysno == __NR_madvise) { |
// Only allow MADV_DONTNEED (aka MADV_FREE). |
return sandbox->Cond(2, ErrorCode::TP_32BIT, |