Reland: Non-SFI NaCl: Allow CLOCK_SYSTEM_TRACE on Chrome OS

components/nacl/loader/nonsfi/nonsfi_sandbox.cc

Index: components/nacl/loader/nonsfi/nonsfi_sandbox.cc
diff --git a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
index 7ffb20e68b16160997ee7190b612eaaad7b08a6f..ff17c62cb170453fd4daf456e00b6999ab926731 100644
--- a/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
+++ b/components/nacl/loader/nonsfi/nonsfi_sandbox.cc
@@ -15,6 +15,7 @@
 
 #include "base/basictypes.h"
 #include "base/logging.h"
+#include "base/time/time.h"
 #include "build/build_config.h"
 #include "content/public/common/sandbox_init.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
@@ -80,19 +81,26 @@ ErrorCode RestrictClockID(SandboxBPF* sb) {
   // returned by {clock,pthread}_getcpuclockid), which can leak information
   // about the state of the host OS.
   COMPILE_ASSERT(4 == sizeof(clockid_t), clockid_is_not_32bit);
-  return sb->Cond(0, ErrorCode::TP_32BIT,
-                  ErrorCode::OP_EQUAL, CLOCK_MONOTONIC,
-                  ErrorCode(ErrorCode::ERR_ALLOWED),
-         sb->Cond(0, ErrorCode::TP_32BIT,
-                  ErrorCode::OP_EQUAL, CLOCK_PROCESS_CPUTIME_ID,
-                  ErrorCode(ErrorCode::ERR_ALLOWED),
-         sb->Cond(0, ErrorCode::TP_32BIT,
-                  ErrorCode::OP_EQUAL, CLOCK_REALTIME,
-                  ErrorCode(ErrorCode::ERR_ALLOWED),
-         sb->Cond(0, ErrorCode::TP_32BIT,
-                  ErrorCode::OP_EQUAL, CLOCK_THREAD_CPUTIME_ID,
-                  ErrorCode(ErrorCode::ERR_ALLOWED),
-         sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))));
+  ErrorCode result = sb->Cond(0, ErrorCode::TP_32BIT,
+                              ErrorCode::OP_EQUAL, CLOCK_MONOTONIC,
+                              ErrorCode(ErrorCode::ERR_ALLOWED),
+                     sb->Cond(0, ErrorCode::TP_32BIT,
+                              ErrorCode::OP_EQUAL, CLOCK_PROCESS_CPUTIME_ID,
+                              ErrorCode(ErrorCode::ERR_ALLOWED),
+                     sb->Cond(0, ErrorCode::TP_32BIT,
+                              ErrorCode::OP_EQUAL, CLOCK_REALTIME,
+                              ErrorCode(ErrorCode::ERR_ALLOWED),
+                     sb->Cond(0, ErrorCode::TP_32BIT,
+                              ErrorCode::OP_EQUAL, CLOCK_THREAD_CPUTIME_ID,
+                              ErrorCode(ErrorCode::ERR_ALLOWED),
+                     sb->Trap(sandbox::CrashSIGSYS_Handler, NULL)))));
+#if defined(OS_CHROMEOS)

[jln (very slow on Chromium), 2014/06/05 17:56:15]

If you prefer, we could do this unconditionally.

I don't think we care much about non-ChromeOS Linux since this feature won't run
there. It's also probably not a big security risk, even if that clockid gets
reused for something else.

[hamaji, 2014/06/05 18:21:02]

Hmm. I'd prefer having this as removing this would not reduce complexity of the
unittest much (the complex code is in defined(OS_CHROMEOS).

Also, I'd like not to make unnecessary logic change in a retrial of a reverted
change. If you don't like this #if, please let me remove this in a separate
change.

+  // Allow the special clock for Chrome OS used by Chrome tracing.
+  result = sb->Cond(0, ErrorCode::TP_32BIT,
+                    ErrorCode::OP_EQUAL, base::TimeTicks::kClockSystemTrace,
+                    ErrorCode(ErrorCode::ERR_ALLOWED), result);
+#endif
+  return result;
 }
 
 ErrorCode RestrictClone(SandboxBPF* sb) {