Linux sandbox: restrict setpriority() in baseline policy.

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 4ccacdb30ef3351e3a59e899a0e5db1c3f38302f..2a4dbcb0a45d0b85344ba2cbb1eb4914d30eaade 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -14,7 +14,9 @@
 #include <sys/ioctl.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
+#include <sys/resource.h>
 #include <sys/stat.h>
+#include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
 
@@ -242,4 +244,12 @@ ResultExpr RestrictFutex() {
       .Default(CrashSIGSYSFutex());
 }
 
+ResultExpr RestrictGetSetpriority(pid_t target_pid) {
+  const Arg<int> which(0);
+  const Arg<int> who(1);
+  return If(which == PRIO_PROCESS,
+            If(who == 0 || who == target_pid, Allow()).Else(Error(EPERM)))
+      .Else(CrashSIGSYS());
+}
+
 }  // namespace sandbox.