Linux sandbox: Disallow get_robust_list and set_robust_list.

Linux sandbox: Disallow get_robust_list and set_robust_list.

These are only used for futexes that are shared between processes, which should not be happening in Chromium.
BUG=413855
Committed: https://crrev.com/a75e8729dc917c0089a725e67fa2e9feaec0baef
Cr-Commit-Position: refs/heads/master@{#294986}

[rickyz (no longer on Chrome), 2014-09-15 22:36:32]

rickyz@chromium.org changed reviewers:
+ jln@chromium.org

[rickyz (no longer on Chrome), 2014-09-15 22:37:24]

On 2014/09/15 22:36:32, rickyz wrote:
> mailto:rickyz@chromium.org changed reviewers:
> + mailto:jln@chromium.org

Hey Mark, Julien suggested CCing you since you're familiar with futex - does
this look safe to remove to you?

[Mark Seaborn, 2014-09-15 22:44:58]

Nit: Fix "anywher" typo in commit message.  LGTM if the trybots pass, which I
expect they will.

We could also restrict set_robust_list.  glibc calls it, but we can turn it into
a no-op that returns 0 or an error.  It's only used for releasing futexes that
are shared between processes, and I don't think Chromium uses futexes like that.

[rickyz (no longer on Chrome), 2014-09-15 23:10:13]

On 2014/09/15 22:44:58, Mark Seaborn wrote:
> Nit: Fix "anywher" typo in commit message.  LGTM if the trybots pass, which I
> expect they will.
> 
> We could also restrict set_robust_list.  glibc calls it, but we can turn it
into
> a no-op that returns 0 or an error.  It's only used for releasing futexes that
> are shared between processes, and I don't think Chromium uses futexes like
that.

Ah, that's useful to know, thanks!  I changed to policy to make set_robust_list
return EPERM - it looks like glibc is OK with the error like you mentioned, and
bionic libc doesn't call this at all.

[jln (very slow on Chromium), 2014-09-15 23:36:12]

Excellent improvement, lgtm!

[jln (very slow on Chromium), 2014-09-15 23:37:47]

https://chromiumcodereview.appspot.com/569713004/diff/20001/sandbox/linux/sec...
File sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc (right):

https://chromiumcodereview.appspot.com/569713004/diff/20001/sandbox/linux/sec...
sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc:406: return false;
Can you put __NR_get_robust_list here (before default:) ?

The untold rule of this file is that we're making sure to list every syscalls
here. That way people can easily see that we don't consider get_robust_list an
allowed futex operation.

[rickyz (no longer on Chrome), 2014-09-16 01:02:50]

The CQ bit was checked by rickyz@chromium.org

[commit-bot: I haz the power, 2014-09-16 01:11:31]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patchset/569713004/40001

[commit-bot: I haz the power, 2014-09-16 02:29:14]

Committed patchset #3 (id:40001) as a6ecc06d91e8faea4ce3c6d2fe93ff4515385410

[commit-bot: I haz the power, 2014-09-16 02:33:07]

Patchset 3 (id:??) landed as
https://crrev.com/a75e8729dc917c0089a725e67fa2e9feaec0baef
Cr-Commit-Position: refs/heads/master@{#294986}