Linux sandbox: Allow restricting sched_* on other processes.

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
index 94c233388d70750d4a8a2a174cf9ce5306645633..35ee88bb956228cb0fba1032425fded2866e2c7b 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -29,6 +29,7 @@
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/services/linux_syscalls.h"
 
 #if defined(OS_ANDROID)
 
@@ -264,4 +265,26 @@ ResultExpr RestrictClockID() {
              Allow()).Else(CrashSIGSYS());
 }
 
+ResultExpr RestrictSchedTarget(pid_t target_pid, int sysno) {
+  switch (sysno) {
+    case __NR_sched_getaffinity:
+    case __NR_sched_getattr:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_rr_get_interval:
+    case __NR_sched_setaffinity:
+    case __NR_sched_setattr:
+    case __NR_sched_setparam:
+    case __NR_sched_setscheduler: {
+      const Arg<pid_t> pid(0);
+      return If(pid == 0 || pid == target_pid, Allow())
+          .Else(RewriteSchedSIGSYS());
+    }
+    default:
+      NOTREACHED();
+      return CrashSIGSYS();
+  }
+}
+
+
 }  // namespace sandbox.