Linux sandbox: Restrict sched_* calls in the renderer policy.

content/common/sandbox_linux/bpf_renderer_policy_linux.cc

Index: content/common/sandbox_linux/bpf_renderer_policy_linux.cc
diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
index 86cef92cbe324bd18000b1301552ce292157e81e..20301938d6285b21a94caa3048a3a94600a4dc63 100644
--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc
@@ -43,16 +43,17 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {
     case __NR_mremap:  // See crbug.com/149834.
     case __NR_pread64:
     case __NR_pwrite64:
-    case __NR_sched_getaffinity:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
-    case __NR_sched_getparam:
-    case __NR_sched_getscheduler:
-    case __NR_sched_setscheduler:
     case __NR_sysinfo:
     case __NR_times:
     case __NR_uname:
       return Allow();
+    case __NR_sched_getaffinity:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+      return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
     case __NR_prlimit64:
       return Error(EPERM);  // See crbug.com/160157.
     default: