Linux sandbox: Restrict sched_* and ioprio_* calls in the cros arm GPU policy.

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <fcntl.h>
 #include <linux/futex.h>
@@ skipping 231 matching lines @@
 }
 
 ResultExpr RestrictGetSetpriority(pid_t target_pid) {
   const Arg<int> which(0);
   const Arg<int> who(1);
   return If(which == PRIO_PROCESS,
             If(who == 0 || who == target_pid, Allow()).Else(Error(EPERM)))
       .Else(CrashSIGSYS());
 }
 
+ResultExpr RestrictIoPrioGetSet(pid_t target_pid) {
+  const Arg<int> which(0);
+  const Arg<int> who(1);
+  return If(which == PRIO_PROCESS,
+            If(who == 0 || who == target_pid, Allow()).Else(Error(EPERM)))

[jln (very slow on Chromium), 2014/10/09 00:31:24]

No case spotted of who == gettid() ?

That's good news. Did you get any sense of what wraps these calls in practice?
Could they be directly used by a GPU driver?
If we don't feel confident it can't happen, I wonder if we shouldn't have a
SIGSYS again here to support this case.

+      .Else(CrashSIGSYS());
+}
+
 ResultExpr RestrictClockID() {
   COMPILE_ASSERT(4 == sizeof(clockid_t), clockid_is_not_32bit);
   const Arg<clockid_t> clockid(0);
   return If(
 #if defined(OS_CHROMEOS)
              // Allow the special clock for Chrome OS used by Chrome tracing.
              clockid == base::TimeTicks::kClockSystemTrace ||
 #endif
                  clockid == CLOCK_MONOTONIC ||
                  clockid == CLOCK_PROCESS_CPUTIME_ID ||
@@ skipping 18 matching lines @@
           .Else(RewriteSchedSIGSYS());
     }
     default:
       NOTREACHED();
       return CrashSIGSYS();
   }
 }
 
 
 }  // namespace sandbox.