Linux sandbox: Restrict sched_* and ioprio_* calls in the cros arm GPU policy.

content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc

Index: content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
diff --git a/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
index 4e54b5effb64671a15baa53336314827e09bf516..afb347406fd70239c1ff16f62b45203276835f73 100644
--- a/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
@@ -22,6 +22,7 @@
 #include "build/build_config.h"
 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
@@ -151,10 +152,23 @@ ResultExpr CrosArmGpuProcessPolicy::EvaluateSyscall(int sysno) const {
       return If(domain == AF_UNIX, Allow()).Else(Error(EPERM));
     }
 #endif  // defined(__arm__)
+    case __NR_ioprio_get:  // IO scheduler.
+    case __NR_ioprio_set:
+      return sandbox::RestrictIoPrioGetSet(GetPolicyPid());
+    case __NR_sched_get_priority_max:
+    case __NR_sched_get_priority_min:
+      return Allow();
+    case __NR_sched_getaffinity:
+    case __NR_sched_getattr:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_rr_get_interval:
+    case __NR_sched_setaffinity:
+    case __NR_sched_setattr:
+    case __NR_sched_setparam:
+    case __NR_sched_setscheduler:
+      return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
     default:
-      if (SyscallSets::IsAdvancedScheduler(sysno))
-        return Allow();
-
       // Default to the generic GPU policy.
       return GpuProcessPolicy::EvaluateSyscall(sysno);
   }