Instead of outputting one BPF check per possible system call. Coalesce

sandbox/linux/seccomp-bpf/sandbox_bpf.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_BPF_H__
 #define SANDBOX_BPF_H__
 
 #include <endian.h>
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 15 matching lines @@
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/shm.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/uio.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include <algorithm>
+#include <limits>
 #include <utility>
 #include <vector>
 
 #ifndef SECCOMP_BPF_STANDALONE
 #include "base/basictypes.h"
 #include "base/eintr_wrapper.h"
 #include "base/logging.h"
 #endif
 
 // The Seccomp2 kernel ABI is not part of older versions of glibc.
@@ skipping 18 matching lines @@
 #define SECCOMP_RET_ALLOW   0x7fff0000U  // Allow
 #define SECCOMP_RET_ACTION  0xffff0000U  // Masks for the return value
 #define SECCOMP_RET_DATA    0x0000ffffU  //   sections
 #endif
 #define SECCOMP_DENY_ERRNO  EPERM
 #ifndef SYS_SECCOMP
 #define SYS_SECCOMP                   1
 #endif
 
 #if defined(__i386__)
-#define MIN_SYSCALL  0
-#define MAX_SYSCALL  1024
+#define MIN_SYSCALL  0u
+#define MAX_SYSCALL  1024u
 #define SECCOMP_ARCH AUDIT_ARCH_I386
 #define REG_RESULT   REG_EAX
 #define REG_SYSCALL  REG_EAX
 #define REG_PARM1    REG_EBX
 #define REG_PARM2    REG_ECX
 #define REG_PARM3    REG_EDX
 #define REG_PARM4    REG_ESI
 #define REG_PARM5    REG_EDI
 #define REG_PARM6    REG_EBP
 #elif defined(__x86_64__)
-#define MIN_SYSCALL  0
-#define MAX_SYSCALL  1024
+#define MIN_SYSCALL  0u
+#define MAX_SYSCALL  1024u
 #define SECCOMP_ARCH AUDIT_ARCH_X86_64
 #define REG_RESULT   REG_RAX
 #define REG_SYSCALL  REG_RAX
 #define REG_PARM1    REG_RDI
 #define REG_PARM2    REG_RSI
 #define REG_PARM3    REG_RDX
 #define REG_PARM4    REG_R10
 #define REG_PARM5    REG_R8
 #define REG_PARM6    REG_R9
 #else
@@ skipping 125 matching lines @@
       // notice and file a bug...
       syscall(__NR_exit_group, 1);
       _exit(1);
     }
   }
 
   // Get a file descriptor pointing to "/proc", if currently available.
   static int getProcFd() { return proc_fd_; }
 
  private:
+  struct Range {
+    Range(uint32_t f, uint32_t t, ErrorCode e) :
+      from(f),
+      to(t),
+      err(e) {
+    }
+    uint32_t  from, to;
+    ErrorCode err;
+  };
+  typedef std::vector<Range> Ranges;
+  typedef std::vector<struct sock_filter> Program;
+
   static ErrorCode probeEvaluator(int signo);
   static bool      kernelSupportSeccompBPF(int proc_fd);
-
-  static bool    isSingleThreaded(int proc_fd);
-  static bool    disableFilesystem();
-  static void    installFilter();
-  static void    sigSys(int nr, siginfo_t *info, void *void_context);
+  static bool      isSingleThreaded(int proc_fd);
+  static bool      disableFilesystem();
+  static void      installFilter();
+  static void      findRanges(Ranges *ranges);
+  static void      rangesToBPF(Program *program, const Ranges& ranges);
+  static void      sigSys(int nr, siginfo_t *info, void *void_context);
 
   static bool          suppressLogging_;
   static SandboxStatus status_;
   static int           proc_fd_;
   static Evaluators    evaluators_;
 };
 
 }  // namespace
 
 #endif  // SANDBOX_BPF_H__