Add basic ARM support to the seccomp-bpf sandbox.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <ostream>
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using namespace playground2;
 
 namespace {
 
 const int kExpectedReturnValue = 42;
+#if defined(__arm__)
+const int kArmPublicSysnoCeiling = __NR_SYSCALL_BASE + 1024;
+#endif
 
 TEST(SandboxBpf, CallSupports) {
   // We check that we don't crash, but it's ok if the kernel doesn't
   // support it.
   bool seccomp_bpf_supported =
       Sandbox::supportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE;
   // We want to log whether or not seccomp BPF is actually supported
   // since actual test coverage depends on it.
   RecordProperty("SeccompBPFSupported",
                  seccomp_bpf_supported ? "true." : "false.");
@@ skipping 201 matching lines @@
   // index of that set + 1 (so that we never return a NUL errno).
   return ((sysno & ~3) >> 2) % 29 + 1;
 }
 
 Sandbox::ErrorCode SyntheticPolicy(int sysno) {
   if (sysno < static_cast<int>(MIN_SYSCALL) ||
       sysno > static_cast<int>(MAX_SYSCALL)) {
     // FIXME: we should really not have to do that in a trivial policy.
     return ENOSYS;
   }
+
+  // TODO(jorgelo): remove this restriction once crbug.com/141694 is fixed.
+#if defined(__arm__)
+  if (sysno > kArmPublicSysnoCeiling)
+    return ENOSYS;
+#endif
+
   if (sysno == __NR_exit_group) {
     // exit_group() is special, we really need it to work.
     return Sandbox::SB_ALLOWED;
   } else {
     return SysnoToRandomErrno(sysno);
   }
 }
 
 void SyntheticProcess(void) {
   // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int
   // overflow.
   if (std::numeric_limits<int>::max() - kExpectedReturnValue - 1 <
       static_cast<int>(MAX_SYSCALL)) {
     ExitGroup(1);
   }
+
+  // TODO(jorgelo): remove this limit once crbug.com/141694 is fixed.
+#if defined(__arm__)
+  int sysno_ceiling = kArmPublicSysnoCeiling;

[jln (very slow on Chromium), 2012/08/09 22:41:23]

These should be const.

[Jorge Lucangeli Obes, 2012/08/09 22:58:26]

Done.

+#else
+  int sysno_ceiling = static_cast<int>(MAX_SYSCALL);
+#endif
+
   for (int syscall_number =  static_cast<int>(MIN_SYSCALL);
-           syscall_number <= static_cast<int>(MAX_SYSCALL);
+           syscall_number <= sysno_ceiling;
          ++syscall_number) {
     if (syscall_number == __NR_exit_group) {
       // exit_group() is special
       continue;
     }
     errno = 0;
     if (syscall(syscall_number) != -1 ||
         errno != SysnoToRandomErrno(syscall_number)) {
       // Exit with a return value that is different than kExpectedReturnValue
       // to signal an error. Make it easy to see what syscall_number failed in
       // the test report.
       ExitGroup(kExpectedReturnValue + syscall_number + 1);
     }
   }
   ExitGroup(kExpectedReturnValue);
 }
 
 TEST(SandboxBpf, SyntheticPolicy) {
   TryPolicyInProcess(SyntheticPolicy, SyntheticProcess);
 }
 
 } // namespace