Added support for greylisting of system calls.

sandbox/linux/seccomp-bpf/syscall.h

Index: sandbox/linux/seccomp-bpf/syscall.h
diff --git a/sandbox/linux/seccomp-bpf/syscall.h b/sandbox/linux/seccomp-bpf/syscall.h
new file mode 100644
index 0000000000000000000000000000000000000000..e19978d00a3a6a4e4f922ef6c6cd62bf3d63912d
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf/syscall.h
@@ -0,0 +1,23 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
+#define SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
+
+#include <stdint.h>
+#include <signal.h>
+
+namespace playground2 {
+
+// We have to make sure that we have a single "magic" return address for
+// our system calls, which we can check from within a BPF filter. This
+// works by writing a little bit of asm() code that a) enters the kernel, and
+// that also b) can be invoked in a way that computes this return address.
+// Passing "nr" as "-1" computes the "magic" return address. Passing any
+// other value invokes the appropriate system call.
+intptr_t Syscall(int nr, ...);

[jln (very slow on Chromium), 2012/11/20 01:08:31]

Should we rename this to DirectSyscall() maybe ? I fear confusion between
Syscall() and syscall().

+
+}  // namespace
+
+#endif  // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__