[MIPS] Add seccomp bpf support

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <fcntl.h>
 #include <linux/net.h>
@@ skipping 15 matching lines @@
 #if defined(OS_ANDROID)
 #if !defined(F_DUPFD_CLOEXEC)
 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
 #endif
 #endif
 
 #if defined(__arm__) && !defined(MAP_STACK)
 #define MAP_STACK 0x20000  // Daisy build environment has old headers.
 #endif
 
+#if defined(__mips__) && !defined(MAP_STACK)
+#define MAP_STACK 0x40000
+#endif
 namespace {
 
 inline bool RunningOnASAN() {
 #if defined(ADDRESS_SANITIZER)
   return true;
 #else
   return false;
 #endif
 }
 
 inline bool IsArchitectureX86_64() {
 #if defined(__x86_64__)
   return true;
 #else
   return false;
 #endif
 }
 
 inline bool IsArchitectureI386() {
 #if defined(__i386__)
   return true;
 #else
   return false;
 #endif
 }
 
+inline bool IsArchitectureMips() {
+#if defined(__mips__)
+  return true;
+#else
+  return false;
+#endif
+}
 }  // namespace.
 
 namespace sandbox {
 
 ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) {
   // Glibc's pthread.
   // TODO(jln): fix this on ASAN.
   if (!RunningOnASAN()) {
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
@@ skipping 60 matching lines @@
                        ErrorCode(ErrorCode::ERR_ALLOWED));
 }
 
 ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) {
   // We also restrict the flags in F_SETFL. We don't want to permit flags with
   // a history of trouble such as O_DIRECT. The flags you see are actually the
   // allowed ones, and the variable is a "denied" mask because of the negation
   // operator.
   // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
   int kOLargeFileFlag = O_LARGEFILE;
-  if (IsArchitectureX86_64() || IsArchitectureI386())
+  if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips())
     kOLargeFileFlag = 0100000;
 
   // TODO(jln): add TP_LONG/TP_SIZET types.
   ErrorCode::ArgType mask_long_type;
   if (sizeof(long) == 8)
     mask_long_type = ErrorCode::TP_64BIT;
   else if (sizeof(long) == 4)
     mask_long_type = ErrorCode::TP_32BIT;
   else
     NOTREACHED();
@@ skipping 26 matching lines @@
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(1, ErrorCode::TP_32BIT,
                        ErrorCode::OP_EQUAL, F_GETLK,
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(1, ErrorCode::TP_32BIT,
                        ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC,
                        ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Trap(CrashSIGSYS_Handler, NULL))))))))));
 }
 
-#if defined(__i386__)
+#if defined(__i386__) || defined(__mips__)
 ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) {
   // Unfortunately, we are unable to restrict the first parameter to
   // socketpair(2). Whilst initially sounding bad, it's noteworthy that very
   // few protocols actually support socketpair(2). The scary call that we're
   // worried about, socket(2), remains blocked.
   return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                        SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                        SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED),
          sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
@@ skipping 39 matching lines @@
         // TODO(jln): fix this.
         return ErrorCode(ErrorCode::ERR_ALLOWED);
       default:
         NOTREACHED();
         return sandbox->Trap(CrashSIGSYS_Handler, NULL);
     }
   }
 }
 
 }  // namespace sandbox.