[MIPS] Add seccomp bpf support

sandbox/linux/seccomp-bpf/syscall.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
 
 #include <stdint.h>
 
 #include "sandbox/sandbox_export.h"
 
 namespace sandbox {
 
 // We have to make sure that we have a single "magic" return address for

[jln (very slow on Chromium), 2014/06/03 01:00:33]

Could you add some explicit documentation that this will return the  kernel
return value on success and -errno on error on all architectures, even MIPS?

[nedeljko, 2014/06/03 15:32:18]

Done.

 // our system calls, which we can check from within a BPF filter. This
 // works by writing a little bit of asm() code that a) enters the kernel, and
 // that also b) can be invoked in a way that computes this return address.
 // Passing "nr" as "-1" computes the "magic" return address. Passing any
 // other value invokes the appropriate system call.
 SANDBOX_EXPORT intptr_t SandboxSyscall(int nr,
                                        intptr_t p0,
                                        intptr_t p1,
                                        intptr_t p2,
                                        intptr_t p3,
                                        intptr_t p4,
                                        intptr_t p5);
 
+#if defined(__mips__)
+// This function basically does on MIPS what SandboxSyscall() is doing on
+// othere architectures. However, because of specificity of MIPS regarding
+// handelling syscall errors, SandboxSyscall() is made as a wrapper for this
+// function in order for SandboxSyscall() to behave more like on othere
+// architectures on places where return value from SandboxSyscall() is used
+// directly (like in the most tests).

[jln (very slow on Chromium), 2014/06/03 01:00:33]

"like in most tests"

[nedeljko, 2014/06/03 15:32:18]

Done.

+intptr_t SandboxSyscallRaw(int nr,

[jln (very slow on Chromium), 2014/06/03 01:00:33]

Please, document |args| and |err_stat|

[nedeljko, 2014/06/03 15:32:18]

Done.

+                        const intptr_t *args,

[jln (very slow on Chromium), 2014/06/03 01:00:33]

Nit: chromium style is "type* variable".

[nedeljko, 2014/06/03 15:32:18]

I was looking at the syscall.cc when I wrote this and there is "type *variable"
in use there, but I can see now that this is wrong.

+                        intptr_t *err_stat);
+#endif  // defined(__mips__)
+
 // System calls can take up to six parameters. Traditionally, glibc
 // implements this property by using variadic argument lists. This works, but
 // confuses modern tools such as valgrind, because we are nominally passing
 // uninitialized data whenever we call through this function and pass less
 // than the full six arguments.
 // So, instead, we use C++'s template system to achieve a very similar
 // effect. C++ automatically sets the unused parameters to zero for us, and
 // it also does the correct type expansion (e.g. from 32bit to 64bit) where
 // necessary.
 // We have to use C-style cast operators as we want to be able to accept both
@@ skipping 101 matching lines @@
     __attribute__((always_inline));
 SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr) {
   return SandboxSyscall(nr, 0, 0, 0, 0, 0, 0);
 }
 
 #endif  // Pre-C++11
 
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__