nacl: Allow set_robust_list(2).

set_robust_list(2) is blocked in the baseline BPF policy because it's
used for inter-process futexes, which are not used by Chrome processes.
However, because it's being EPERM'd, it's generating quite a bit of
logspam on Chrome OS. Moreover, the syscall never EPERM's according to
its manpage.

Allow set_robust_list(2) for NaCl specifically. This syscall also
doesn't allow interacting with other processes (only modifying the
calling process), so it shouldn't be too bad to allow it. Moreover,
NaCl is going away so this problem will solve itself in a few months.

BUG=1051197
TEST=Enable NaCl on the open web in chrome:flags,
TEST=Open NaCl demo,
TEST=$ grep nacl /var/log/audit/audit.log is empty.

Change-Id: I25cec12067a60c3379e55d36806e07c0f2b10caf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2264573Reviewed-by: Derek Schuff <dschuff@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#782047}

components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc

@@ -118,6 +118,12 @@ ResultExpr NaClBPFSandboxPolicy::EvaluateSyscall(int sysno) const {
     // NaCl runtime uses flock to simulate POSIX behavior for pwrite.
     case __NR_flock:
     case __NR_pwrite64:
+    // set_robust_list(2) is generating quite a bit of logspam on Chrome OS
+    // (and probably on Linux too), and per its manpage it should never EPERM.
+    // Moreover, it also doesn't allow affecting other processes, since it
+    // doesn't take a |pid| argument.
+    // See crbug.com/1051197 for details.
+    case __NR_set_robust_list:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
     case __NR_sysinfo: