sandbox: Allow kcmp for amd gpu sandbox

mesa 19.3.4 and 20.0.x and later calls kcmp

Change-Id: I2616b5dfba2bed9a348a711c2e2b9c97598f64de
Bug: none
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2108797
Commit-Queue: Drew Davenport <ddavenport@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#751845}

services/service_manager/sandbox/linux/bpf_cros_amd_gpu_policy_linux.cc

@@ -5,6 +5,7 @@
 #include "services/service_manager/sandbox/linux/bpf_cros_amd_gpu_policy_linux.h"
 
 #include <fcntl.h>
+#include <linux/kcmp.h>
 #include <sys/socket.h>
 
 // Some arch's (arm64 for instance) unistd.h don't pull in symbols used here
@@ -17,6 +18,7 @@
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
+using sandbox::bpf_dsl::AllOf;
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::Arg;
 using sandbox::bpf_dsl::Error;
@@ -48,6 +50,17 @@ ResultExpr CrosAmdGpuProcessPolicy::EvaluateSyscall(int sysno) const {
       return If(domain == AF_UNIX, Allow()).Else(Error(EPERM));
     }
 #endif
+    case __NR_kcmp: {
+      const Arg<int> pid1(0);
+      const Arg<int> pid2(1);
+      const Arg<int> type(2);
+      const int policy_pid = GetPolicyPid();
+      // Only allowed when comparing file handles for the calling thread.
+      return If(AllOf(pid1 == policy_pid, pid2 == policy_pid,
+                      type == KCMP_FILE),
+                Allow())
+          .Else(Error(EPERM));
+    }
     default:
       // Default to the generic GPU policy.
       return GpuProcessPolicy::EvaluateSyscall(sysno);