Linux sandbox: whitelist allowed Futex operations.

Remove the existing blacklist and whitelist allowed futex operations instead.
The semantics change a little bit as none of the "priority inheritance" operations
are allowed.

BUG=408847
R=mdempsky@chromium.org

Review URL: https://codereview.chromium.org/550473002

Cr-Commit-Position: refs/heads/master@{#293589}

sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc

@@ -271,6 +271,14 @@ BPF_DEATH_TEST_C(BaselinePolicy,
   syscall(__NR_futex, NULL, FUTEX_CMP_REQUEUE_PI_PRIVATE, 0, NULL, NULL, 0);
   _exit(1);
 }
+
+BPF_DEATH_TEST_C(BaselinePolicy,
+                 FutexWithUnlockPIPrivate,
+                 DEATH_MESSAGE(GetFutexErrorMessageContentForTests()),
+                 BaselinePolicy) {
+  syscall(__NR_futex, NULL, FUTEX_UNLOCK_PI_PRIVATE, 0, NULL, NULL, 0);
+  _exit(1);
+}
 #endif  // !defined(OS_ANDROID)
 
 BPF_TEST_C(BaselinePolicy, PrctlDumpable, BaselinePolicy) {

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

@@ -25,13 +25,16 @@
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/services/android_futex.h"
 
 #if defined(OS_ANDROID)
+
+#include "sandbox/linux/services/android_futex.h"
+
 #if !defined(F_DUPFD_CLOEXEC)
 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
 #endif
-#endif
+
+#endif  // defined(OS_ANDROID)
 
 #if defined(__arm__) && !defined(MAP_STACK)
 #define MAP_STACK 0x20000  // Daisy build environment has old headers.
@@ -207,19 +210,20 @@ ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) {
 }
 
 ResultExpr RestrictFutex() {
-  // In futex.c, the kernel does "int cmd = op & FUTEX_CMD_MASK;". We need to
-  // make sure that the combination below will cover every way to get
-  // FUTEX_CMP_REQUEUE_PI.
-  const int kBannedFutexBits =
-      ~(FUTEX_CMD_MASK | FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME);
-  COMPILE_ASSERT(0 == kBannedFutexBits,
-                 need_to_explicitly_blacklist_more_bits);
+  const int kAllowedFutexFlags = FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME;
+  const int kOperationMask = ~kAllowedFutexFlags;
+  const int kAllowedFutexOperations[] = {
+      FUTEX_WAIT,        FUTEX_WAKE,    FUTEX_FD,          FUTEX_REQUEUE,
+      FUTEX_CMP_REQUEUE, FUTEX_WAKE_OP, FUTEX_WAIT_BITSET, FUTEX_WAKE_BITSET};
 
   const Arg<int> op(1);
-  return If(op == FUTEX_CMP_REQUEUE_PI || op == FUTEX_CMP_REQUEUE_PI_PRIVATE ||
-                op == (FUTEX_CMP_REQUEUE_PI | FUTEX_CLOCK_REALTIME) ||
-                op == (FUTEX_CMP_REQUEUE_PI_PRIVATE | FUTEX_CLOCK_REALTIME),
-            CrashSIGSYSFutex()).Else(Allow());
+
+  BoolExpr IsAllowedOp = (op & kOperationMask) == kAllowedFutexOperations[0];
+  for (size_t i = 1; i < arraysize(kAllowedFutexOperations); ++i) {
+    IsAllowedOp =
+        IsAllowedOp || ((op & kOperationMask) == kAllowedFutexOperations[i]);
+  }
+  return If(IsAllowedOp, Allow()).Else(CrashSIGSYSFutex());
 }
 
 }  // namespace sandbox.

sandbox/linux/services/android_futex.h

@@ -5,20 +5,64 @@
 #ifndef SANDBOX_LINUX_SERVICES_ANDROID_FUTEX_H_
 #define SANDBOX_LINUX_SERVICES_ANDROID_FUTEX_H_
 
-#if !defined(FUTEX_PRIVATE_FLAG)
-#define FUTEX_PRIVATE_FLAG 128
+#if !defined(FUTEX_WAIT)
+#define FUTEX_WAIT 0
 #endif
 
-#if !defined(FUTEX_CLOCK_REALTIME)
-#define FUTEX_CLOCK_REALTIME 256
+#if !defined(FUTEX_WAKE)
+#define FUTEX_WAKE 1
+#endif
+
+#if !defined(FUTEX_FD)
+#define FUTEX_FD 2
+#endif
+
+#if !defined(FUTEX_REQUEUE)
+#define FUTEX_REQUEUE 3
+#endif
+
+#if !defined(FUTEX_CMP_REQUEUE)
+#define FUTEX_CMP_REQUEUE 4
+#endif
+
+#if !defined(FUTEX_WAKE_OP)
+#define FUTEX_WAKE_OP 5
+#endif
+
+#if !defined(FUTEX_LOCK_PI)
+#define FUTEX_LOCK_PI 6
+#endif
+
+#if !defined(FUTEX_UNLOCK_PI)
+#define FUTEX_UNLOCK_PI 7
+#endif
+
+#if !defined(FUTEX_TRYLOCK_PI)
+#define FUTEX_TRYLOCK_PI 8
+#endif
+
+#if !defined(FUTEX_WAIT_BITSET)
+#define FUTEX_WAIT_BITSET 9
+#endif
+
+#if !defined(FUTEX_WAKE_BITSET)
+#define FUTEX_WAKE_BITSET 10
+#endif
+
+#if !defined(FUTEX_WAIT_REQUEUE_PI)
+#define FUTEX_WAIT_REQUEUE_PI 11
 #endif
 
 #if !defined(FUTEX_CMP_REQUEUE_PI)
 #define FUTEX_CMP_REQUEUE_PI 12
 #endif
 
-#if !defined(FUTEX_CMP_REQUEUE_PI_PRIVATE)
-#define FUTEX_CMP_REQUEUE_PI_PRIVATE (FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG)
+#if !defined(FUTEX_PRIVATE_FLAG)
+#define FUTEX_PRIVATE_FLAG 128
+#endif
+
+#if !defined FUTEX_CLOCK_REALTIME
+#define FUTEX_CLOCK_REALTIME 256
 #endif
 
 #if !defined(FUTEX_CMD_MASK)