Linux sandbox: always restrict clone() in baseline policy.

Always restrict clone() to thread creation in the baseline policy.

This CL does the following:
- Extend RestrictCloneToThreadsAndEPERMFork to support Android.
- Always EPERM anything that looks like fork().
- Add unit tests to the baseline policy related to clone() and fork().

This CL also modifies any other BPF policy so that if clone() was not
restricted before, it remains so. That is, only renderers and PPAPI
processes have clone() restrictions applied to them, as before.

BUG=367986
R=jorgelo@chromium.org, mdempsky@chromium.org

Review URL: https://codereview.chromium.org/270613008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269114 0039d316-1c4b-4281-b951-d872f2087c98
11 files changed
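
The decision described in the commit message above, as an added example that is not part of the commit or of Chromium's source. It assumes the flag sets glibc passes to clone() for pthread_create() and fork(), an exact-match comparison, and a trap for everything else; `clone_policy` and the two macros are hypothetical names, and another libc (such as Android's) would supply its own thread mask.

```c
/* Added illustration, not Chromium's code: models the action a
 * clone()-restricting seccomp-bpf policy picks from the flags argument. */
#include <errno.h>
#include <linux/sched.h>    /* CLONE_* */
#include <linux/seccomp.h>  /* SECCOMP_RET_* */
#include <signal.h>         /* SIGCHLD */
#include <stdint.h>
#include <stdio.h>

/* Assumption: flags glibc's pthread_create() passes to clone(). */
#define GLIBC_THREAD_FLAGS                                   \
    (CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |     \
     CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |           \
     CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID)
/* Assumption: flags glibc's fork() passes to clone(). */
#define GLIBC_FORK_FLAGS \
    (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD)

/* Returns the seccomp action for clone(flags, ...). The comparison is
 * an exact match: a superset such as thread flags plus CLONE_NEWUSER
 * must not be accepted as "a thread". */
uint32_t clone_policy(uint64_t flags, uint64_t thread_flags)
{
    if (flags == thread_flags)
        return SECCOMP_RET_ALLOW;
    if (flags == GLIBC_FORK_FLAGS)
        return SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA);
    return SECCOMP_RET_TRAP;  /* assumption: everything else traps */
}

int main(void)
{
    /* Constructed sample calls, one per outcome plus an edge case. */
    const struct { const char *name; uint64_t flags; } cases[] = {
        { "pthread_create", GLIBC_THREAD_FLAGS },
        { "fork",           GLIBC_FORK_FLAGS },
        { "vfork-style",    CLONE_VM | CLONE_VFORK | SIGCHLD },
        { "thread+NEWUSER", GLIBC_THREAD_FLAGS | CLONE_NEWUSER },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-15s -> 0x%08x\n", cases[i].name,
               (unsigned)clone_policy(cases[i].flags, GLIBC_THREAD_FLAGS));
    return 0;
}
```

A real filter makes the same comparison in BPF on the syscall's flags argument, after checking the architecture and syscall number.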