Linux sandbox: Allow restricting sched_* on other processes.

Adds a RestrictSchedTarget parameter restriction which only allows
sched_* syscalls if the pid argument is the sandboxed process's pid or
if the pid is 0, which means the current thread.  glibc's pthread
implementation sometimes calls these syscalls with pid equal to the
current tid.  On these calls, the policy triggers a SIGSYS, and the
SIGSYS handler reruns the syscall with a pid argument of 0.

R=jln@chromium.org
BUG=413855

Review URL: https://codereview.chromium.org/590213003

Cr-Commit-Position: refs/heads/master@{#297059}
5 files changed
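
The check this commit message describes, as an added example that is not Chromium's code: a user-space C model of the policy verdict and of the SIGSYS handler's rerun, using sched_getparam as the one sched_* call. The function names are hypothetical, and denying a trapped call whose pid is not the caller's tid is an assumption the message does not state.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names. This models the policy; it installs no seccomp filter. */
enum verdict { ALLOW, TRAP_RERUN_AS_ZERO, TRAP_DENY };

/* Filter side: only pid 0 (the calling thread) or the sandboxed process's
 * own pid pass; every other pid raises SIGSYS.
 * Handler side: a trapped pid equal to the caller's tid (the glibc pthread
 * case) is rerun with pid 0. Denying the rest is an assumption. */
enum verdict classify_sched_target(pid_t sandbox_pid, pid_t caller_tid,
                                   pid_t target)
{
    if (target == 0 || target == sandbox_pid)
        return ALLOW;
    if (target == caller_tid)
        return TRAP_RERUN_AS_ZERO;
    return TRAP_DENY;
}

/* sched_getparam as sandboxed code would observe it under this policy. */
int modeled_sched_getparam(pid_t target, struct sched_param *out)
{
    pid_t tid = (pid_t)syscall(SYS_gettid);

    switch (classify_sched_target(getpid(), tid, target)) {
    case ALLOW:
        return (int)syscall(SYS_sched_getparam, target, out);
    case TRAP_RERUN_AS_ZERO:
        /* Same call, retargeted at "current thread". */
        return (int)syscall(SYS_sched_getparam, 0, out);
    default:
        errno = EPERM; /* assumed outcome for a foreign pid */
        return -1;
    }
}

int main(void)
{
    struct sched_param sp;
    printf("pid 0:     %d\n", modeled_sched_getparam(0, &sp));
    printf("own pid:   %d\n", modeled_sched_getparam(getpid(), &sp));
    printf("other pid: %d\n", modeled_sched_getparam(getpid() + 1, &sp));
    return 0;
}
```

In a single-threaded process the tid equals the pid, so the rerun path is only reached from a secondary thread; the pure `classify_sched_target` function lets that case be checked with constructed ids.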