[sandbox] Restrict pkey_alloc flags

The "flags" argument to pkey_alloc must currently always be zero.
Enforce this via the sandbox to pretect against future extensions.

R=rsesek@chromium.org

Bug: chromium:1229359
Change-Id: I9922701728facbe5a44466bb6fc8534ec797be27
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3028921
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#901869}

sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc

@@ -171,7 +171,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
 #endif
 
   // V8 uses PKU (a.k.a. MPK / PKEY) for protecting code spaces.
-  if (sysno == __NR_pkey_alloc || sysno == __NR_pkey_free) {
+  if (sysno == __NR_pkey_alloc) {
+    return RestrictPkeyAllocFlags();
+  }
+
+  if (sysno == __NR_pkey_free) {
     return Allow();
   }
 

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

@@ -462,4 +462,9 @@ ResultExpr RestrictPtrace() {
 }
 #endif  // defined(OS_NACL_NONSFI)
 
+ResultExpr RestrictPkeyAllocFlags() {
+  const Arg<int> flags(0);
+  return If(flags == 0, Allow()).Else(CrashSIGSYS());
+}
+
 }  // namespace sandbox.

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h

@@ -114,6 +114,9 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid);
 // reporting. See https://crbug.com/933418 for details.
 SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPtrace();
 
+// Restrict the flags argument for pkey_alloc. It's specified to always be 0.
+SANDBOX_EXPORT bpf_dsl::ResultExpr RestrictPkeyAllocFlags();
+
 }  // namespace sandbox.
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_