Add "alarm" and "mremap" to allow listed syscalls for ScreenAI.

"alarm and "mremap" syscalls are allow-listed for ScreenAI service, as
needed by libchromescreenai.so 127.0 (updated in crrev.com/c/6014185).

Bug: 378472917,378928754
Change-Id: Id440c841d2d4bbe314a679c3520bd3e41153d6ba
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6011106
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Ramin Halavati <rhalavati@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1382588}

sandbox/policy/linux/bpf_screen_ai_policy_linux.cc

@@ -4,9 +4,11 @@
 
 #include "sandbox/policy/linux/bpf_screen_ai_policy_linux.h"
 
+#include <sys/mman.h>
 #include <sys/prctl.h>
 
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/system_headers/linux_futex.h"
@@ -32,6 +34,11 @@ ResultExpr ScreenAIProcessPolicy::EvaluateSyscall(
     return sandbox_linux->HandleViaBroker(system_call_number);
 
   switch (system_call_number) {
+#if defined(__x86_64__)
+    case __NR_alarm:
+      return Allow();
+#endif
+
     case __NR_futex:
 #if defined(__NR_futex_time64)
     case __NR_futex_time64:
@@ -56,6 +63,12 @@ ResultExpr ScreenAIProcessPolicy::EvaluateSyscall(
       return If(which == 0, Allow()).Else(Error(EPERM));
     }
 
+    case __NR_mremap: {
+      const Arg<int> flags(3);
+      return If((flags & ~(MREMAP_MAYMOVE | MREMAP_FIXED)) == 0, Allow())
+          .Else(CrashSIGSYS());
+    }
+
 #if defined(__arm__) || defined(__aarch64__)
     case __NR_prctl: {
       const Arg<int> option(0);