mandoline: lock down the linux sandbox more.
Previously, the mandoline sandbox allowed all system calls except for
access()/open()/faccessat()/openat(). This patch now uses the baseline
sandboxing policy (which will error on many common syscalls and will
crash on unwhitelisted calls). Added a few syscalls that we need for the
compositor to the explicit allow list.
BUG=492524
Review URL: https://codereview.chromium.org/1318063006
Cr-Commit-Position: refs/heads/master@{#346469}
CrOS-Libchrome-Original-Commit: 6b21046b63481355378258b8a37d029a6a742ca1
1 file changed
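The commit message above describes the two outcomes a baseline seccomp policy produces for syscalls outside its allow list: a common-but-blocked call fails with an errno, while anything not on either list kills the process. The following is an added example, not code from this commit or from Chromium's sandbox: it builds a small seccomp-bpf allow-list filter as a `struct sock_filter` program and evaluates it with a minimal classic-BPF interpreter in user space, so the allow / errno / kill behaviour can be inspected without installing the filter. The policy contents (which syscalls are allowed, which return EPERM) are constructed for illustration and are not the baseline policy the commit refers to.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Two-instruction building blocks: if the accumulator (the syscall number)
 * equals nr, fall through to the RET; otherwise skip it. */
#define ALLOW_NR(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define ERRNO_NR(nr, err) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((err) & SECCOMP_RET_DATA))

/* Constructed example policy (not Chromium's baseline policy):
 * - wrong architecture: kill (prevents 32-bit ABI confusion on x86_64)
 * - read/write/exit_group: allowed
 * - openat/faccessat: fail with EPERM instead of crashing
 * - everything else: kill with SIGSYS */
static const struct sock_filter example_policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_NR(__NR_read),
    ALLOW_NR(__NR_write),
    ALLOW_NR(__NR_exit_group),
    ERRNO_NR(__NR_openat, EPERM),
    ERRNO_NR(__NR_faccessat, EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define EXAMPLE_POLICY_LEN (sizeof(example_policy) / sizeof(example_policy[0]))

/* Toy classic-BPF interpreter supporting only the three opcodes the policy
 * uses. Jump offsets are relative to the following instruction, which the
 * loop's pc++ accounts for. Anything unsupported evaluates to KILL. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    const unsigned char *raw = (const unsigned char *)sd;
    uint32_t acc = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL;
            memcpy(&acc, raw + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: the kernel rejects such filters */
}

/* Evaluate the policy for a syscall number on a given architecture. */
static uint32_t evaluate(uint32_t arch, int nr)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.arch = arch;
    sd.nr = nr;
    return run_filter(example_policy, EXAMPLE_POLICY_LEN, &sd);
}

/* Action part of the verdict (SECCOMP_RET_ALLOW / _ERRNO / _KILL). */
uint32_t policy_action(int nr)
{
    return evaluate(THIS_ARCH, nr) & SECCOMP_RET_ACTION;
}

/* Errno carried in the verdict's data bits (meaningful for SECCOMP_RET_ERRNO). */
int policy_errno(int nr)
{
    return (int)(evaluate(THIS_ARCH, nr) & SECCOMP_RET_DATA);
}

/* Verdict for a syscall arriving under a foreign architecture ABI. */
uint32_t policy_action_for_arch(uint32_t arch, int nr)
{
    return evaluate(arch, nr) & SECCOMP_RET_ACTION;
}

int main(void)
{
    printf("read    -> %s\n", policy_action(__NR_read) == SECCOMP_RET_ALLOW ? "allow" : "blocked");
    printf("openat  -> errno %d\n", policy_errno(__NR_openat));
    printf("ptrace  -> %s\n", policy_action(__NR_ptrace) == SECCOMP_RET_KILL ? "kill" : "not kill");
    return 0;
}
```

Installing such a program for real means `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` followed by `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` with a `struct sock_fprog` wrapping the array; the block deliberately stops short of that so the verdicts can be checked in-process. The architecture check comes first for the same reason the kernel evaluates it first: without it a syscall number means different things under a different ABI. The difference between the `ERRNO_NR` entries and the final `KILL` is exactly the "error on many common syscalls" versus "crash on unwhitelisted calls" distinction the commit message draws, and when auditing a sandbox policy the errno list is where to look for calls that silently degrade rather than fail loudly.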