syscall_filter: Implement flag set inclusion.

When filtering syscalls that take flags as an argument, we usually want
to allow a small set of "safe" flags. This is hard to express with the
current language.

Implement this by adding a "flag set inclusion" mode using the 'in'
keyword. This works by allowing the syscall as long as the passed
flags, when viewed as a set, are included in the set of flags described
by the policy.

Also, clang-format all of bpf.c.

Bug: 31997910
Test: syscall_filter_unittest
Change-Id: I121af56b176bd3260904d367fd92d47a16bb3dcb
diff --git a/util.c b/util.c
index b242c71..f0dc23d 100644
--- a/util.c
+++ b/util.c
@@ -108,7 +108,7 @@
* Try to parse constants separated by pipes. Note that since
* |constant_str| is an atom, there can be no spaces between the
* constant and the pipe. Constants can be either a named constant
- * defined in libconstants.gen.c or a number parsed with strtol.
+ * defined in libconstants.gen.c or a number parsed with strtol(3).
*
* If there is an error parsing any of the constants, the whole process
* fails.
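Review bot: The reworded line now points at strtol(3), but the visible part of the comment still does not say which numeric forms are accepted (decimal only, or also 0x-prefixed hex and octal) or whether an out-of-range number counts as "an error parsing any of the constants". With the 'in' mode described in the commit message, policy authors will be writing piped flag lists by hand, and a mask that parses to a different value than intended changes which flags the filter allows. Consider adding one sentence here stating the accepted base and that overflow makes the whole parse fail, if that is the behaviour.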