author | scottmg@chromium.org <scottmg@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-05 02:47:06 +0000 |
---|---|---|
committer | scottmg@chromium.org <scottmg@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-04-05 02:47:06 +0000 |
commit | 2fd337ff1d360779d5ef56a144ad570e7a05fb82 (patch) | |
tree | 5a14c79df584afdbcdb2d12b789c5888cdf6332f /sandbox | |
parent | aafb94168f43048379600e44a3cf6b9f7f1cb86d (diff) | |
Revert of sandbox: Add support for starting seccomp-bpf with threads. (https://codereview.chromium.org/224403002/)
Reason for revert:
Failed compile on http://build.chromium.org/p/chromium.linux/builders/Linux%20Clang%20%28dbg%29/builds/57969/steps/compile/logs/stdio
Original issue's description:
> sandbox: Add support for starting seccomp-bpf with threads.
>
> This requires an experimental kernel patch that has not yet been accepted
> upstream. However, this is a prerequisite for getting seccomp-bpf running under
> Android.
>
> BUG=308763, 308775
>
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=261951
TBR=jln@chromium.org,rsesek@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=308763, 308775
Review URL: https://codereview.chromium.org/226693004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@261959 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/linux/seccomp-bpf/bpf_tests.h | 3 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf/demo.cc | 3 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf/sandbox_bpf.cc | 40 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf/sandbox_bpf.h | 19 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc | 4 |
5 files changed, 13 insertions, 56 deletions
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h
index cc3fc25..dd30b15 100644
--- a/sandbox/linux/seccomp-bpf/bpf_tests.h
+++ b/sandbox/linux/seccomp-bpf/bpf_tests.h
@@ -84,8 +84,7 @@ class BPFTests : public UnitTests {
 sandbox::SandboxBPF sandbox;
 sandbox.set_proc_fd(proc_fd);
 sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
- BPF_ASSERT(sandbox.StartSandbox(
- sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
+ sandbox.SandboxBPF::StartSandbox();
 arg->test()(arg->aux_);
 } else {
diff --git a/sandbox/linux/seccomp-bpf/demo.cc b/sandbox/linux/seccomp-bpf/demo.cc
index bf5b85a..1418018 100644
--- a/sandbox/linux/seccomp-bpf/demo.cc
+++ b/sandbox/linux/seccomp-bpf/demo.cc
@@ -26,7 +26,6 @@
 #include <time.h>
 #include <unistd.h>
-#include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/linux_syscalls.h"
@@ -422,7 +421,7 @@ int main(int argc, char *argv[]) {
 SandboxBPF sandbox;
 sandbox.set_proc_fd(proc_fd);
 sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL);
- CHECK(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+ sandbox.StartSandbox();
 // Check that we can create threads
 pthread_t thr;
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index 1538fe8..6b2327e 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -323,9 +323,7 @@ bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
 }
 SetSandboxPolicyDeprecated(syscall_evaluator, aux);
- if (!StartSandbox(PROCESS_SINGLE_THREADED)) {
- SANDBOX_DIE(NULL);
- }
+ StartSandbox();
 // Run our code in the sandbox.
 code_in_sandbox();
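Review bot: The restored call in the bpf_tests.h hunk is written as `sandbox.SandboxBPF::StartSandbox();`, which qualifies a member call on a concrete `sandbox::SandboxBPF` value and buys nothing, while every other restored caller in this commit (demo.cc, RunFunctionInPolicy, both unit tests) uses the plain form. Suggest `sandbox.StartSandbox();` for consistency. Since the restored StartSandbox() returns void, the test no longer wraps sandbox start in BPF_ASSERT; a failure there is presumably reported by SANDBOX_DIE inside the callee rather than by the test harness, which is worth a one-line comment at the call site. The enclosing method in bpf_tests.h starts and ends outside the hunk.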
@@ -432,20 +430,15 @@ SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
 void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
-bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
- CHECK(thread_state == PROCESS_SINGLE_THREADED ||
- thread_state == PROCESS_MULTI_THREADED);
-
+void SandboxBPF::StartSandbox() {
 if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
 SANDBOX_DIE(
 "Trying to start sandbox, even though it is known to be "
 "unavailable");
- return false;
 } else if (sandbox_has_started_ || !conds_) {
 SANDBOX_DIE(
 "Cannot repeatedly start sandbox. Create a separate Sandbox "
 "object instead.");
- return false;
 }
 if (proc_fd_ < 0) {
 proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
@@ -454,10 +447,8 @@ bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
 // For now, continue in degraded mode, if we can't access /proc.
 // In the future, we might want to tighten this requirement.
 }
-
- if (thread_state == PROCESS_SINGLE_THREADED && !IsSingleThreaded(proc_fd_)) {
+ if (!IsSingleThreaded(proc_fd_)) {
 SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
- return false;
 }
 // We no longer need access to any files in /proc. We want to do this
@@ -466,18 +457,15 @@ bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
 if (proc_fd_ >= 0) {
 if (IGNORE_EINTR(close(proc_fd_))) {
 SANDBOX_DIE("Failed to close file descriptor for /proc");
- return false;
 }
 proc_fd_ = -1;
 }
 // Install the filters.
- InstallFilter(thread_state);
+ InstallFilter();
 // We are now inside the sandbox.
 status_ = STATUS_ENABLED;
-
- return true;
 }
 void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
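Review bot: In the restored StartSandbox() the thread check `if (!IsSingleThreaded(proc_fd_))` runs even when the preceding `open("/proc", ...)` failed and the code, per its own comment, continues in degraded mode with proc_fd_ still negative; what IsSingleThreaded() answers for a negative fd is not visible in this hunk. The single-threaded requirement exists because a seccomp-bpf filter installed without the thread-synchronisation path this commit removes covers only the installing thread, so if the check cannot inspect /proc and answers "single-threaded" by default, a multi-threaded caller would get a sandbox that leaves its other threads unfiltered. Suggest stating the intended contract right at the degraded-mode comment, e.g. `// NOTE: with proc_fd_ < 0 the IsSingleThreaded() check below cannot consult /proc; confirm it fails closed rather than assuming a single thread.`, and tightening the open() failure to SANDBOX_DIE if that confirmation is not possible. The open() failure branch itself begins before this hunk.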
@@ -511,7 +499,7 @@ void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) {
 policy_.reset(policy);
 }
-void SandboxBPF::InstallFilter(SandboxThreadState thread_state) {
+void SandboxBPF::InstallFilter() {
 // We want to be very careful in not imposing any requirements on the
 // policies that are set with SetSandboxPolicy(). This means, as soon as
 // the sandbox is active, we shouldn't be relying on libraries that could
@@ -547,23 +535,9 @@ void SandboxBPF::InstallFilter(SandboxThreadState thread_state) {
 }
 }
- // TODO(rsesek): Always try to engage the sandbox with the
- // PROCESS_MULTI_THREADED path first, and if that fails, assert that the
- // process IsSingleThreaded() or SANDBOX_DIE.
-
- if (thread_state == PROCESS_MULTI_THREADED) {
- // TODO(rsesek): Move these to a more reasonable place once the kernel
- // patch has landed upstream and these values are formalized.
- #define PR_SECCOMP_EXT 41
- #define SECCOMP_EXT_ACT 1
- #define SECCOMP_EXT_ACT_TSYNC 1
- if (prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT, SECCOMP_EXT_ACT_TSYNC, 0, 0)) {
- SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to synchronize threadgroup " "BPF filters.");
- }
- }
-
 sandbox_has_started_ = true;
+
+ return;
 }
 SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index 67b84b9..f6e4135 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -16,7 +16,6 @@
 #include <utility>
 #include <vector>
-#include "base/compiler_specific.h"
 #include "base/memory/scoped_ptr.h"
 #include "sandbox/linux/sandbox_export.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
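Review bot: The restored tail of InstallFilter() ends with `sandbox_has_started_ = true;` followed by an added blank line and a bare `return;`, which is dead code in a void function and reads as a leftover of the reverted edit; drop the two added lines so the function simply ends at the assignment. With the thread-sync branch gone, this function also carries no comment stating that the filter it installs is expected to take effect only for a process that StartSandbox() has already verified to be single-threaded; a one-line `// Caller (StartSandbox) has verified the process is single-threaded.` above the assignment would make that dependency visible to the next reader. The filter assembly and installation that precede this point lie outside the hunk.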
@@ -53,18 +52,6 @@ class SANDBOX_EXPORT SandboxBPF {
 STATUS_ENABLED // The sandbox is now active
 };
- // Depending on the level of kernel support, seccomp-bpf may require the
- // process to be single-threaded in order to enable it. When calling
- // StartSandbox(), the program should indicate whether or not the sandbox
- // should try and engage with multi-thread support.
- enum SandboxThreadState {
- PROCESS_INVALID,
- PROCESS_SINGLE_THREADED, // The program is currently single-threaded.
- // Note: PROCESS_MULTI_THREADED requires experimental kernel support that
- // has not been contributed to upstream Linux.
- PROCESS_MULTI_THREADED, // The program may be multi-threaded.
- };
-
 // When calling setSandboxPolicy(), the caller can provide an arbitrary
 // pointer in |aux|. This pointer will then be forwarded to the sandbox
 // policy each time a call is made through an EvaluateSyscall function
@@ -181,8 +168,6 @@ class SANDBOX_EXPORT SandboxBPF {
 // This is the main public entry point. It finds all system calls that
 // need rewriting, sets up the resources needed by the sandbox, and
 // enters Seccomp mode.
- // The calling process must specify its current SandboxThreadState, as a way
- // to tell the sandbox which type of kernel support it should engage.
 // It is possible to stack multiple sandboxes by creating separate "Sandbox"
 // objects and calling "StartSandbox()" on each of them. Please note, that
 // this requires special care, though, as newly stacked sandboxes can never
@@ -191,7 +176,7 @@ class SANDBOX_EXPORT SandboxBPF {
 // disallowed.
 // Finally, stacking does add more kernel overhead than having a single
 // combined policy. So, it should only be used if there are no alternatives.
- bool StartSandbox(SandboxThreadState thread_state) WARN_UNUSED_RESULT;
+ void StartSandbox();
 // Assembles a BPF filter program from the current policy. After calling this
 // function, you must not call any other sandboxing function.
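Review bot: The restored declaration `void StartSandbox();` drops the bool result and WARN_UNUSED_RESULT, but the header comment above it still says nothing about what a caller sees when the sandbox cannot be started; the sandbox_bpf.cc side of this commit shows every failure path (unavailable status, repeated start, multi-threaded process, failed close of /proc) ending in SANDBOX_DIE() with no value returned. Suggest extending the comment with `// Failure is not reported to the caller: any of the above conditions ends in SANDBOX_DIE(), which is presumed fatal.` so nobody writes recovery code around this call. The comment also still requires the process to be single-threaded only implicitly, via the removed enum text; restoring a sentence such as `// The calling process must be single-threaded when this is called.` would keep that precondition visible. The class declaration starts and ends outside the hunk.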
@@ -244,7 +229,7 @@ class SANDBOX_EXPORT SandboxBPF {
 // Assembles and installs a filter based on the policy that has previously
 // been configured with SetSandboxPolicy().
- void InstallFilter(SandboxThreadState thread_state);
+ void InstallFilter();
 // Verify the correctness of a compiled program by comparing it against the
 // current policy. This function should only ever be called by unit tests and
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index ba13a32..17df1d5 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -99,7 +99,7 @@ SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
 pid_t test_var = 0;
 SandboxBPF sandbox;
 sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var);
- BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+ sandbox.StartSandbox();
 BPF_ASSERT(test_var == 0);
 BPF_ASSERT(syscall(__NR_getpid) == 0);
@@ -326,7 +326,7 @@ BPF_TEST(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
 // restrict filters, but we cannot relax existing filters.
 SandboxBPF sandbox;
 sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL);
- BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
+ sandbox.StartSandbox();
 errno = 0;
 BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
|