
Security/Sandbox/Seccomp

209 bytes added, 19:51, 15 October 2015
Use in Gecko: Update for bug 1055310
* Sandbox.h: the public interface; used when a child process is ready to enter sandboxed mode
* SandboxFilter.cpp: the sandbox policy definitions
* SandboxAssembler.{h,cpp}: implements the policies in terms of the Chromium CodeGen module and trap handlers for intercepted syscalls
* Sandbox.cpp: the code that starts the sandbox and handles violations (note: this is changing soon; see {{bug|1041886}}).
* arm_linux_syscalls.h and other *_linux_syscalls.h: syscall number definitions; grep these to translate syscall numbers seen in error messages (use the file corresponding to the architecture in question)

Before this edit: We also have an import of the Chromium seccomp-bpf libraries at security/sandbox/chromium/sandbox/linux/seccomp-bpf; we're currently using the CodeGen/BasicBlock/Instruction layer, but not ErrorCode or SandboxBPF (yet).

After this edit: The policy is compiled into a seccomp-bpf program using the Chromium code imported in security/sandbox/chromium/sandbox/linux. Files of interest in that subtree:
* bpf_dsl/bpf_dsl.h: defines the interface used to specify the policy
* bpf_dsl/policy_compiler.cc: converts the intermediate form into BPF instructions
* services/arm_linux_syscalls.h and other *_linux_syscalls.h: syscall number definitions; grep these to translate syscall numbers seen in error messages (use the file corresponding to the architecture in question).
=== Seccomp reporter ===
seccomp sandbox violation: pid %u, syscall %lu, args %lu %lu %lu %lu %lu. Killing Process.
 
Note that the SIGSYS handler is also used for syscalls that we want to intercept and “polyfill” with some other action; in that case it modifies the signal context and returns, instead of crashing.
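Translating a reporter line back to a syscall name, as an added example that is not part of the wiki page or of Gecko: it parses a constructed header fragment written in the style of the Chromium *_linux_syscalls.h files (the ARM form with __NR_SYSCALL_BASE offsets and the plain-number form used on x86_64 are both handled) and resolves the number from a violation message in the format shown above.

```python
import re

# Constructed fragment in the style of Chromium's arm_linux_syscalls.h
# (names and numbers chosen for illustration, not copied from the real file).
ARM_SYSCALLS_H = """
#define __NR_SYSCALL_BASE 0
#if !defined(__NR_restart_syscall)
#define __NR_restart_syscall (__NR_SYSCALL_BASE+0)
#endif
#if !defined(__NR_open)
#define __NR_open (__NR_SYSCALL_BASE+5)
#endif
#if !defined(__NR_socketcall)
#define __NR_socketcall (__NR_SYSCALL_BASE+102)
#endif
"""

DEFINE_RE = re.compile(r"^#define\s+__NR_(\w+)\s+(.+?)\s*$", re.M)
# Matches the reporter format: pid, syscall number, then the five args.
REPORT_RE = re.compile(
    r"seccomp sandbox violation: pid (\d+), syscall (\d+), args ((?:\d+\s*)+)\."
)


def parse_syscall_table(header_text):
    """Map syscall number -> name from a *_linux_syscalls.h-style header."""
    base = 0
    table = {}
    for name, expr in DEFINE_RE.findall(header_text):
        if name == "SYSCALL_BASE":
            base = int(expr, 0)  # ARM headers define numbers relative to this
            continue
        m = re.fullmatch(r"\(?\s*__NR_SYSCALL_BASE\s*\+\s*(\d+)\s*\)?", expr)
        number = base + int(m.group(1)) if m else int(expr, 0)
        table[number] = name
    return table


def translate_violation(line, table):
    """Parse one reporter line; return (pid, syscall name or number, args)."""
    m = REPORT_RE.search(line)
    if not m:
        return None
    pid, nr = int(m.group(1)), int(m.group(2))
    args = [int(a) for a in m.group(3).split()]
    return pid, table.get(nr, f"unknown({nr})"), args
```

Point it at the header for the architecture the log came from; a number missing from that header comes back as unknown(N) rather than being silently mistranslated.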
=== How do I check my processes are sandboxed by seccomp? ===