NotForReview: Implement zero/one-copy texture for ozone freon using Intel DRM

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <fcntl.h>
 #include <linux/futex.h>
@@ skipping 14 matching lines @@
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
+#if defined(USE_OZONE_GBM_INTEL)
+#include <libdrm/i915_drm.h>
+#endif
+
 #if defined(OS_ANDROID)
 
 #include "sandbox/linux/system_headers/android_futex.h"
 
 #if !defined(F_DUPFD_CLOEXEC)
 #define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
 #endif
 
 // https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
 #if !defined(PR_SET_VMA)
@@ skipping 94 matching lines @@
   return Switch(option)
       .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE),
              Allow())
 #if defined(OS_ANDROID)
       .CASES((PR_SET_VMA, PR_SET_TIMERSLACK_PID), Allow())
 #endif
       .Default(CrashSIGSYSPrctl());
 }
 
 ResultExpr RestrictIoctl() {
-  const Arg<int> request(1);
-  return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default(
-      CrashSIGSYSIoctl());
+// The type of DRM_IOCTL_XXX macro is long unsigned int.
+#if defined(USE_OZONE_GBM_INTEL)
+  auto reference_type = DRM_IOCTL_I915_GEM_MMAP;
+#else
+  auto reference_type = TCGETS;
+#endif
+  const Arg<decltype(reference_type)> request(1);
+  return Switch(request)
+      .CASES(((decltype(reference_type))TCGETS, FIONREAD), Allow())
+#if defined(USE_OZONE_GBM_INTEL)
+      .CASES((DRM_IOCTL_GEM_CLOSE, DRM_IOCTL_I915_GEM_GET_APERTURE,
+              DRM_IOCTL_I915_GEM_GET_TILING, DRM_IOCTL_I915_GEM_MMAP,
+              DRM_IOCTL_I915_GEM_SET_DOMAIN, DRM_IOCTL_I915_GEM_SW_FINISH,
+              DRM_IOCTL_I915_GEM_USERPTR, DRM_IOCTL_I915_GETPARAM,
+              DRM_IOCTL_PRIME_FD_TO_HANDLE),
+             Allow())

[dshwang, 2015/04/09 19:12:26]

Render process requires additional ioctl calls. It's same way in which Android
and OSX add more system call in white list.
I hope security owner review it.

[reveman, 2015/04/13 00:46:13]

This has unacceptable security implications, which is why we want to use vgem
instead.

[dshwang, 2015/04/14 13:15:55]

Even if we use vgem, we need some ioctl call in render process to map/unmap
for example, DRM_IOCTL_PRIME_FD_TO_HANDLE, DRM_IOCTL_MODE_MAP_DUMB

+#endif
+      .Default(CrashSIGSYSIoctl());
 }
 
 ResultExpr RestrictMmapFlags() {
   // The flags you see are actually the allowed ones, and the variable is a
   // "denied" mask because of the negation operator.
   // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
   // MAP_POPULATE.
   // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
   const uint64_t kAllowedMask = MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
                                 MAP_STACK | MAP_NORESERVE | MAP_FIXED |
@@ skipping 141 matching lines @@
   const Arg<pid_t> pid(0);
   return If(pid == 0 || pid == target_pid, Allow()).Else(CrashSIGSYS());
 }
 
 ResultExpr RestrictGetrusage() {
   const Arg<int> who(0);
   return If(who == RUSAGE_SELF, Allow()).Else(CrashSIGSYS());
 }
 
 }  // namespace sandbox.