Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
index 60c16d37302b880a63db88fcd2ebbbcb97f6a1da..6375ea4fda7bc6e4e66cbfe81dd6bc19d4a58946 100644 |
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc |
@@ -36,6 +36,10 @@ |
#include <sys/ioctl.h> |
#endif |
+#if defined(USE_OZONE_GBM) |
+#include <drm.h> |
+#endif |
+ |
#if defined(OS_ANDROID) |
#if !defined(F_DUPFD_CLOEXEC) |
@@ -149,9 +153,21 @@ ResultExpr RestrictPrctl() { |
} |
ResultExpr RestrictIoctl() { |
- const Arg<int> request(1); |
- return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default( |
- CrashSIGSYSIoctl()); |
+// The type of DRM_IOCTL_XXX macro is long unsigned int. |
+#if defined(USE_OZONE_GBM) |
+ auto reference_type = DRM_IOCTL_MODE_MAP_DUMB; |
+#else |
+ auto reference_type = TCGETS; |
+#endif |
+ const Arg<decltype(reference_type)> request(1); |
+ return Switch(request) |
+ .CASES(((decltype(reference_type))TCGETS, FIONREAD), Allow()) |
+#if defined(USE_OZONE_GBM) |
+ .CASES((DRM_IOCTL_GEM_CLOSE, DRM_IOCTL_MODE_DESTROY_DUMB, |
+ DRM_IOCTL_MODE_MAP_DUMB, DRM_IOCTL_PRIME_FD_TO_HANDLE), |
+ Allow()) |
+#endif |
+ .Default(CrashSIGSYSIoctl()); |
} |
ResultExpr RestrictMmapFlags() { |