content/common/sandbox_linux/bpf_renderer_policy_linux.cc - Issue 1253363004: ozone gbm: whitelist 3 DRM ioctl code for native GpuMemoryBuffer.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_linux/bpf_renderer_policy_linux.cc

Issue 1253363004: ozone gbm: whitelist 3 DRM ioctl code for native GpuMemoryBuffer. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: fix chromeos_daisy_chromium_compile_only_ng build failure Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_linux/bpf_renderer_policy_linux.cc

diff --git a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc

index bd252ff755718d5cb28e29252416b5b2c927f835..3f2304179db01de8616a09df068813f7f528d13c 100644

--- a/content/common/sandbox_linux/bpf_renderer_policy_linux.cc

+++ b/content/common/sandbox_linux/bpf_renderer_policy_linux.cc

@@ -5,22 +5,48 @@

#include "content/common/sandbox_linux/bpf_renderer_policy_linux.h"

#include <errno.h>

+#include <sys/ioctl.h>

#include "base/basictypes.h"

#include "build/build_config.h"

#include "content/common/sandbox_linux/sandbox_linux.h"

#include "sandbox/linux/bpf_dsl/bpf_dsl.h"

+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"

#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"

#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"

#include "sandbox/linux/system_headers/linux_syscalls.h"

+#if defined(USE_VGEM_MAP)

+#include <libdrm/vgem_drm.h>

+#endif

using sandbox::SyscallSets;

using sandbox::bpf_dsl::Allow;

+using sandbox::bpf_dsl::Arg;

using sandbox::bpf_dsl::Error;

using sandbox::bpf_dsl::ResultExpr;

namespace content {

+namespace {

+ResultExpr RestrictIoctl() {

+ const Arg<unsigned long> request(1);

+ return Switch(request)

+ .SANDBOX_BPF_DSL_CASES((static_cast<unsigned long>(TCGETS), FIONREAD),

+ Allow())

+#if defined(USE_VGEM_MAP)

+ // Type of DRM_IOCTL_XXX is unsigned long on IA and unsigned int on ARM.

+ .SANDBOX_BPF_DSL_CASES(

+ (static_cast<unsigned long>(DRM_IOCTL_GEM_CLOSE),

+ DRM_IOCTL_VGEM_MODE_MAP_DUMB, DRM_IOCTL_PRIME_FD_TO_HANDLE),

+ Allow())

+#endif

+ .Default(sandbox::CrashSIGSYSIoctl());

+} // namespace

RendererProcessPolicy::RendererProcessPolicy() {}

RendererProcessPolicy::~RendererProcessPolicy() {}

@@ -31,7 +57,7 @@ ResultExpr RendererProcessPolicy::EvaluateSyscall(int sysno) const {

case __NR_clock_getres:

return sandbox::RestrictClockID();

case __NR_ioctl:

- return sandbox::RestrictIoctl();

+ return RestrictIoctl();

// Allow the system calls below.

case __NR_fdatasync:

case __NR_fsync:

« no previous file with comments | « content/common/BUILD.gn ('k') | content/content_common.gypi » ('j') | no next file with comments »