OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" |
6 | 6 |
7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
(...skipping 11 matching lines...) Expand all Loading... |
22 #include "base/files/file_enumerator.h" | 22 #include "base/files/file_enumerator.h" |
23 #include "base/logging.h" | 23 #include "base/logging.h" |
24 #include "base/macros.h" | 24 #include "base/macros.h" |
25 #include "base/memory/ptr_util.h" | 25 #include "base/memory/ptr_util.h" |
26 #include "base/strings/stringprintf.h" | 26 #include "base/strings/stringprintf.h" |
27 #include "build/build_config.h" | 27 #include "build/build_config.h" |
28 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" | 28 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" |
29 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 29 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
30 #include "content/common/set_process_title.h" | 30 #include "content/common/set_process_title.h" |
31 #include "content/public/common/content_switches.h" | 31 #include "content/public/common/content_switches.h" |
| 32 #include "gpu/config/gpu_switches.h" |
| 33 #include "gpu/ipc/service/switches.h" |
32 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 34 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
33 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" | 35 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" |
34 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 36 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
35 #include "sandbox/linux/syscall_broker/broker_file_permission.h" | 37 #include "sandbox/linux/syscall_broker/broker_file_permission.h" |
36 #include "sandbox/linux/syscall_broker/broker_process.h" | 38 #include "sandbox/linux/syscall_broker/broker_process.h" |
37 #include "sandbox/linux/system_headers/linux_syscalls.h" | 39 #include "sandbox/linux/system_headers/linux_syscalls.h" |
| 40 #include "ui/gl/init/gl_factory.h" |
38 | 41 |
39 using sandbox::arch_seccomp_data; | 42 using sandbox::arch_seccomp_data; |
40 using sandbox::bpf_dsl::Allow; | 43 using sandbox::bpf_dsl::Allow; |
41 using sandbox::bpf_dsl::ResultExpr; | 44 using sandbox::bpf_dsl::ResultExpr; |
42 using sandbox::bpf_dsl::Trap; | 45 using sandbox::bpf_dsl::Trap; |
43 using sandbox::syscall_broker::BrokerFilePermission; | 46 using sandbox::syscall_broker::BrokerFilePermission; |
44 using sandbox::syscall_broker::BrokerProcess; | 47 using sandbox::syscall_broker::BrokerProcess; |
45 using sandbox::SyscallSets; | 48 using sandbox::SyscallSets; |
46 | 49 |
47 namespace content { | 50 namespace content { |
(...skipping 275 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
323 dlopen(I965HybridDrvVideoPath, RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); | 326 dlopen(I965HybridDrvVideoPath, RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); |
324 dlopen("libva.so.1", RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); | 327 dlopen("libva.so.1", RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); |
325 #if defined(USE_OZONE) | 328 #if defined(USE_OZONE) |
326 dlopen("libva-drm.so.1", RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); | 329 dlopen("libva-drm.so.1", RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); |
327 #elif defined(USE_X11) | 330 #elif defined(USE_X11) |
328 dlopen("libva-x11.so.1", RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); | 331 dlopen("libva-x11.so.1", RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); |
329 #endif | 332 #endif |
330 } | 333 } |
331 } | 334 } |
332 | 335 |
| 336 // If kGpuSandboxStartEarly is set then we need to warmup by loading gl and |
| 337 // driver libraries before to actually run the sandbox. Another approach would |
| 338 // be to white list these libraries using the broker file permissons. But |
| 339 // that would require to white list all single dependencies which is not easy |
| 340 // and there is no much value compared to the following. |
| 341 const base::CommandLine& command_line = |
| 342 *base::CommandLine::ForCurrentProcess(); |
| 343 if (command_line.HasSwitch(switches::kGpuSandboxStartEarly)) { |
| 344 gl::GLImplementation gl_iml = gl::kGLImplementationNone; |
| 345 std::vector<gl::GLImplementation> allowed_impls = |
| 346 gl::init::GetAllowedGLImplementations(); |
| 347 bool fallback_to_osmesa = false; |
| 348 bool result = |
| 349 gl::SelectGLImplementation(allowed_impls, &gl_iml, &fallback_to_osmesa); |
| 350 if (!result) |
| 351 LOG(ERROR) << "Failed to select a gl implementation"; |
| 352 |
| 353 std::vector<std::string> driver_libraries; |
| 354 if (result) { |
| 355 result = gl::init::GetNativeLibraryNamesFromGLImplementation( |
| 356 gl_iml, &driver_libraries); |
| 357 if (!result) { |
| 358 LOG(ERROR) << "Failed to retrieve libraries for " |
| 359 << gl::GetGLImplementationName(gl_iml); |
| 360 } |
| 361 } |
| 362 |
| 363 #if defined(DRI_DRIVER_DIR) |
| 364 // Mesa always fallback to software driver in the 3 following cases: |
| 365 // 1- there is no real driver. |
| 366 // 2- it fails to load a real driver. |
| 367 // 3- User set the env var LIBGL_ALWAYS_SOFTWARE. |
| 368 if (result && command_line.HasSwitch(switches::kGpuDriverVendor) && |
| 369 command_line.GetSwitchValueASCII(switches::kGpuDriverVendor) == |
| 370 "Mesa") { |
| 371 base::FilePath swrast_lib(DRI_DRIVER_DIR); |
| 372 swrast_lib = swrast_lib.Append("swrast_dri.so"); |
| 373 driver_libraries.push_back(swrast_lib.value()); |
| 374 } |
| 375 #endif |
| 376 |
| 377 for (const auto& lib_name : driver_libraries) { |
| 378 void* dl = |
| 379 dlopen(lib_name.c_str(), RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE); |
| 380 if (!dl) { |
| 381 LOG(ERROR) << "Failed to open " << lib_name << " with error " |
| 382 << dlerror(); |
| 383 } |
| 384 } |
| 385 } |
| 386 |
333 return true; | 387 return true; |
334 } | 388 } |
335 | 389 |
336 void GpuProcessPolicy::InitGpuBrokerProcess( | 390 void GpuProcessPolicy::InitGpuBrokerProcess( |
337 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void), | 391 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void), |
338 const std::vector<BrokerFilePermission>& permissions_extra) { | 392 const std::vector<BrokerFilePermission>& permissions_extra) { |
339 static const char kDriRcPath[] = "/etc/drirc"; | 393 static const char kDriRcPath[] = "/etc/drirc"; |
340 static const char kDriCard0Path[] = "/dev/dri/card0"; | 394 static const char kDriCard0Path[] = "/dev/dri/card0"; |
341 static const char kDriCardBasePath[] = "/dev/dri/card"; | 395 static const char kDriCardBasePath[] = "/dev/dri/card"; |
342 | 396 |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
385 } | 439 } |
386 | 440 |
387 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions); | 441 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions); |
388 // The initialization callback will perform generic initialization and then | 442 // The initialization callback will perform generic initialization and then |
389 // call broker_sandboxer_callback. | 443 // call broker_sandboxer_callback. |
390 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, | 444 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, |
391 broker_sandboxer_allocator))); | 445 broker_sandboxer_allocator))); |
392 } | 446 } |
393 | 447 |
394 } // namespace content | 448 } // namespace content |
OLD | NEW |