OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" |
6 | 6 |
7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
11 #include <sys/stat.h> | 11 #include <sys/stat.h> |
12 #include <sys/types.h> | 12 #include <sys/types.h> |
13 #include <unistd.h> | 13 #include <unistd.h> |
14 | 14 |
15 #include <string> | 15 #include <string> |
16 #include <vector> | 16 #include <vector> |
17 | 17 |
18 #include "base/bind.h" | 18 #include "base/bind.h" |
19 #include "base/command_line.h" | 19 #include "base/command_line.h" |
20 #include "base/compiler_specific.h" | 20 #include "base/compiler_specific.h" |
21 #include "base/logging.h" | 21 #include "base/logging.h" |
22 #include "base/memory/scoped_ptr.h" | 22 #include "base/memory/scoped_ptr.h" |
23 #include "build/build_config.h" | 23 #include "build/build_config.h" |
| 24 // Auto-generated for dlopen libva libraries |
| 25 #include "content/common/gpu/media/va_stubs.h" |
24 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" | 26 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" |
25 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" | 27 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h" |
26 #include "content/common/set_process_title.h" | 28 #include "content/common/set_process_title.h" |
27 #include "content/public/common/content_switches.h" | 29 #include "content/public/common/content_switches.h" |
28 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" | 30 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" |
29 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 31 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
30 #include "sandbox/linux/services/broker_process.h" | 32 #include "sandbox/linux/services/broker_process.h" |
31 #include "sandbox/linux/services/linux_syscalls.h" | 33 #include "sandbox/linux/services/linux_syscalls.h" |
| 34 #include "third_party/libva/va/va.h" |
| 35 #include "third_party/libva/va/va_x11.h" |
32 | 36 |
33 using sandbox::BrokerProcess; | 37 using sandbox::BrokerProcess; |
34 using sandbox::ErrorCode; | 38 using sandbox::ErrorCode; |
35 using sandbox::SandboxBPF; | 39 using sandbox::SandboxBPF; |
36 using sandbox::SyscallSets; | 40 using sandbox::SyscallSets; |
37 using sandbox::arch_seccomp_data; | 41 using sandbox::arch_seccomp_data; |
38 | 42 |
| 43 using content_common_gpu_media::kModuleVa; |
| 44 using content_common_gpu_media::InitializeStubs; |
| 45 using content_common_gpu_media::StubPathMap; |
| 46 |
| 47 // libva-x11 depends on libva, so dlopen libva-x11 is enough |
| 48 static const base::FilePath::CharType kVaLib[] = |
| 49 FILE_PATH_LITERAL("libva-x11.so.1"); |
| 50 |
39 namespace content { | 51 namespace content { |
40 | 52 |
41 namespace { | 53 namespace { |
42 | 54 |
43 inline bool IsChromeOS() { | 55 inline bool IsChromeOS() { |
44 #if defined(OS_CHROMEOS) | 56 #if defined(OS_CHROMEOS) |
45 return true; | 57 return true; |
46 #else | 58 #else |
47 return false; | 59 return false; |
48 #endif | 60 #endif |
(...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
201 base::Bind(&SandboxSeccompBPF::StartSandboxWithExternalPolicy, | 213 base::Bind(&SandboxSeccompBPF::StartSandboxWithExternalPolicy, |
202 base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>( | 214 base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>( |
203 new GpuBrokerProcessPolicy))), | 215 new GpuBrokerProcessPolicy))), |
204 std::vector<std::string>(), // No extra files in whitelist. | 216 std::vector<std::string>(), // No extra files in whitelist. |
205 std::vector<std::string>()); | 217 std::vector<std::string>()); |
206 | 218 |
207 if (IsArchitectureX86_64() || IsArchitectureI386()) { | 219 if (IsArchitectureX86_64() || IsArchitectureI386()) { |
208 // Accelerated video decode dlopen()'s some shared objects | 220 // Accelerated video decode dlopen()'s some shared objects |
209 // inside the sandbox, so preload them now. | 221 // inside the sandbox, so preload them now. |
210 if (IsAcceleratedVideoDecodeEnabled()) { | 222 if (IsAcceleratedVideoDecodeEnabled()) { |
211 const char* I965DrvVideoPath = NULL; | 223 StubPathMap paths; |
212 | 224 paths[kModuleVa].push_back(kVaLib); |
213 if (IsArchitectureX86_64()) { | 225 if (!InitializeStubs(paths)) { |
214 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; | 226 return false; |
215 } else if (IsArchitectureI386()) { | |
216 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; | |
217 } | 227 } |
218 | 228 |
219 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 229 // libva drivers won't get loaded even above two libraries get dlopened. |
220 dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 230 // Thus, libva calls will fail after post sandbox stage. |
221 dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 231 // |
222 } | 232 // To get the va driver loadded before sandboxing, upstream simply dlopen |
223 } | 233 // the hard-coded va driver path because ChromeOS is the only platform |
| 234 // that Google want to support libva. |
| 235 // |
| 236 // While generic linux distros ship va driver as anywhere they want. |
| 237 // Fortunately, the va driver will be loadded when vaInitialize() get |
| 238 // called. |
| 239 // So the following code is to call vaInitialize() before sandboxing. |
| 240 Display* x_display = XOpenDisplay(NULL); |
| 241 VADisplay va_display = vaGetDisplay(x_display); |
| 242 if (!vaDisplayIsValid(va_display)) { |
| 243 DVLOG(1) << "Failed to call vaGetDisplay()"; |
| 244 return false; |
| 245 } |
| 246 |
| 247 int major_version, minor_version; |
| 248 if (vaInitialize(va_display, &major_version, &minor_version) |
| 249 != VA_STATUS_SUCCESS) { |
| 250 DVLOG(1) << "Failed to call vaInitialize()"; |
| 251 return false; |
| 252 } |
| 253 } // end of IsAcceleratedVideoDecodeEnabled() |
| 254 } // end of IsArchitectureX86_64() || IsArchitectureI386() |
224 | 255 |
225 return true; | 256 return true; |
226 } | 257 } |
227 | 258 |
228 void GpuProcessPolicy::InitGpuBrokerProcess( | 259 void GpuProcessPolicy::InitGpuBrokerProcess( |
229 const base::Callback<bool(void)>& broker_sandboxer_callback, | 260 const base::Callback<bool(void)>& broker_sandboxer_callback, |
230 const std::vector<std::string>& read_whitelist_extra, | 261 const std::vector<std::string>& read_whitelist_extra, |
231 const std::vector<std::string>& write_whitelist_extra) { | 262 const std::vector<std::string>& write_whitelist_extra) { |
232 static const char kDriRcPath[] = "/etc/drirc"; | 263 static const char kDriRcPath[] = "/etc/drirc"; |
233 static const char kDriCard0Path[] = "/dev/dri/card0"; | 264 static const char kDriCard0Path[] = "/dev/dri/card0"; |
(...skipping 19 matching lines...) Expand all Loading... |
253 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), | 284 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), |
254 read_whitelist, | 285 read_whitelist, |
255 write_whitelist); | 286 write_whitelist); |
256 // The initialization callback will perform generic initialization and then | 287 // The initialization callback will perform generic initialization and then |
257 // call broker_sandboxer_callback. | 288 // call broker_sandboxer_callback. |
258 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, | 289 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, |
259 broker_sandboxer_callback))); | 290 broker_sandboxer_callback))); |
260 } | 291 } |
261 | 292 |
262 } // namespace content | 293 } // namespace content |
OLD | NEW |