| OLD | NEW |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" |
| 6 | 6 |
| 7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
| 8 #include <errno.h> | 8 #include <errno.h> |
| 9 #include <fcntl.h> | 9 #include <fcntl.h> |
| 10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
| 65 read_whitelist->push_back(kDevMfcDecPath); | 65 read_whitelist->push_back(kDevMfcDecPath); |
| 66 read_whitelist->push_back(kDevGsc1Path); | 66 read_whitelist->push_back(kDevGsc1Path); |
| 67 read_whitelist->push_back(kDevMfcEncPath); | 67 read_whitelist->push_back(kDevMfcEncPath); |
| 68 | 68 |
| 69 write_whitelist->push_back(kMali0Path); | 69 write_whitelist->push_back(kMali0Path); |
| 70 write_whitelist->push_back(kDevMfcDecPath); | 70 write_whitelist->push_back(kDevMfcDecPath); |
| 71 write_whitelist->push_back(kDevGsc1Path); | 71 write_whitelist->push_back(kDevGsc1Path); |
| 72 write_whitelist->push_back(kDevMfcEncPath); | 72 write_whitelist->push_back(kDevMfcEncPath); |
| 73 } | 73 } |
| 74 | 74 |
| 75 void AddArmTegraGpuWhitelist(std::vector<std::string>* read_whitelist, | |
| 76 std::vector<std::string>* write_whitelist) { | |
| 77 // Device files needed by the Tegra GPU userspace. | |
| 78 static const char kDevNvhostCtrlPath[] = "/dev/nvhost-ctrl"; | |
| 79 static const char kDevNvhostIspPath[] = "/dev/nvhost-isp"; | |
| 80 static const char kDevNvhostViPath[] = "/dev/nvhost-vi"; | |
| 81 static const char kDevNvmapPath[] = "/dev/nvmap"; | |
| 82 static const char kDevNvhostGpuPath[] = "/dev/nvhost-gpu"; | |
| 83 static const char kDevNvhostAsGpuPath[] = "/dev/nvhost-as-gpu"; | |
| 84 static const char kDevNvhostCtrlGpuPath[] = "/dev/nvhost-ctrl-gpu"; | |
| 85 static const char kSysDevicesSocIDPath[] = "/sys/devices/soc0/soc_id"; | |
| 86 static const char kSysDevicesSocRevPath[] = "/sys/devices/soc0/revision"; | |
| 87 // TODO(davidung): remove these device nodes before nyan launch. | |
| 88 | |
| 89 read_whitelist->push_back(kDevNvhostCtrlPath); | |
| 90 read_whitelist->push_back(kDevNvhostIspPath); | |
| 91 read_whitelist->push_back(kDevNvhostViPath); | |
| 92 read_whitelist->push_back(kDevNvmapPath); | |
| 93 read_whitelist->push_back(kDevNvhostGpuPath); | |
| 94 read_whitelist->push_back(kDevNvhostAsGpuPath); | |
| 95 read_whitelist->push_back(kDevNvhostCtrlGpuPath); | |
| 96 read_whitelist->push_back(kSysDevicesSocIDPath); | |
| 97 read_whitelist->push_back(kSysDevicesSocRevPath); | |
| 98 | |
| 99 write_whitelist->push_back(kDevNvhostCtrlPath); | |
| 100 write_whitelist->push_back(kDevNvhostIspPath); | |
| 101 write_whitelist->push_back(kDevNvhostViPath); | |
| 102 write_whitelist->push_back(kDevNvmapPath); | |
| 103 write_whitelist->push_back(kDevNvhostGpuPath); | |
| 104 write_whitelist->push_back(kDevNvhostAsGpuPath); | |
| 105 write_whitelist->push_back(kDevNvhostCtrlGpuPath); | |
| 106 } | |
| 107 | |
| 108 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, | 75 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, |
| 109 std::vector<std::string>* write_whitelist) { | 76 std::vector<std::string>* write_whitelist) { |
| 110 // On ARM we're enabling the sandbox before the X connection is made, | 77 // On ARM we're enabling the sandbox before the X connection is made, |
| 111 // so we need to allow access to |.Xauthority|. | 78 // so we need to allow access to |.Xauthority|. |
| 112 static const char kXAuthorityPath[] = "/home/chronos/.Xauthority"; | 79 static const char kXAuthorityPath[] = "/home/chronos/.Xauthority"; |
| 113 static const char kLdSoCache[] = "/etc/ld.so.cache"; | 80 static const char kLdSoCache[] = "/etc/ld.so.cache"; |
| 114 | 81 |
| 115 // Files needed by the ARM GPU userspace. | 82 // Files needed by the ARM GPU userspace. |
| 116 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; | 83 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; |
| 117 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; | 84 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; |
| 118 | 85 |
| 119 read_whitelist->push_back(kXAuthorityPath); | 86 read_whitelist->push_back(kXAuthorityPath); |
| 120 read_whitelist->push_back(kLdSoCache); | 87 read_whitelist->push_back(kLdSoCache); |
| 121 read_whitelist->push_back(kLibGlesPath); | 88 read_whitelist->push_back(kLibGlesPath); |
| 122 read_whitelist->push_back(kLibEglPath); | 89 read_whitelist->push_back(kLibEglPath); |
| 123 | 90 |
| 124 AddArmMaliGpuWhitelist(read_whitelist, write_whitelist); | 91 AddArmMaliGpuWhitelist(read_whitelist, write_whitelist); |
| 125 AddArmTegraGpuWhitelist(read_whitelist, write_whitelist); | |
| 126 } | 92 } |
| 127 | 93 |
| 128 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy { | 94 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy { |
| 129 public: | 95 public: |
| 130 CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} | 96 CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} |
| 131 virtual ~CrosArmGpuBrokerProcessPolicy() {} | 97 virtual ~CrosArmGpuBrokerProcessPolicy() {} |
| 132 | 98 |
| 133 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, | 99 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| 134 int system_call_number) const OVERRIDE; | 100 int system_call_number) const OVERRIDE; |
| 135 | 101 |
| 209 AddArmGpuWhitelist(&read_whitelist_extra, &write_whitelist_extra); | 175 AddArmGpuWhitelist(&read_whitelist_extra, &write_whitelist_extra); |
| 210 InitGpuBrokerProcess(EnableArmGpuBrokerPolicyCallback, | 176 InitGpuBrokerProcess(EnableArmGpuBrokerPolicyCallback, |
| 211 read_whitelist_extra, | 177 read_whitelist_extra, |
| 212 write_whitelist_extra); | 178 write_whitelist_extra); |
| 213 | 179 |
| 214 const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; | 180 const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; |
| 215 | 181 |
| 216 // Preload the Mali library. | 182 // Preload the Mali library. |
| 217 dlopen("/usr/lib/libmali.so", dlopen_flag); | 183 dlopen("/usr/lib/libmali.so", dlopen_flag); |
| 218 | 184 |
| 219 // Preload the Tegra libraries. | |
| 220 dlopen("/usr/lib/libnvrm.so", dlopen_flag); | |
| 221 dlopen("/usr/lib/libnvrm_graphics.so", dlopen_flag); | |
| 222 dlopen("/usr/lib/libnvidia-glsi.so", dlopen_flag); | |
| 223 dlopen("/usr/lib/libnvidia-rmapi-tegra.so", dlopen_flag); | |
| 224 dlopen("/usr/lib/libnvidia-eglcore.so", dlopen_flag); | |
| 225 // TODO(davidung): remove these libraries before nyan launch. | |
| 226 | |
| 227 return true; | 185 return true; |
| 228 } | 186 } |
| 229 | 187 |
| 230 } // namespace content | 188 } // namespace content |