
Side by Side Diff: content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc

Issue 251183004: Linux GPU sandbox: only allocate broker policy in the broker. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 7 months ago
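--- a/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h"
 
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/socket.h>
@@ -87,27 +87,30 @@
 read_whitelist->push_back(kXAuthorityPath);
 read_whitelist->push_back(kLdSoCache);
 read_whitelist->push_back(kLibGlesPath);
 read_whitelist->push_back(kLibEglPath);
 
 AddArmMaliGpuWhitelist(read_whitelist, write_whitelist);
 }
 
 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy {
 public:
-CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {}
+static sandbox::SandboxBPFPolicy* Create() {
+return new CrosArmGpuBrokerProcessPolicy();
+}
 virtual ~CrosArmGpuBrokerProcessPolicy() {}
 
 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
 int system_call_number) const OVERRIDE;
 
 private:
+CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {}
 DISALLOW_COPY_AND_ASSIGN(CrosArmGpuBrokerProcessPolicy);
 };
 
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
 ErrorCode CrosArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
 int sysno) const {
 switch (sysno) {
 case __NR_access:
 case __NR_open:
@@ -162,31 +165,28 @@
 bool CrosArmGpuProcessPolicy::PreSandboxHook() {
 DCHECK(IsChromeOS() && IsArchitectureArm());
 // Create a new broker process.
 DCHECK(!broker_process());
 
 std::vector<std::string> read_whitelist_extra;
 std::vector<std::string> write_whitelist_extra;
 // Add ARM-specific files to whitelist in the broker.
 
 AddArmGpuWhitelist(&read_whitelist_extra, &write_whitelist_extra);
-InitGpuBrokerProcess(
-base::Bind(&SandboxSeccompBPF::StartSandboxWithExternalPolicy,
-base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>(
-new CrosArmGpuBrokerProcessPolicy))),
-read_whitelist_extra,
-write_whitelist_extra);
+InitGpuBrokerProcess(CrosArmGpuBrokerProcessPolicy::Create,
+read_whitelist_extra,
+write_whitelist_extra);
 
 const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE;
 
 // Preload the Mali library.
 dlopen("/usr/lib/libmali.so", dlopen_flag);
 // Preload the Tegra V4L2 (video decode acceleration) library.
 dlopen("/usr/lib/libtegrav4l2.so", dlopen_flag);
 // Resetting errno since platform-specific libraries will fail on other
 // platforms.
 errno = 0;
 
 return true;
 }
 
 } // namespace content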
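Review bot: `Create()` in `CrosArmGpuBrokerProcessPolicy` returns a raw owning `sandbox::SandboxBPFPolicy*`, whereas the call it replaces in `PreSandboxHook()` wrapped the policy in a `scoped_ptr` and handed it over with `base::Passed`, so the ownership transfer is no longer visible in the types. `InitGpuBrokerProcess` is not shown on this page; presumably it invokes the factory inside the broker and takes ownership of the result, and that contract should be written at the factory, e.g. `// Returns a new policy; the caller takes ownership. Intended to be called only in the broker process.` Because this is the policy whose comment says it additionally allows open and openat (the `EvaluateSyscall` switch continues outside the visible lines), it would also help to note that the constructor was made private so the more permissive policy can only be built through `Create()`. If the callback type accepted by `InitGpuBrokerProcess` permits it, returning `scoped_ptr<sandbox::SandboxBPFPolicy>` from `Create()` would make the transfer explicit instead of relying on a comment.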
