OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" |
6 | 6 |
7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
(...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
99 return -EPERM; | 99 return -EPERM; |
100 } | 100 } |
101 default: | 101 default: |
102 RAW_CHECK(false); | 102 RAW_CHECK(false); |
103 return -ENOSYS; | 103 return -ENOSYS; |
104 } | 104 } |
105 } | 105 } |
106 | 106 |
107 class GpuBrokerProcessPolicy : public GpuProcessPolicy { | 107 class GpuBrokerProcessPolicy : public GpuProcessPolicy { |
108 public: | 108 public: |
109 GpuBrokerProcessPolicy() {} | 109 static sandbox::SandboxBPFPolicy* Create() { |
| 110 return new GpuBrokerProcessPolicy(); |
| 111 } |
110 virtual ~GpuBrokerProcessPolicy() {} | 112 virtual ~GpuBrokerProcessPolicy() {} |
111 | 113 |
112 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, | 114 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
113 int system_call_number) const OVERRIDE; | 115 int system_call_number) const OVERRIDE; |
114 | 116 |
115 private: | 117 private: |
| 118 GpuBrokerProcessPolicy() {} |
116 DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy); | 119 DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy); |
117 }; | 120 }; |
118 | 121 |
119 // x86_64/i386 or desktop ARM. | 122 // x86_64/i386 or desktop ARM. |
120 // A GPU broker policy is the same as a GPU policy with open and | 123 // A GPU broker policy is the same as a GPU policy with open and |
121 // openat allowed. | 124 // openat allowed. |
122 ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, | 125 ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
123 int sysno) const { | 126 int sysno) const { |
124 switch (sysno) { | 127 switch (sysno) { |
125 case __NR_access: | 128 case __NR_access: |
(...skipping 13 matching lines...) Expand all Loading... |
139 CommandLine::ForCurrentProcess()->AppendSwitchASCII(switches::kProcessType, | 142 CommandLine::ForCurrentProcess()->AppendSwitchASCII(switches::kProcessType, |
140 "gpu-broker"); | 143 "gpu-broker"); |
141 | 144 |
142 // Update the process title. The argv was already cached by the call to | 145 // Update the process title. The argv was already cached by the call to |
143 // SetProcessTitleFromCommandLine in content_main_runner.cc, so we can pass | 146 // SetProcessTitleFromCommandLine in content_main_runner.cc, so we can pass |
144 // NULL here (we don't have the original argv at this point). | 147 // NULL here (we don't have the original argv at this point). |
145 SetProcessTitleFromCommandLine(NULL); | 148 SetProcessTitleFromCommandLine(NULL); |
146 } | 149 } |
147 | 150 |
148 bool UpdateProcessTypeAndEnableSandbox( | 151 bool UpdateProcessTypeAndEnableSandbox( |
149 const base::Callback<bool(void)>& broker_sandboxer_callback) { | 152 sandbox::SandboxBPFPolicy* (*broker_sandboxer_allocator)(void)) { |
| 153 DCHECK(broker_sandboxer_allocator); |
150 UpdateProcessTypeToGpuBroker(); | 154 UpdateProcessTypeToGpuBroker(); |
151 return broker_sandboxer_callback.Run(); | 155 return SandboxSeccompBPF::StartSandboxWithExternalPolicy( |
| 156 make_scoped_ptr(broker_sandboxer_allocator())); |
152 } | 157 } |
153 | 158 |
154 } // namespace | 159 } // namespace |
155 | 160 |
156 GpuProcessPolicy::GpuProcessPolicy() : broker_process_(NULL) {} | 161 GpuProcessPolicy::GpuProcessPolicy() : broker_process_(NULL) {} |
157 | 162 |
158 GpuProcessPolicy::~GpuProcessPolicy() {} | 163 GpuProcessPolicy::~GpuProcessPolicy() {} |
159 | 164 |
160 // Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy. | 165 // Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy. |
161 ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, | 166 ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, |
(...skipping 29 matching lines...) Expand all Loading... |
191 bool GpuProcessPolicy::PreSandboxHook() { | 196 bool GpuProcessPolicy::PreSandboxHook() { |
192 // Warm up resources needed by the policy we're about to enable and | 197 // Warm up resources needed by the policy we're about to enable and |
193 // eventually start a broker process. | 198 // eventually start a broker process. |
194 const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm(); | 199 const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm(); |
195 // This policy is for x86 or Desktop. | 200 // This policy is for x86 or Desktop. |
196 DCHECK(!chromeos_arm_gpu); | 201 DCHECK(!chromeos_arm_gpu); |
197 | 202 |
198 DCHECK(!broker_process()); | 203 DCHECK(!broker_process()); |
199 // Create a new broker process. | 204 // Create a new broker process. |
200 InitGpuBrokerProcess( | 205 InitGpuBrokerProcess( |
201 base::Bind(&SandboxSeccompBPF::StartSandboxWithExternalPolicy, | 206 GpuBrokerProcessPolicy::Create, |
202 base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>( | |
203 new GpuBrokerProcessPolicy))), | |
204 std::vector<std::string>(), // No extra files in whitelist. | 207 std::vector<std::string>(), // No extra files in whitelist. |
205 std::vector<std::string>()); | 208 std::vector<std::string>()); |
206 | 209 |
207 if (IsArchitectureX86_64() || IsArchitectureI386()) { | 210 if (IsArchitectureX86_64() || IsArchitectureI386()) { |
208 // Accelerated video decode dlopen()'s some shared objects | 211 // Accelerated video decode dlopen()'s some shared objects |
209 // inside the sandbox, so preload them now. | 212 // inside the sandbox, so preload them now. |
210 if (IsAcceleratedVideoDecodeEnabled()) { | 213 if (IsAcceleratedVideoDecodeEnabled()) { |
211 const char* I965DrvVideoPath = NULL; | 214 const char* I965DrvVideoPath = NULL; |
212 | 215 |
213 if (IsArchitectureX86_64()) { | 216 if (IsArchitectureX86_64()) { |
214 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; | 217 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so"; |
215 } else if (IsArchitectureI386()) { | 218 } else if (IsArchitectureI386()) { |
216 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; | 219 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so"; |
217 } | 220 } |
218 | 221 |
219 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 222 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
220 dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 223 dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
221 dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); | 224 dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
222 } | 225 } |
223 } | 226 } |
224 | 227 |
225 return true; | 228 return true; |
226 } | 229 } |
227 | 230 |
228 void GpuProcessPolicy::InitGpuBrokerProcess( | 231 void GpuProcessPolicy::InitGpuBrokerProcess( |
229 const base::Callback<bool(void)>& broker_sandboxer_callback, | 232 sandbox::SandboxBPFPolicy* (*broker_sandboxer_allocator)(void), |
230 const std::vector<std::string>& read_whitelist_extra, | 233 const std::vector<std::string>& read_whitelist_extra, |
231 const std::vector<std::string>& write_whitelist_extra) { | 234 const std::vector<std::string>& write_whitelist_extra) { |
232 static const char kDriRcPath[] = "/etc/drirc"; | 235 static const char kDriRcPath[] = "/etc/drirc"; |
233 static const char kDriCard0Path[] = "/dev/dri/card0"; | 236 static const char kDriCard0Path[] = "/dev/dri/card0"; |
234 | 237 |
235 CHECK(broker_process_ == NULL); | 238 CHECK(broker_process_ == NULL); |
236 | 239 |
237 // All GPU process policies need these files brokered out. | 240 // All GPU process policies need these files brokered out. |
238 std::vector<std::string> read_whitelist; | 241 std::vector<std::string> read_whitelist; |
239 read_whitelist.push_back(kDriCard0Path); | 242 read_whitelist.push_back(kDriCard0Path); |
240 read_whitelist.push_back(kDriRcPath); | 243 read_whitelist.push_back(kDriRcPath); |
241 // Add eventual extra files from read_whitelist_extra. | 244 // Add eventual extra files from read_whitelist_extra. |
242 read_whitelist.insert(read_whitelist.end(), | 245 read_whitelist.insert(read_whitelist.end(), |
243 read_whitelist_extra.begin(), | 246 read_whitelist_extra.begin(), |
244 read_whitelist_extra.end()); | 247 read_whitelist_extra.end()); |
245 | 248 |
246 std::vector<std::string> write_whitelist; | 249 std::vector<std::string> write_whitelist; |
247 write_whitelist.push_back(kDriCard0Path); | 250 write_whitelist.push_back(kDriCard0Path); |
248 // Add eventual extra files from write_whitelist_extra. | 251 // Add eventual extra files from write_whitelist_extra. |
249 write_whitelist.insert(write_whitelist.end(), | 252 write_whitelist.insert(write_whitelist.end(), |
250 write_whitelist_extra.begin(), | 253 write_whitelist_extra.begin(), |
251 write_whitelist_extra.end()); | 254 write_whitelist_extra.end()); |
252 | 255 |
253 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), | 256 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), |
254 read_whitelist, | 257 read_whitelist, |
255 write_whitelist); | 258 write_whitelist); |
256 // The initialization callback will perform generic initialization and then | 259 // The initialization callback will perform generic initialization and then |
257 // call broker_sandboxer_callback. | 260 // call broker_sandboxer_callback. |
258 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, | 261 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, |
259 broker_sandboxer_callback))); | 262 broker_sandboxer_allocator))); |
260 } | 263 } |
261 | 264 |
262 } // namespace content | 265 } // namespace content |
OLD | NEW |