Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1449)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/common/sandbox_linux/bpf_gpu_policy_linux.cc

Issue 251183004: Linux GPU sandbox: only allocate broker policy in the broker. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/common/sandbox_linux/bpf_gpu_policy_linux.h ('K') | « content/common/sandbox_linux/bpf_gpu_policy_linux.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/common/sandbox_linux/bpf_gpu_policy_linux.cc
diff --git a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
index b119c4251fc0fd5e36fd149654ae3343763b050f..8ea2600a7ed9a20695b921f4a652bb947f50917b 100644
--- a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
@@ -106,13 +106,16 @@ intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args,
class GpuBrokerProcessPolicy : public GpuProcessPolicy {
public:
- GpuBrokerProcessPolicy() {}
+ static sandbox::SandboxBPFPolicy* Create() {
+ return new GpuBrokerProcessPolicy();
+ }
virtual ~GpuBrokerProcessPolicy() {}
virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
int system_call_number) const OVERRIDE;
private:
+ GpuBrokerProcessPolicy() {}
DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
};
@@ -146,9 +149,11 @@ void UpdateProcessTypeToGpuBroker() {
}
bool UpdateProcessTypeAndEnableSandbox(
- const base::Callback<bool(void)>& broker_sandboxer_callback) {
+ sandbox::SandboxBPFPolicy* (*broker_sandboxer_allocator)(void)) {
+ DCHECK(broker_sandboxer_allocator);
UpdateProcessTypeToGpuBroker();
- return broker_sandboxer_callback.Run();
+ return SandboxSeccompBPF::StartSandboxWithExternalPolicy(
+ make_scoped_ptr(broker_sandboxer_allocator()));
}
} // namespace
@@ -198,9 +203,7 @@ bool GpuProcessPolicy::PreSandboxHook() {
DCHECK(!broker_process());
// Create a new broker process.
InitGpuBrokerProcess(
- base::Bind(&SandboxSeccompBPF::StartSandboxWithExternalPolicy,
- base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>(
- new GpuBrokerProcessPolicy))),
+ GpuBrokerProcessPolicy::Create,
std::vector<std::string>(), // No extra files in whitelist.
std::vector<std::string>());
@@ -226,7 +229,7 @@ bool GpuProcessPolicy::PreSandboxHook() {
}
void GpuProcessPolicy::InitGpuBrokerProcess(
- const base::Callback<bool(void)>& broker_sandboxer_callback,
+ sandbox::SandboxBPFPolicy* (*broker_sandboxer_allocator)(void),
const std::vector<std::string>& read_whitelist_extra,
const std::vector<std::string>& write_whitelist_extra) {
static const char kDriRcPath[] = "/etc/drirc";
@@ -256,7 +259,7 @@ void GpuProcessPolicy::InitGpuBrokerProcess(
// The initialization callback will perform generic initialization and then
// call broker_sandboxer_callback.
CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
- broker_sandboxer_callback)));
+ broker_sandboxer_allocator)));
}
} // namespace content
« content/common/sandbox_linux/bpf_gpu_policy_linux.h ('K') | « content/common/sandbox_linux/bpf_gpu_policy_linux.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698