Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(562)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_linux/bpf_gpu_policy_linux.cc

Issue 2870213003: Remove /dev/dri/card0 from sandbox whitelist (Closed)
Patch Set: updated description Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" 5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
6 6
7 #include <dlfcn.h> 7 #include <dlfcn.h>
8 #include <errno.h> 8 #include <errno.h>
9 #include <fcntl.h> 9 #include <fcntl.h>
10 #include <sys/socket.h> 10 #include <sys/socket.h>
(...skipping 319 matching lines...) Expand 10 before | Expand all | Expand 10 after
330 } 330 }
331 } 331 }
332 332
333 return true; 333 return true;
334 } 334 }
335 335
336 void GpuProcessPolicy::InitGpuBrokerProcess( 336 void GpuProcessPolicy::InitGpuBrokerProcess(
337 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void), 337 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
338 const std::vector<BrokerFilePermission>& permissions_extra) { 338 const std::vector<BrokerFilePermission>& permissions_extra) {
339 static const char kDriRcPath[] = "/etc/drirc"; 339 static const char kDriRcPath[] = "/etc/drirc";
340 static const char kDriCard0Path[] = "/dev/dri/card0";
341 static const char kDriCardBasePath[] = "/dev/dri/card"; 340 static const char kDriCardBasePath[] = "/dev/dri/card";
342 341
343 static const char kNvidiaCtlPath[] = "/dev/nvidiactl"; 342 static const char kNvidiaCtlPath[] = "/dev/nvidiactl";
344 static const char kNvidiaDeviceBasePath[] = "/dev/nvidia"; 343 static const char kNvidiaDeviceBasePath[] = "/dev/nvidia";
345 static const char kNvidiaParamsPath[] = "/proc/driver/nvidia/params"; 344 static const char kNvidiaParamsPath[] = "/proc/driver/nvidia/params";
346 345
347 static const char kDevShm[] = "/dev/shm/"; 346 static const char kDevShm[] = "/dev/shm/";
348 347
349 CHECK(broker_process_ == NULL); 348 CHECK(broker_process_ == NULL);
350 349
351 // All GPU process policies need these files brokered out. 350 // All GPU process policies need these files brokered out.
352 std::vector<BrokerFilePermission> permissions; 351 std::vector<BrokerFilePermission> permissions;
353 permissions.push_back(BrokerFilePermission::ReadWrite(kDriCard0Path));
354 permissions.push_back(BrokerFilePermission::ReadOnly(kDriRcPath)); 352 permissions.push_back(BrokerFilePermission::ReadOnly(kDriRcPath));
355 353
356 if (!IsChromeOS()) { 354 if (!IsChromeOS()) {
357 // For shared memory. 355 // For shared memory.
358 permissions.push_back( 356 permissions.push_back(
359 BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm)); 357 BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm));
360 // For multi-card DRI setups. NOTE: /dev/dri/card0 was already added above. 358 // For multi-card DRI setups. NOTE: /dev/dri/card0 was already added above.
Jorge Lucangeli Obes (Google) 2017/05/16 14:40:06 Remove NOTE, and change comment since this will co
dnicoara 2017/05/16 16:14:41 Done. Ahh, I can't believe I didn't spot it. Thank
361 for (int i = 1; i <= 9; ++i) { 359 for (int i = 0; i <= 9; ++i) {
362 permissions.push_back(BrokerFilePermission::ReadWrite( 360 permissions.push_back(BrokerFilePermission::ReadWrite(
363 base::StringPrintf("%s%d", kDriCardBasePath, i))); 361 base::StringPrintf("%s%d", kDriCardBasePath, i)));
364 } 362 }
365 // For Nvidia GLX driver. 363 // For Nvidia GLX driver.
366 permissions.push_back(BrokerFilePermission::ReadWrite(kNvidiaCtlPath)); 364 permissions.push_back(BrokerFilePermission::ReadWrite(kNvidiaCtlPath));
367 for (int i = 0; i <= 9; ++i) { 365 for (int i = 0; i <= 9; ++i) {
368 permissions.push_back(BrokerFilePermission::ReadWrite( 366 permissions.push_back(BrokerFilePermission::ReadWrite(
369 base::StringPrintf("%s%d", kNvidiaDeviceBasePath, i))); 367 base::StringPrintf("%s%d", kNvidiaDeviceBasePath, i)));
370 } 368 }
371 permissions.push_back(BrokerFilePermission::ReadOnly(kNvidiaParamsPath)); 369 permissions.push_back(BrokerFilePermission::ReadOnly(kNvidiaParamsPath));
(...skipping 13 matching lines...) Expand all
385 } 383 }
386 384
387 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions); 385 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions);
388 // The initialization callback will perform generic initialization and then 386 // The initialization callback will perform generic initialization and then
389 // call broker_sandboxer_callback. 387 // call broker_sandboxer_callback.
390 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, 388 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
391 broker_sandboxer_allocator))); 389 broker_sandboxer_allocator)));
392 } 390 }
393 391
394 } // namespace content 392 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698