sandbox: Extend BrokerPolicy to support file creation

content/common/sandbox_linux/bpf_gpu_policy_linux.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
 
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/socket.h>
@@ skipping 14 matching lines @@
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/public/common/content_switches.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/syscall_broker/broker_process.h"
 
 using sandbox::BrokerProcess;
+using sandbox::syscall_broker::BrokerPermission;
 using sandbox::SyscallSets;
 using sandbox::arch_seccomp_data;
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::ResultExpr;
 using sandbox::bpf_dsl::Trap;
 
 namespace content {
 
 namespace {
 
@@ skipping 87 matching lines @@
 };
 
 // x86_64/i386 or desktop ARM.
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
 ResultExpr GpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
+    case __NR_unlink:
       return Allow();
     default:
       return GpuProcessPolicy::EvaluateSyscall(sysno);
   }
 }
 
 void UpdateProcessTypeToGpuBroker() {
   base::CommandLine::StringVector exec =
       base::CommandLine::ForCurrentProcess()->GetArgs();
   base::CommandLine::Reset();
@@ skipping 41 matching lines @@
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
     // The Nvidia driver uses flags not in the baseline policy
     // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
     case __NR_mmap:
 #endif
     // We also hit this on the linux_chromeos bot but don't yet know what
     // weird flags were involved.
     case __NR_mprotect:
     // TODO(jln): restrict prctl.
     case __NR_prctl:
+    case __NR_ftruncate:
       return Allow();
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       DCHECK(broker_process_);
       return Trap(GpuSIGSYS_Handler, broker_process_);
     case __NR_setpriority:
       return sandbox::RestrictGetSetpriority(GetPolicyPid());
     case __NR_sched_getaffinity:
     case __NR_sched_setaffinity:
@@ skipping 11 matching lines @@
   // Warm up resources needed by the policy we're about to enable and
   // eventually start a broker process.
   const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm();
   // This policy is for x86 or Desktop.
   DCHECK(!chromeos_arm_gpu);
 
   DCHECK(!broker_process());
   // Create a new broker process.
   InitGpuBrokerProcess(
       GpuBrokerProcessPolicy::Create,
-      std::vector<std::string>(),  // No extra files in whitelist.
-      std::vector<std::string>());
+      std::vector<BrokerPermission>());  // No extra files in whitelist.
 
   if (IsArchitectureX86_64() || IsArchitectureI386()) {
     // Accelerated video dlopen()'s some shared objects
     // inside the sandbox, so preload them now.
     if (IsAcceleratedVideoEnabled()) {
       const char* I965DrvVideoPath = NULL;
 
       if (IsArchitectureX86_64()) {
         I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
       } else if (IsArchitectureI386()) {
         I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
       }
 
       dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
       dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
       dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
     }
   }
 
   return true;
 }
 
 void GpuProcessPolicy::InitGpuBrokerProcess(
     sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
-    const std::vector<std::string>& read_whitelist_extra,
-    const std::vector<std::string>& write_whitelist_extra) {
+    const std::vector<BrokerPermission>& permissions_extra) {
   static const char kDriRcPath[] = "/etc/drirc";
   static const char kDriCard0Path[] = "/dev/dri/card0";
+  static const char kShm[] = "/dev/shm/";
 
   CHECK(broker_process_ == NULL);
 
   // All GPU process policies need these files brokered out.
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back(kDriCard0Path);
-  read_whitelist.push_back(kDriRcPath);
-  // Add eventual extra files from read_whitelist_extra.
-  read_whitelist.insert(read_whitelist.end(),
-                        read_whitelist_extra.begin(),
-                        read_whitelist_extra.end());
+  std::vector<BrokerPermission> permissions;
+  permissions.push_back(BROKER_PERM_READ_WRITE(kDriCard0Path));
+  permissions.push_back(BROKER_PERM_READ_ONLY(kDriRcPath));
+  permissions.push_back(BROKER_PERM_READ_WRITE_CREATE_UNLINK_RECURSIVE(kShm));
 
-  std::vector<std::string> write_whitelist;
-  write_whitelist.push_back(kDriCard0Path);
-  // Add eventual extra files from write_whitelist_extra.
-  write_whitelist.insert(write_whitelist.end(),
-                         write_whitelist_extra.begin(),
-                         write_whitelist_extra.end());
+  // Add eventual extra files from permissions_extra.
+  permissions.insert(permissions.end(), permissions_extra.begin(),
+                     permissions_extra.end());
 
-  broker_process_ = new BrokerProcess(GetFSDeniedErrno(),
-                                      read_whitelist,
-                                      write_whitelist);
+  broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions);
   // The initialization callback will perform generic initialization and then
   // call broker_sandboxer_callback.
   CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
                                          broker_sandboxer_allocator)));
 }
 
 }  // namespace content