sandbox: Extend BrokerPolicy to support file creation

content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc

Index: content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
diff --git a/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
index 20b8f94ea544d5c40fb55ec7caeaed2f118a04ae..da791409ef832f9b5aa7c595c2471e5f4bade752 100644
--- a/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc
@@ -25,7 +25,9 @@
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/services/linux_syscalls.h"
+#include "sandbox/linux/syscall_broker/broker_process.h"
 
+using sandbox::syscall_broker::BrokerPermission;
 using sandbox::SyscallSets;
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::Arg;
@@ -53,8 +55,7 @@ inline bool IsArchitectureArm() {
 #endif
 }
 
-void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist,
-                            std::vector<std::string>* write_whitelist) {
+void AddArmMaliGpuWhitelist(std::vector<BrokerPermission>* permissions) {
   // Device file needed by the ARM GPU userspace.
   static const char kMali0Path[] = "/dev/mali0";
 
@@ -65,19 +66,13 @@ void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist,
   // Devices needed for video encode acceleration on ARM.
   static const char kDevMfcEncPath[] = "/dev/mfc-enc";
 
-  read_whitelist->push_back(kMali0Path);
-  read_whitelist->push_back(kDevMfcDecPath);
-  read_whitelist->push_back(kDevGsc1Path);
-  read_whitelist->push_back(kDevMfcEncPath);
-
-  write_whitelist->push_back(kMali0Path);
-  write_whitelist->push_back(kDevMfcDecPath);
-  write_whitelist->push_back(kDevGsc1Path);
-  write_whitelist->push_back(kDevMfcEncPath);
+  permissions->push_back(BROKER_PERM_READ_WRITE(kMali0Path));
+  permissions->push_back(BROKER_PERM_READ_WRITE(kDevMfcDecPath));
+  permissions->push_back(BROKER_PERM_READ_WRITE(kDevGsc1Path));
+  permissions->push_back(BROKER_PERM_READ_WRITE(kDevMfcEncPath));
 }
 
-void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist,
-                        std::vector<std::string>* write_whitelist) {
+void AddArmGpuWhitelist(std::vector<BrokerPermission>* permissions) {
   // On ARM we're enabling the sandbox before the X connection is made,
   // so we need to allow access to |.Xauthority|.
   static const char kXAuthorityPath[] = "/home/chronos/.Xauthority";
@@ -87,12 +82,12 @@ void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist,
   static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2";
   static const char kLibEglPath[] = "/usr/lib/libEGL.so.1";
 
-  read_whitelist->push_back(kXAuthorityPath);
-  read_whitelist->push_back(kLdSoCache);
-  read_whitelist->push_back(kLibGlesPath);
-  read_whitelist->push_back(kLibEglPath);
+  permissions->push_back(BROKER_PERM_READ_ONLY(kXAuthorityPath));
+  permissions->push_back(BROKER_PERM_READ_ONLY(kLdSoCache));
+  permissions->push_back(BROKER_PERM_READ_ONLY(kLibGlesPath));
+  permissions->push_back(BROKER_PERM_READ_ONLY(kLibEglPath));
 
-  AddArmMaliGpuWhitelist(read_whitelist, write_whitelist);
+  AddArmMaliGpuWhitelist(permissions);
 }
 
 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy {
@@ -163,14 +158,12 @@ bool CrosArmGpuProcessPolicy::PreSandboxHook() {
   // Create a new broker process.
   DCHECK(!broker_process());
 
-  std::vector<std::string> read_whitelist_extra;
-  std::vector<std::string> write_whitelist_extra;
   // Add ARM-specific files to whitelist in the broker.
+  std::vector<BrokerPermission> permissions;
+
+  AddArmGpuWhitelist(&permissions);
 
-  AddArmGpuWhitelist(&read_whitelist_extra, &write_whitelist_extra);
-  InitGpuBrokerProcess(CrosArmGpuBrokerProcessPolicy::Create,
-                       read_whitelist_extra,
-                       write_whitelist_extra);
+  InitGpuBrokerProcess(CrosArmGpuBrokerProcessPolicy::Create, permissions);
 
   const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE;