| Index: content/common/sandbox_linux/bpf_gpu_policy_linux.cc
|
| diff --git a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
|
| index e1a33d02a9b9fa33e5220af1329775a2b6afad70..7fce03195198745fa07d6784c4fd502d7beebda6 100644
|
| --- a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
|
| +++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
|
| @@ -32,6 +32,7 @@
|
| #include "sandbox/linux/syscall_broker/broker_process.h"
|
|
|
| using sandbox::BrokerProcess;
|
| +using sandbox::syscall_broker::BrokerPermission;
|
| using sandbox::SyscallSets;
|
| using sandbox::arch_seccomp_data;
|
| using sandbox::bpf_dsl::Allow;
|
| @@ -139,6 +140,7 @@ ResultExpr GpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const {
|
| case __NR_access:
|
| case __NR_open:
|
| case __NR_openat:
|
| + case __NR_unlink:
|
| return Allow();
|
| default:
|
| return GpuProcessPolicy::EvaluateSyscall(sysno);
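Review bot: The new `case __NR_unlink:` in GpuBrokerProcessPolicy::EvaluateSyscall has no comment tying it to the broker's new unlink permission, so a later reader cannot tell whether the broker itself is meant to delete files or the case is a leftover. Once unlink is allowed here, the broker's own path check against its BrokerPermission list is the only control on what a request from the sandboxed GPU process can remove, which is worth stating next to the case, e.g. `case __NR_unlink:  // Services brokered unlink requests; the permission list decides the path.`. If the broker services deletes through unlinkat on some builds, that syscall would need listing too — I can't confirm from this hunk how BrokerProcess implements it. The switch in EvaluateSyscall starts and ends outside the hunk.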
|
| @@ -200,6 +202,7 @@ ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
|
| case __NR_mprotect:
|
| // TODO(jln): restrict prctl.
|
| case __NR_prctl:
|
| + case __NR_ftruncate:
|
| return Allow();
|
| case __NR_access:
|
| case __NR_open:
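Review bot: `case __NR_ftruncate:` is added to the GpuProcessPolicy Allow list without a note explaining why it is safe to permit in the sandboxed process, while the neighbouring prctl case carries a TODO recording its status. ftruncate only acts on a descriptor the process already holds, and every open in this policy is brokered, which is presumably the argument; recording it would keep the next reader from having to rediscover it, e.g. `// ftruncate only touches an fd the process already holds; opens are brokered.`. The relation to the /dev/shm permission granted later in this change is my inference from the same commit, so confirm before citing it in the comment. The enclosing switch continues outside the hunk.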
|
| @@ -231,8 +234,7 @@ bool GpuProcessPolicy::PreSandboxHook() {
|
| // Create a new broker process.
|
| InitGpuBrokerProcess(
|
| GpuBrokerProcessPolicy::Create,
|
| - std::vector<std::string>(), // No extra files in whitelist.
|
| - std::vector<std::string>());
|
| + std::vector<BrokerPermission>()); // No extra files in whitelist.
|
|
|
| if (IsArchitectureX86_64() || IsArchitectureI386()) {
|
| // Accelerated video dlopen()'s some shared objects
|
| @@ -257,32 +259,24 @@ bool GpuProcessPolicy::PreSandboxHook() {
|
|
|
| void GpuProcessPolicy::InitGpuBrokerProcess(
|
| sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
|
| - const std::vector<std::string>& read_whitelist_extra,
|
| - const std::vector<std::string>& write_whitelist_extra) {
|
| + const std::vector<BrokerPermission>& permissions_extra) {
|
| static const char kDriRcPath[] = "/etc/drirc";
|
| static const char kDriCard0Path[] = "/dev/dri/card0";
|
| + static const char kShm[] = "/dev/shm/";
|
|
|
| CHECK(broker_process_ == NULL);
|
|
|
| // All GPU process policies need these files brokered out.
|
| - std::vector<std::string> read_whitelist;
|
| - read_whitelist.push_back(kDriCard0Path);
|
| - read_whitelist.push_back(kDriRcPath);
|
| - // Add eventual extra files from read_whitelist_extra.
|
| - read_whitelist.insert(read_whitelist.end(),
|
| - read_whitelist_extra.begin(),
|
| - read_whitelist_extra.end());
|
| -
|
| - std::vector<std::string> write_whitelist;
|
| - write_whitelist.push_back(kDriCard0Path);
|
| - // Add eventual extra files from write_whitelist_extra.
|
| - write_whitelist.insert(write_whitelist.end(),
|
| - write_whitelist_extra.begin(),
|
| - write_whitelist_extra.end());
|
| -
|
| - broker_process_ = new BrokerProcess(GetFSDeniedErrno(),
|
| - read_whitelist,
|
| - write_whitelist);
|
| + std::vector<BrokerPermission> permissions;
|
| + permissions.push_back(BROKER_PERM_READ_WRITE(kDriCard0Path));
|
| + permissions.push_back(BROKER_PERM_READ_ONLY(kDriRcPath));
|
| + permissions.push_back(BROKER_PERM_READ_WRITE_CREATE_UNLINK_RECURSIVE(kShm));
|
| +
|
| + // Add eventual extra files from permissions_extra.
|
| + permissions.insert(permissions.end(), permissions_extra.begin(),
|
| + permissions_extra.end());
|
| +
|
| + broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions);
|
| // The initialization callback will perform generic initialization and then
|
| // call broker_sandboxer_callback.
|
| CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
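Review bot: `BROKER_PERM_READ_WRITE_CREATE_UNLINK_RECURSIVE(kShm)` turns the broker's whitelist from two fixed paths into read/write/create/unlink on everything under /dev/shm/, a directory shared with every other process on the host, and the hunk records no reason for the whole directory rather than a narrower prefix owned by the GPU process. That is the widest grant in this policy, so it deserves a why-comment next to the push_back naming the consumer that needs it and noting that the trailing slash is what the recursive macro matches on (if that is indeed how the macro interprets it — confirm against its definition). Separately, `kShm` breaks the naming pattern of `kDriRcPath`/`kDriCard0Path`; `kShmPath` would read consistently. The comment `// All GPU process policies need these files brokered out.` now also covers a directory, so "files" should become "paths".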
|
|
|