| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" |
| 6 | 6 |
| 7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
| 8 #include <errno.h> | 8 #include <errno.h> |
| 9 #include <fcntl.h> | 9 #include <fcntl.h> |
| 10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
| (...skipping 30 matching lines...) Expand all Loading... |
| 41 | 41 |
| 42 inline bool IsChromeOS() { | 42 inline bool IsChromeOS() { |
| 43 #if defined(OS_CHROMEOS) | 43 #if defined(OS_CHROMEOS) |
| 44 return true; | 44 return true; |
| 45 #else | 45 #else |
| 46 return false; | 46 return false; |
| 47 #endif | 47 #endif |
| 48 } | 48 } |
| 49 | 49 |
| 50 inline bool IsArchitectureArm() { | 50 inline bool IsArchitectureArm() { |
| 51 #if defined(__arm__) | 51 #if defined(__arm__) || defined(__aarch64__) |
| 52 return true; | 52 return true; |
| 53 #else | 53 #else |
| 54 return false; | 54 return false; |
| 55 #endif | 55 #endif |
| 56 } | 56 } |
| 57 | 57 |
| 58 void AddArmMaliGpuWhitelist(std::vector<BrokerFilePermission>* permissions) { | 58 void AddArmMaliGpuWhitelist(std::vector<BrokerFilePermission>* permissions) { |
| 59 // Device file needed by the ARM GPU userspace. | 59 // Device file needed by the ARM GPU userspace. |
| 60 static const char kMali0Path[] = "/dev/mali0"; | 60 static const char kMali0Path[] = "/dev/mali0"; |
| 61 | 61 |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 101 | 101 |
| 102 private: | 102 private: |
| 103 CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} | 103 CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} |
| 104 DISALLOW_COPY_AND_ASSIGN(CrosArmGpuBrokerProcessPolicy); | 104 DISALLOW_COPY_AND_ASSIGN(CrosArmGpuBrokerProcessPolicy); |
| 105 }; | 105 }; |
| 106 | 106 |
| 107 // A GPU broker policy is the same as a GPU policy with open and | 107 // A GPU broker policy is the same as a GPU policy with open and |
| 108 // openat allowed. | 108 // openat allowed. |
| 109 ResultExpr CrosArmGpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const { | 109 ResultExpr CrosArmGpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const { |
| 110 switch (sysno) { | 110 switch (sysno) { |
| 111 #if !defined(__aarch64__) |
| 111 case __NR_access: | 112 case __NR_access: |
| 112 case __NR_open: | 113 case __NR_open: |
| 114 #endif // !defined(__aarch64__) |
| 115 case __NR_faccessat: |
| 113 case __NR_openat: | 116 case __NR_openat: |
| 114 return Allow(); | 117 return Allow(); |
| 115 default: | 118 default: |
| 116 return CrosArmGpuProcessPolicy::EvaluateSyscall(sysno); | 119 return CrosArmGpuProcessPolicy::EvaluateSyscall(sysno); |
| 117 } | 120 } |
| 118 } | 121 } |
| 119 | 122 |
| 120 } // namespace | 123 } // namespace |
| 121 | 124 |
| 122 CrosArmGpuProcessPolicy::CrosArmGpuProcessPolicy(bool allow_shmat) | 125 CrosArmGpuProcessPolicy::CrosArmGpuProcessPolicy(bool allow_shmat) |
| 123 : allow_shmat_(allow_shmat) {} | 126 : allow_shmat_(allow_shmat) {} |
| 124 | 127 |
| 125 CrosArmGpuProcessPolicy::~CrosArmGpuProcessPolicy() {} | 128 CrosArmGpuProcessPolicy::~CrosArmGpuProcessPolicy() {} |
| 126 | 129 |
| 127 ResultExpr CrosArmGpuProcessPolicy::EvaluateSyscall(int sysno) const { | 130 ResultExpr CrosArmGpuProcessPolicy::EvaluateSyscall(int sysno) const { |
| 128 #if defined(__arm__) | 131 #if defined(__arm__) || defined(__aarch64__) |
| 129 if (allow_shmat_ && sysno == __NR_shmat) | 132 if (allow_shmat_ && sysno == __NR_shmat) |
| 130 return Allow(); | 133 return Allow(); |
| 131 #endif // defined(__arm__) | 134 #endif // defined(__arm__) || defined(__aarch64__) |
| 132 | 135 |
| 133 switch (sysno) { | 136 switch (sysno) { |
| 134 #if defined(__arm__) | 137 #if defined(__arm__) || defined(__aarch64__) |
| 135 // ARM GPU sandbox is started earlier so we need to allow networking | 138 // ARM GPU sandbox is started earlier so we need to allow networking |
| 136 // in the sandbox. | 139 // in the sandbox. |
| 137 case __NR_connect: | 140 case __NR_connect: |
| 138 case __NR_getpeername: | 141 case __NR_getpeername: |
| 139 case __NR_getsockname: | 142 case __NR_getsockname: |
| 140 case __NR_sysinfo: | 143 case __NR_sysinfo: |
| 141 case __NR_uname: | 144 case __NR_uname: |
| 142 return Allow(); | 145 return Allow(); |
| 143 // Allow only AF_UNIX for |domain|. | 146 // Allow only AF_UNIX for |domain|. |
| 144 case __NR_socket: | 147 case __NR_socket: |
| 145 case __NR_socketpair: { | 148 case __NR_socketpair: { |
| 146 const Arg<int> domain(0); | 149 const Arg<int> domain(0); |
| 147 return If(domain == AF_UNIX, Allow()).Else(Error(EPERM)); | 150 return If(domain == AF_UNIX, Allow()).Else(Error(EPERM)); |
| 148 } | 151 } |
| 149 #endif // defined(__arm__) | 152 #endif // defined(__arm__) || defined(__aarch64__) |
| 150 default: | 153 default: |
| 151 // Default to the generic GPU policy. | 154 // Default to the generic GPU policy. |
| 152 return GpuProcessPolicy::EvaluateSyscall(sysno); | 155 return GpuProcessPolicy::EvaluateSyscall(sysno); |
| 153 } | 156 } |
| 154 } | 157 } |
| 155 | 158 |
| 156 bool CrosArmGpuProcessPolicy::PreSandboxHook() { | 159 bool CrosArmGpuProcessPolicy::PreSandboxHook() { |
| 157 DCHECK(IsChromeOS() && IsArchitectureArm()); | 160 DCHECK(IsChromeOS() && IsArchitectureArm()); |
| 158 // Create a new broker process. | 161 // Create a new broker process. |
| 159 DCHECK(!broker_process()); | 162 DCHECK(!broker_process()); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 171 // Preload the Tegra V4L2 (video decode acceleration) library. | 174 // Preload the Tegra V4L2 (video decode acceleration) library. |
| 172 dlopen("/usr/lib/libtegrav4l2.so", dlopen_flag); | 175 dlopen("/usr/lib/libtegrav4l2.so", dlopen_flag); |
| 173 // Resetting errno since platform-specific libraries will fail on other | 176 // Resetting errno since platform-specific libraries will fail on other |
| 174 // platforms. | 177 // platforms. |
| 175 errno = 0; | 178 errno = 0; |
| 176 | 179 |
| 177 return true; | 180 return true; |
| 178 } | 181 } |
| 179 | 182 |
| 180 } // namespace content | 183 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 784733002:
content: bpf: exclude the syscalls if arm64 (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master