| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h" |
| 6 | 6 |
| 7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
| 8 #include <errno.h> | 8 #include <errno.h> |
| 9 #include <fcntl.h> | 9 #include <fcntl.h> |
| 10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 62 | 62 |
| 63 inline bool IsArchitectureI386() { | 63 inline bool IsArchitectureI386() { |
| 64 #if defined(__i386__) | 64 #if defined(__i386__) |
| 65 return true; | 65 return true; |
| 66 #else | 66 #else |
| 67 return false; | 67 return false; |
| 68 #endif | 68 #endif |
| 69 } | 69 } |
| 70 | 70 |
| 71 inline bool IsArchitectureArm() { | 71 inline bool IsArchitectureArm() { |
| 72 #if defined(__arm__) | 72 #if defined(__arm__) || defined(__aarch64__) |
| 73 return true; | 73 return true; |
| 74 #else | 74 #else |
| 75 return false; | 75 return false; |
| 76 #endif |
| 77 } |
| 78 |
| 79 inline bool IsOzone() { |
| 80 #if defined(USE_OZONE) |
| 81 return true; |
| 82 #else |
| 83 return false; |
| 76 #endif | 84 #endif |
| 77 } | 85 } |
| 78 | 86 |
| 79 bool IsAcceleratedVideoEnabled() { | 87 bool IsAcceleratedVideoEnabled() { |
| 80 const base::CommandLine& command_line = | 88 const base::CommandLine& command_line = |
| 81 *base::CommandLine::ForCurrentProcess(); | 89 *base::CommandLine::ForCurrentProcess(); |
| 82 bool accelerated_encode_enabled = false; | 90 bool accelerated_encode_enabled = false; |
| 83 #if defined(OS_CHROMEOS) | 91 #if defined(OS_CHROMEOS) |
| 84 accelerated_encode_enabled = | 92 accelerated_encode_enabled = |
| 85 !command_line.HasSwitch(switches::kDisableVaapiAcceleratedVideoEncode); | 93 !command_line.HasSwitch(switches::kDisableVaapiAcceleratedVideoEncode); |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 122 static_cast<int>(args.args[2])); | 130 static_cast<int>(args.args[2])); |
| 123 } else { | 131 } else { |
| 124 return -EPERM; | 132 return -EPERM; |
| 125 } | 133 } |
| 126 default: | 134 default: |
| 127 RAW_CHECK(false); | 135 RAW_CHECK(false); |
| 128 return -ENOSYS; | 136 return -ENOSYS; |
| 129 } | 137 } |
| 130 } | 138 } |
| 131 | 139 |
| 140 void AddV4L2GpuWhitelist(std::vector<BrokerFilePermission>* permissions) { |
| 141 // Device nodes for V4L2 video decode accelerator drivers. |
| 142 static const char kDevVideoDecPath[] = "/dev/video-dec"; |
| 143 |
| 144 // Device nodes for V4L2 video encode accelerator drivers. |
| 145 static const char kDevVideoEncPath[] = "/dev/video-enc"; |
| 146 |
| 147 permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoDecPath)); |
| 148 permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoEncPath)); |
| 149 } |
| 150 |
| 132 class GpuBrokerProcessPolicy : public GpuProcessPolicy { | 151 class GpuBrokerProcessPolicy : public GpuProcessPolicy { |
| 133 public: | 152 public: |
| 134 static sandbox::bpf_dsl::Policy* Create() { | 153 static sandbox::bpf_dsl::Policy* Create() { |
| 135 return new GpuBrokerProcessPolicy(); | 154 return new GpuBrokerProcessPolicy(); |
| 136 } | 155 } |
| 137 ~GpuBrokerProcessPolicy() override {} | 156 ~GpuBrokerProcessPolicy() override {} |
| 138 | 157 |
| 139 ResultExpr EvaluateSyscall(int system_call_number) const override; | 158 ResultExpr EvaluateSyscall(int system_call_number) const override; |
| 140 | 159 |
| 141 private: | 160 private: |
| (...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 293 | 312 |
| 294 CHECK(broker_process_ == NULL); | 313 CHECK(broker_process_ == NULL); |
| 295 | 314 |
| 296 // All GPU process policies need these files brokered out. | 315 // All GPU process policies need these files brokered out. |
| 297 std::vector<BrokerFilePermission> permissions; | 316 std::vector<BrokerFilePermission> permissions; |
| 298 permissions.push_back(BrokerFilePermission::ReadWrite(kDriCard0Path)); | 317 permissions.push_back(BrokerFilePermission::ReadWrite(kDriCard0Path)); |
| 299 permissions.push_back(BrokerFilePermission::ReadOnly(kDriRcPath)); | 318 permissions.push_back(BrokerFilePermission::ReadOnly(kDriRcPath)); |
| 300 if (!IsChromeOS()) { | 319 if (!IsChromeOS()) { |
| 301 permissions.push_back( | 320 permissions.push_back( |
| 302 BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm)); | 321 BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm)); |
| 322 } else if (IsArchitectureArm() || IsOzone()){ |
| 323 AddV4L2GpuWhitelist(&permissions); |
| 303 } | 324 } |
| 304 | 325 |
| 305 // Add eventual extra files from permissions_extra. | 326 // Add eventual extra files from permissions_extra. |
| 306 for (const auto& perm : permissions_extra) { | 327 for (const auto& perm : permissions_extra) { |
| 307 permissions.push_back(perm); | 328 permissions.push_back(perm); |
| 308 } | 329 } |
| 309 | 330 |
| 310 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions); | 331 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions); |
| 311 // The initialization callback will perform generic initialization and then | 332 // The initialization callback will perform generic initialization and then |
| 312 // call broker_sandboxer_callback. | 333 // call broker_sandboxer_callback. |
| 313 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, | 334 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox, |
| 314 broker_sandboxer_allocator))); | 335 broker_sandboxer_allocator))); |
| 315 } | 336 } |
| 316 | 337 |
| 317 } // namespace content | 338 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 834113004:
Add V4L2 device permissions on x86 CrOS which has ozone flag (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master