Add V4L2 device permissions on x86 CrOS which has ozone flag

content/common/sandbox_linux/bpf_gpu_policy_linux.cc

Index: content/common/sandbox_linux/bpf_gpu_policy_linux.cc
diff --git a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
index 81d389e2ea2962fe9cfa0bce5113a14e54eb4dc5..0c239e87d2b4cb6a7326525683aa89c9518fee63 100644
--- a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
@@ -69,7 +69,15 @@ inline bool IsArchitectureI386() {
 }
 
 inline bool IsArchitectureArm() {
-#if defined(__arm__)
+#if defined(__arm__) || defined(__aarch64__)
+  return true;
+#else
+  return false;
+#endif
+}
+
+inline bool IsOzone() {
+#if defined(USE_OZONE)
   return true;
 #else
   return false;
@@ -129,6 +137,17 @@ intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args,
   }
 }
 
+void AddV4L2GpuWhitelist(std::vector<BrokerFilePermission>* permissions) {
+  // Device nodes for V4L2 video decode accelerator drivers.
+  static const char kDevVideoDecPath[] = "/dev/video-dec";
+
+  // Device nodes for V4L2 video encode accelerator drivers.
+  static const char kDevVideoEncPath[] = "/dev/video-enc";
+
+  permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoDecPath));
+  permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoEncPath));
+}
+
 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
  public:
   static sandbox::bpf_dsl::Policy* Create() {
@@ -300,6 +319,8 @@ void GpuProcessPolicy::InitGpuBrokerProcess(
   if (!IsChromeOS()) {
     permissions.push_back(
         BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm));
+  } else if (IsArchitectureArm() || IsOzone()){
+    AddV4L2GpuWhitelist(&permissions);
   }
 
   // Add eventual extra files from permissions_extra.