Add an initial Linux GPU sandbox using the seccomp filter framework.

content/gpu/gpu_main.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdlib.h>
 
 #if defined(OS_WIN)
 #include <windows.h>
 #endif
 
 #include "base/environment.h"
 #include "base/message_loop.h"
+#include "base/rand_util.h"
 #include "base/stringprintf.h"
 #include "base/threading/platform_thread.h"
 #include "base/win/scoped_com_initializer.h"
 #include "build/build_config.h"
 #include "content/common/gpu/gpu_config.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/main_function_params.h"
 #include "content/gpu/gpu_child_thread.h"
 #include "content/gpu/gpu_info_collector.h"
 #include "content/gpu/gpu_process.h"
 #include "ui/gfx/gl/gl_surface.h"
 #include "ui/gfx/gl/gl_switches.h"
 
 #if defined(OS_WIN)
 #include "content/common/gpu/media/dxva_video_decode_accelerator.h"
 #include "sandbox/src/sandbox.h"
 #endif
 
 #if defined(USE_X11)
 #include "ui/base/x/x11_util.h"
 #endif
 
 #if defined(TOOLKIT_GTK)
 #include "ui/gfx/gtk_util.h"
 #endif
 
+#if defined(OS_LINUX)
+#include "content/public/common/sandbox_init.h"
+#endif
+
 // Main function for starting the Gpu process.
 int GpuMain(const content::MainFunctionParams& parameters) {
   base::Time start_time = base::Time::Now();
 
   const CommandLine& command_line = parameters.command_line;
   if (command_line.HasSwitch(switches::kGpuStartupDialog)) {
     ChildProcess::WaitForDebugger("Gpu");
   }
 
   if (!command_line.HasSwitch(switches::kSingleProcess)) {
@@ skipping 43 matching lines @@
 #endif
 
     // Set the GPU info even if it failed.
     content::GetContentClient()->SetGpuInfo(gpu_info);
   } else {
     LOG(INFO) << "gfx::GLSurface::InitializeOneOff failed";
     gpu_info.gpu_accessible = false;
     dead_on_arrival = true;
   }
 
+#if defined(OS_LINUX)
+  // TODO(cevans): eventually this will be removed when we have tested all
+  // cards and drivers.
+  if (gpu_info.vendor_id == 0x1002) {  // ATI

[Will Drewry, 2012/04/12 01:08:56]

Any chance we can get intel in here?

[Chris Evans, 2012/04/12 18:42:49]

Yes, and imminently, but not for this first patch. I'm going to test each card
before throwing it in :)
Ideally, someone with a CrOS device + patched kernel could test this. Happy to
add a command line flag if it would help.

+    // Warm up the random system before sandboxing. The numbers are arbitrary.
+    (void) base::RandInt(0, 1337);

[apatrick_chromium, 2012/04/12 18:36:46]

We warm up rand on windows as well. Maybe just do it on all platforms?

+    // Initialize the sandbox here because it's after the card has been
+    // opened ("privileged" operation) but before we've kicked off any threads.
+    content::InitializeSandbox();
+  }
+#endif
+
   base::win::ScopedCOMInitializer com_initializer;
 
 #if defined(OS_WIN)
   // Preload this DLL because the sandbox prevents it from loading.
   LoadLibrary(L"setupapi.dll");
 
   // Cause advapi32 to load before the sandbox is turned on.
   unsigned int dummy_rand;
   rand_s(&dummy_rand);

[apatrick_chromium, 2012/04/12 18:36:46]

...here

 
   sandbox::TargetServices* target_services =
       parameters.sandbox_info->target_services;
   // Initialize H/W video decoding stuff which fails in the sandbox.
   DXVAVideoDecodeAccelerator::PreSandboxInitialization();
   // For windows, if the target_services interface is not zero, the process
   // is sandboxed and we must call LowerToken() before rendering untrusted
   // content.
   if (target_services)
     target_services->LowerToken();
@@ skipping 22 matching lines @@
   child_thread->Init(start_time);
 
   gpu_process.set_main_thread(child_thread);
 
   main_message_loop.Run();
 
   child_thread->StopWatchdog();
 
   return 0;
 }