content/common/sandbox_init_linux.cc - Issue 10534049: Disable the seccomp filter GPU process sandbox by default on Chrome OS.

Side by Side Diff: content/common/sandbox_init_linux.cc

Issue 10534049: Disable the seccomp filter GPU process sandbox by default on Chrome OS. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Move all GPU process checks to function, allow non-Intel GPUs in debug mode. Created 8 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/public/common/sandbox_init.h"	5 #include "content/public/common/sandbox_init.h"

6	6

7 #if defined(OS_LINUX) && defined(__x86_64__)	7 #if defined(OS_LINUX) && defined(__x86_64__)

8	8

9 #include <asm/unistd.h>	9 #include <asm/unistd.h>

10 #include <errno.h>	10 #include <errno.h>

(...skipping 370 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
381 PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed";	381 PLOG_IF(FATAL, ret != 0) << "prctl(PR_SET_NO_NEW_PRIVS) failed";

382	382

383 struct sock_fprog fprog;	383 struct sock_fprog fprog;

384 fprog.len = program.size();	384 fprog.len = program.size();

385 fprog.filter = const_cast<struct sock_filter*>(&program[0]);	385 fprog.filter = const_cast<struct sock_filter*>(&program[0]);

386	386

387 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);	387 ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);

388 PLOG_IF(FATAL, ret != 0) << "Failed to install filter.";	388 PLOG_IF(FATAL, ret != 0) << "Failed to install filter.";

389 }	389 }

390	390

	391 static bool ShouldEnableGPUSandbox() {

	392 bool res = false;

	393 const CommandLine& command_line = *CommandLine::ForCurrentProcess();

	394

	395 res = !command_line.HasSwitch(switches::kDisableGpuSandbox);

	396 #if defined(OS_CHROMEOS)
	Chris Evans 2012/06/11 20:52:23 Can you get rid of this ifdef? If we have to pull Can you get rid of this ifdef? If we have to pull the sandbox from e.g. binary Nvidia driver on desktop Linux, I want this flag to work by default. In terms of conflict, "disable" should win. Jorge Lucangeli Obes 2012/06/11 22:56:46 Done. Show quoted text On 2012/06/11 20:52:23, Chris Evans wrote: > Can you get rid of this ifdef? If we have to pull the sandbox from e.g. binary > Nvidia driver on desktop Linux, I want this flag to work by default. > > In terms of conflict, "disable" should win. Done.
	397 res = command_line.HasSwitch(switches::kEnableGpuSandbox);

	398 #endif

	399 return res;

	400 }

	401

391 } // anonymous namespace	402 } // anonymous namespace

392	403

393 namespace content {	404 namespace content {

394	405

395 void InitializeSandbox() {	406 void InitializeSandbox() {

396 const CommandLine& command_line = *CommandLine::ForCurrentProcess();	407 const CommandLine& command_line = *CommandLine::ForCurrentProcess();

397 if (command_line.HasSwitch(switches::kNoSandbox) \|\|	408 if (command_line.HasSwitch(switches::kNoSandbox) \|\|

398 command_line.HasSwitch(switches::kDisableSeccompFilterSandbox))	409 command_line.HasSwitch(switches::kDisableSeccompFilterSandbox))

399 return;	410 return;

400	411

401 std::string process_type =	412 std::string process_type =

402 command_line.GetSwitchValueASCII(switches::kProcessType);	413 command_line.GetSwitchValueASCII(switches::kProcessType);

403 if (process_type == switches::kGpuProcess &&	414 if (process_type == switches::kGpuProcess &&

404 command_line.HasSwitch(switches::kDisableGpuSandbox))	415 !ShouldEnableGPUSandbox())

405 return;	416 return;

406	417

407 if (!CanUseSeccompFilters())	418 if (!CanUseSeccompFilters())

408 return;	419 return;

409	420

410 CheckSingleThreaded();	421 CheckSingleThreaded();

411	422

412 std::vector<struct sock_filter> program;	423 std::vector<struct sock_filter> program;

413 EmitPreamble(&program);	424 EmitPreamble(&program);

414	425

(...skipping 20 matching lines...) Expand all Loading...
435 #else	446 #else

436	447

437 namespace content {	448 namespace content {

438	449

439 void InitializeSandbox() {	450 void InitializeSandbox() {

440 }	451 }

441	452

442 } // namespace content	453 } // namespace content

443	454

444 #endif	455 #endif

445

OLD	NEW

« no previous file with comments | « no previous file | content/gpu/gpu_main.cc » ('j') | no next file with comments »