Clean up GPU process seccomp-bpf sandbox policies.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 406 matching lines @@
     // TODO(jorgelo): generalize this to other platforms.
     if (IsAcceleratedVideoDecodeEnabled()) {
       const char kI965DrvVideoPath_64[] =
           "/usr/lib64/va/drivers/i965_drv_video.so";
       dlopen(kI965DrvVideoPath_64, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
     }
   }
 #endif
 }
 
-// Is the sandbox fully disabled for this process?
-bool ShouldDisableBpfSandbox(const CommandLine& command_line,
-                             const std::string& process_type) {
-  if (process_type == switches::kGpuProcess) {
-    // The GPU sandbox is disabled by default in ChromeOS, enabled by default on
-    // generic Linux.
-    // TODO(jorgelo): when we feel comfortable, make this a policy decision
-    // instead. (i.e. move this to GetProcessSyscallPolicy) and return an
-    // AllowAllPolicy for lack of "--enable-gpu-sandbox".
-    bool should_disable;
-    if (IsChromeOS()) {
-      should_disable = true;
-    } else {
-      should_disable = false;
-    }
-
-    if (command_line.HasSwitch(switches::kEnableGpuSandbox))
-      should_disable = false;
-    if (command_line.HasSwitch(switches::kDisableGpuSandbox))
-      should_disable = true;
-    return should_disable;
-  }
-
-  return false;
-}
-
 playground2::Sandbox::EvaluateSyscall GetProcessSyscallPolicy(
     const CommandLine& command_line,
     const std::string& process_type) {
 #if defined(__x86_64__)
   if (process_type == switches::kGpuProcess) {
-    return GpuProcessPolicy_x86_64;
+    // On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy.
+    if (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox))
+      return BlacklistPtracePolicy;
+    else
+      return GpuProcessPolicy_x86_64;
   }
 
   if (process_type == switches::kPpapiPluginProcess) {
     // TODO(jln): figure out what to do with non-Flash PPAPI
     // out-of-process plug-ins.
     return FlashProcessPolicy_x86_64;
   }
 
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess) {
@@ skipping 38 matching lines @@
     return true;
   } else {
     return false;
   }
 }
 
 bool SandboxSeccompBpf::ShouldEnableSeccompBpf(
     const std::string& process_type) {
 #if defined(SECCOMP_BPF_SANDBOX)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  return !ShouldDisableBpfSandbox(command_line, process_type);
+  if (process_type == switches::kGpuProcess)
+    return !command_line.HasSwitch(switches::kDisableGpuSandbox);
+
+  return true;
 #endif
   return false;
 }
 
 bool SandboxSeccompBpf::SupportsSandbox() {
 #if defined(SECCOMP_BPF_SANDBOX)
   // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
   // here.
   if (playground2::Sandbox::supportsSeccompSandbox(-1) ==
       playground2::Sandbox::STATUS_AVAILABLE) {
@@ skipping 11 matching lines @@
       // Process-specific policy.
       ShouldEnableSeccompBpf(process_type) &&
       SupportsSandbox()) {
     return StartBpfSandbox_x86(command_line, process_type);
   }
 #endif
   return false;
 }
 
 }  // namespace content