ARM GPU process Seccomp-BPF policy.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 1251 matching lines @@
   if (IsUmask(sysno) || IsDeniedFileSystemAccessViaFd(sysno) ||
       IsDeniedGetOrModifySocket(sysno)) {
     return ErrorCode(EPERM);
   }
 
   if (IsBaselinePolicyWatched(sysno)) {
     // Previously unseen syscalls. TODO(jln): some of these should
     // be denied gracefully right away.
     return sandbox->Trap(CrashSIGSYS_Handler, NULL);
   }
-  // In any other case crash the program with our SIGSYS handler
+  // In any other case crash the program with our SIGSYS handler.
   return sandbox->Trap(CrashSIGSYS_Handler, NULL);
 }
 
 // x86_64/i386 for now. Needs to be adapted and tested for ARM.
 ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno,
                            void *broker_process) {
   switch(sysno) {
     case __NR_ioctl:
     case __NR_sched_getaffinity:
     case __NR_sched_setaffinity:
+#if defined(__arm__)

[jln (very slow on Chromium), 2013/04/19 21:28:27]

Let's make another GPU process policy instead. Name GpuArmIntelDriverPolicy or
something along these lines.
Make it clear in a comment that the if (IsArchitectureArm()) is just a
convenient shortcut to detect that configuration, but that the policy is
specific to one driver.

From that policy, you can inherit the current, generic GPU policy.

I also think you should just allow all of IsAdvancedScheduler(), it's not much
more attack surface than what this allows. If we're concerned about the IO
Scheduler, let's split it  up in its own function.

For access(), if we need to allow it, we should add it to the broker process
that allows open(). Add it as a TODO on the existing bug for NONBLOCK / CLOEXEC.

Also remember: use IseArchitectureArm() for anything that doesn't trigger a
compile error, and #ifdef as last resort.

[jln (very slow on Chromium), 2013/04/20 15:05:00]

Thinking about it a bit more, perhaps the policies should just be fully separate
(and inherit on the baseline policy).

Inheritance from an intermediate GPU policy would create more complexity for
little gain. Inheritance from the generic GPU policy is probably just wrong.

Let me know what you think.

[Jorge Lucangeli Obes, 2013/04/23 00:13:20]

Done by inheriting from Baseline, agreed that makes more sense.

+    // ARM GPU sandbox is started earlier so we need to allow more stuff.
+    case __NR_access:
+    case __NR_socket:
+    case __NR_socketpair:
+    case __NR_connect:
+    case __NR_getpeername:
+    case __NR_getsockname:
+    case __NR_sched_get_priority_min:
+    case __NR_sched_get_priority_max:
+    case __NR_sched_getparam:
+    case __NR_sched_getscheduler:
+    case __NR_sched_setscheduler:
+    case __NR_sysinfo:
+    case __NR_uname:
+#endif  // defined(__arm__)
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_open:
     case __NR_openat:
         return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process);
     default:
 #if defined(__x86_64__) || defined(__arm__)
       if (IsSystemVSharedMemory(sysno))
         return ErrorCode(EACCES);
 #endif
       if (IsEventFd(sysno))
@@ skipping 163 matching lines @@
 bool EnableGpuBrokerPolicyCallBack() {
   StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL);
   return true;
 }
 
 // Start a broker process to handle open() inside the sandbox.
 void InitGpuBrokerProcess(BrokerProcess** broker_process) {
   static const char kDriRcPath[] = "/etc/drirc";
   static const char kDriCard0Path[] = "/dev/dri/card0";
 
+  // On ARM we're enabling the sandbox before the X connection is made,

[jln (very slow on Chromium), 2013/04/19 21:28:27]

Similarly, let's cleanly split this as its own ARM-with-intel-GPU function.

You could make helper functions such as:
AddX86IntGpuWhiteListedFiled(std::.....* read_whitelist,...* write_whitelist);
that you call from here.

InitGpuBrokerProcess() can take the policy as an argument to determine which one
of the helpers to call.

[Jorge Lucangeli Obes, 2013/04/23 00:13:20]

Split ARM portion into its own function.

I ended up needing different "sandbox enabling" callbacks. I could have added a
|policy| parameter to BrokerProcess::Init, but decided against it to keep
coupling to a minimum. We could eventually do some base::Bind magic to have
proper currying in Enable*GpuBrokerPolicyCallback.

+  // so we need to allow access to |.Xauthority|.
+  static const char kXAutorityPath[] = "/home/chronos/.Xauthority";
+
+  // Devices and files needed by the ARM GPU userspace.
+  static const char kMali0Path[] = "/dev/mali0";
+  static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2";
+  static const char kLibEglPath[] = "/usr/lib/libEGL.so.1";
+
+  // Devices needed for video decode acceleration on ARM.
+  static const char kDevMfcDecPath[] = "/dev/mfc-dec";
+  static const char kDevGsc1Path[] = "/dev/gsc1";
+
   CHECK(broker_process);
   CHECK(*broker_process == NULL);
 
   std::vector<std::string> read_whitelist;
+  if (IsArchitectureArm()) {
+    read_whitelist.push_back(kXAutorityPath);
+    read_whitelist.push_back(kMali0Path);
+    read_whitelist.push_back(kLibGlesPath);
+    read_whitelist.push_back(kLibEglPath);
+    read_whitelist.push_back(kDevMfcDecPath);
+    read_whitelist.push_back(kDevGsc1Path);
+  }
   read_whitelist.push_back(kDriCard0Path);
   read_whitelist.push_back(kDriRcPath);
+
   std::vector<std::string> write_whitelist;
+  if (IsArchitectureArm()) {
+    write_whitelist.push_back(kMali0Path);
+    write_whitelist.push_back(kDevMfcDecPath);
+    write_whitelist.push_back(kDevGsc1Path);
+  }
   write_whitelist.push_back(kDriCard0Path);
 
   *broker_process = new BrokerProcess(read_whitelist, write_whitelist);
   // Initialize the broker process and give it a sandbox call back.
   CHECK((*broker_process)->Init(EnableGpuBrokerPolicyCallBack));
 }
 
 // Warms up/preloads resources needed by the policies.
 // Eventually start a broker process and return it in broker_process.
 void WarmupPolicy(Sandbox::EvaluateSyscall policy,
                   BrokerProcess** broker_process) {
   if (policy == GpuProcessPolicy) {
+    // Create a new broker process.
+    InitGpuBrokerProcess(broker_process);
+
     if (IsArchitectureX86_64() || IsArchitectureI386()) {
-      // Create a new broker process.
-      InitGpuBrokerProcess(broker_process);
-
       // Accelerated video decode dlopen()'s a shared object
       // inside the sandbox, so preload it now.
       if (IsAcceleratedVideoDecodeEnabled()) {
         const char* I965DrvVideoPath = NULL;
 
         if (IsArchitectureX86_64()) {
           I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
         } else if (IsArchitectureI386()) {
           I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
         }
@@ skipping 124 matching lines @@
     // should enable it, enable it or die.
     bool started_sandbox = StartBpfSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 }  // namespace content