Index: content/common/sandbox_seccomp_bpf_linux.cc |
diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc |
index 2f3f0efa449c5308268f543f97e946cdee1cab24..7f12eea3eb4494775eee5c2350d14ae5e77ea180 100644 |
--- a/content/common/sandbox_seccomp_bpf_linux.cc |
+++ b/content/common/sandbox_seccomp_bpf_linux.cc |
@@ -1269,11 +1269,11 @@ ErrorCode BaselinePolicy(Sandbox *sandbox, int sysno) { |
// be denied gracefully right away. |
return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
} |
- // In any other case crash the program with our SIGSYS handler |
+ // In any other case crash the program with our SIGSYS handler. |
return sandbox->Trap(CrashSIGSYS_Handler, NULL); |
} |
-// x86_64/i386 for now. Needs to be adapted and tested for ARM. |
+// x86_64/i386. |
ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, |
void *broker_process) { |
switch(sysno) { |
@@ -1283,7 +1283,7 @@ ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, |
return ErrorCode(ErrorCode::ERR_ALLOWED); |
case __NR_open: |
case __NR_openat: |
- return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); |
+ return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); |
default: |
#if defined(__x86_64__) || defined(__arm__) |
if (IsSystemVSharedMemory(sysno)) |
@@ -1297,7 +1297,7 @@ ErrorCode GpuProcessPolicy(Sandbox *sandbox, int sysno, |
} |
} |
-// x86_64/i386 for now. Needs to be adapted and tested for ARM. |
+// x86_64/i386. |
// A GPU broker policy is the same as a GPU policy with open and |
// openat allowed. |
ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) { |
@@ -1312,6 +1312,56 @@ ErrorCode GpuBrokerProcessPolicy(Sandbox *sandbox, int sysno, void *aux) { |
} |
} |
+// ARM Mali GPU process sandbox. |
+ErrorCode ArmMaliGpuProcessPolicy(Sandbox *sandbox, int sysno, |
+ void *broker_process) { |
+ switch(sysno) { |
+ case __NR_ioctl: |
+#if defined(__arm__) |
+ case __NR_access: // TODO(jorgelo): broker this out (crbug.com/232077). |
+ // ARM GPU sandbox is started earlier so we need to allow networking |
+ // in the sandbox. |
+ // TODO(jorgelo): tighten this up. |
+ case __NR_connect: |
+ case __NR_getpeername: |
+ case __NR_getsockname: |
+ case __NR_socket: |
+ case __NR_socketpair: |
+ case __NR_sysinfo: |
+ case __NR_uname: |
+#endif // defined(__arm__) |
+ return ErrorCode(ErrorCode::ERR_ALLOWED); |
+ case __NR_open: |
+ case __NR_openat: |
+ return sandbox->Trap(GpuOpenSIGSYS_Handler, broker_process); |
+ default: |
+#if defined(__arm__) |
+ if (IsSystemVSharedMemory(sysno)) |
+ return ErrorCode(EACCES); |
+#endif |
+ if (IsAdvancedScheduler(sysno) || IsEventFd(sysno)) |
+ return ErrorCode(ErrorCode::ERR_ALLOWED); |
+ |
+ // Default on the baseline policy. |
+ return BaselinePolicy(sandbox, sysno); |
+ } |
+} |
+ |
+// A GPU broker policy is the same as a GPU policy with open and |
+// openat allowed. |
+ErrorCode ArmMaliGpuBrokerProcessPolicy(Sandbox *sandbox, |
+ int sysno, void *aux) { |
+ // "aux" would typically be NULL, when called from |
+ // "EnableGpuBrokerPolicyCallBack" |
+ switch(sysno) { |
+ case __NR_open: |
+ case __NR_openat: |
+ return ErrorCode(ErrorCode::ERR_ALLOWED); |
+ default: |
+ return ArmMaliGpuProcessPolicy(sandbox, sysno, aux); |
+ } |
+} |
+ |
// Allow clone for threads, crash if anything else is attempted. |
// Don't restrict on ASAN. |
ErrorCode RestrictCloneToThreads(Sandbox *sandbox) { |
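Review bot: `case __NR_ioctl:` at the top of ArmMaliGpuProcessPolicy returns ERR_ALLOWED for every file descriptor and request code with no argument inspection, and unlike the `#if defined(__arm__)` cases below it carries neither a TODO nor a comment recording that this is deliberate; a line such as `// TODO: ioctl is allowed unfiltered for all fds/requests; restrict by argument once the driver's request set is known.` would make the gap visible to the next reader. The networking cases (`__NR_socket`, `__NR_connect`, `__NR_socketpair`, ...) are likewise matched by syscall number only, so the allowance is wider than the local X connection the comment describes — the existing `// TODO(jorgelo): tighten this up.` should say what the intended restriction is (presumably the socket domain). Note that ArmMaliGpuBrokerProcessPolicy falls through to this policy in its `default:` branch, so the broker process inherits all of these allowances as well.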
@@ -1453,28 +1503,79 @@ ErrorCode AllowAllPolicy(Sandbox *, int sysno, void *) { |
} |
} |
-bool EnableGpuBrokerPolicyCallBack() { |
+bool EnableGpuBrokerPolicyCallback() { |
StartSandboxWithPolicy(GpuBrokerProcessPolicy, NULL); |
return true; |
} |
+bool EnableArmMaliGpuBrokerPolicyCallback() { |
+ StartSandboxWithPolicy(ArmMaliGpuBrokerProcessPolicy, NULL); |
+ return true; |
+} |
+ |
+void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist, |
+ std::vector<std::string>* write_whitelist) { |
+ // On ARM we're enabling the sandbox before the X connection is made, |
+ // so we need to allow access to |.Xauthority|. |
+ static const char kXAutorityPath[] = "/home/chronos/.Xauthority"; |
+ |
+ // Devices and files needed by the ARM GPU userspace. |
+ static const char kMali0Path[] = "/dev/mali0"; |
+ static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; |
+ static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; |
+ |
+ // Devices needed for video decode acceleration on ARM. |
+ static const char kDevMfcDecPath[] = "/dev/mfc-dec"; |
+ static const char kDevGsc1Path[] = "/dev/gsc1"; |
+ |
+ read_whitelist->push_back(kXAutorityPath); |
+ read_whitelist->push_back(kMali0Path); |
+ read_whitelist->push_back(kLibGlesPath); |
+ read_whitelist->push_back(kLibEglPath); |
+ read_whitelist->push_back(kDevMfcDecPath); |
+ read_whitelist->push_back(kDevGsc1Path); |
+ |
+ write_whitelist->push_back(kMali0Path); |
+ write_whitelist->push_back(kDevMfcDecPath); |
+ write_whitelist->push_back(kDevGsc1Path); |
+} |
+ |
// Start a broker process to handle open() inside the sandbox. |
-void InitGpuBrokerProcess(BrokerProcess** broker_process) { |
+void InitGpuBrokerProcess(Sandbox::EvaluateSyscall gpu_policy, |
+ BrokerProcess** broker_process) { |
static const char kDriRcPath[] = "/etc/drirc"; |
static const char kDriCard0Path[] = "/dev/dri/card0"; |
CHECK(broker_process); |
CHECK(*broker_process == NULL); |
+ bool (*sandbox_callback)(void) = NULL; |
+ |
+ // All GPU process policies need these files brokered out. |
std::vector<std::string> read_whitelist; |
read_whitelist.push_back(kDriCard0Path); |
read_whitelist.push_back(kDriRcPath); |
+ |
std::vector<std::string> write_whitelist; |
write_whitelist.push_back(kDriCard0Path); |
+ if (gpu_policy == ArmMaliGpuProcessPolicy) { |
+ // We shouldn't be using this policy on non-ARM architectures. |
+ CHECK(IsArchitectureArm()); |
+ |
+ AddArmMaliGpuWhitelist(&read_whitelist, &write_whitelist); |
+ sandbox_callback = EnableArmMaliGpuBrokerPolicyCallback; |
+ } else if (gpu_policy == GpuProcessPolicy) { |
+ sandbox_callback = EnableGpuBrokerPolicyCallback; |
+ } else { |
+ // We shouldn't be initializing a GPU broker process without a GPU process |
+ // policy. |
+ NOTREACHED(); |
+ } |
+ |
*broker_process = new BrokerProcess(read_whitelist, write_whitelist); |
- // Initialize the broker process and give it a sandbox call back. |
- CHECK((*broker_process)->Init(EnableGpuBrokerPolicyCallBack)); |
+ // Initialize the broker process and give it a sandbox callback. |
+ CHECK((*broker_process)->Init(sandbox_callback)); |
} |
// Warms up/preloads resources needed by the policies. |
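Review bot: In InitGpuBrokerProcess the final `else` branch hits `NOTREACHED()` with `sandbox_callback` still NULL, and if NOTREACHED() is compiled out in release builds (as Chromium's is) execution continues to `(*broker_process)->Init(sandbox_callback)` with a NULL callback; whether BrokerProcess::Init refuses a NULL callback is not visible here, so the path should fail closed rather than depend on it. Add `CHECK(sandbox_callback);` immediately before the `new BrokerProcess(...)` line so a broker can never be started without a sandbox callback. Minor: in AddArmMaliGpuWhitelist the constant is misspelled, `kXAutorityPath` should be `kXAuthorityPath`, and since its value is a `/home/chronos/` path the comment could state that this whitelist is Chrome OS specific, given that InitGpuBrokerProcess only checks `IsArchitectureArm()` before applying it.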
@@ -1482,10 +1583,10 @@ void InitGpuBrokerProcess(BrokerProcess** broker_process) { |
void WarmupPolicy(Sandbox::EvaluateSyscall policy, |
BrokerProcess** broker_process) { |
if (policy == GpuProcessPolicy) { |
- if (IsArchitectureX86_64() || IsArchitectureI386()) { |
- // Create a new broker process. |
- InitGpuBrokerProcess(broker_process); |
+ // Create a new broker process. |
+ InitGpuBrokerProcess(policy, broker_process); |
+ if (IsArchitectureX86_64() || IsArchitectureI386()) { |
// Accelerated video decode dlopen()'s a shared object |
// inside the sandbox, so preload it now. |
if (IsAcceleratedVideoDecodeEnabled()) { |
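Review bot: Moving `InitGpuBrokerProcess(policy, broker_process);` above the `IsArchitectureX86_64() || IsArchitectureI386()` check means a broker is now created for GpuProcessPolicy on every architecture, while that policy's own header comment (changed earlier in this diff to `// x86_64/i386.`) still presents it as x86-only; if the broker is meant to be architecture-independent, say so in the comment above the call. The following hunk at `@@ -1500,6 +1601,9 @@` repeats the identical comment and call for ArmMaliGpuProcessPolicy; both could collapse into one guard ahead of the x86-specific preload, `if (policy == GpuProcessPolicy || policy == ArmMaliGpuProcessPolicy) InitGpuBrokerProcess(policy, broker_process);`, leaving the inner `if` for the dlopen work only. WarmupPolicy's body continues past this hunk.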
@@ -1500,6 +1601,9 @@ void WarmupPolicy(Sandbox::EvaluateSyscall policy, |
dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE); |
} |
} |
+ } else if (policy == ArmMaliGpuProcessPolicy) { |
+ // Create a new broker process. |
+ InitGpuBrokerProcess(policy, broker_process); |
} |
} |
@@ -1508,10 +1612,11 @@ Sandbox::EvaluateSyscall GetProcessSyscallPolicy( |
const std::string& process_type) { |
if (process_type == switches::kGpuProcess) { |
// On Chrome OS, --enable-gpu-sandbox enables the more restrictive policy. |
- // However, we don't yet enable the more restrictive GPU process policy |
- // on ARM. |
- if (IsArchitectureArm() || |
- (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox))) |
+ if (IsChromeOS() && !command_line.HasSwitch(switches::kEnableGpuSandbox)) |
+ return BlacklistDebugAndNumaPolicy; |
+ // On Chrome OS ARM, we need a specific GPU process policy. |
+ // TODO(jorgelo): switch to ArmMaliGpuProcessPolicy. |
+ else if (IsChromeOS() && IsArchitectureArm()) |
return BlacklistDebugAndNumaPolicy; |
else |
return GpuProcessPolicy; |
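Review bot: Dropping `IsArchitectureArm()` from the first condition changes the policy for ARM builds outside Chrome OS: they previously got BlacklistDebugAndNumaPolicy and now fall through to the final `return GpuProcessPolicy;`, whose header comment elsewhere in this diff still reads `// x86_64/i386.`; nothing in the commit says this is intended. If it is, the GpuProcessPolicy comment should say the policy is expected to work on ARM too; if not, keep the ARM case architecture-wide with `else if (IsArchitectureArm())` in place of `else if (IsChromeOS() && IsArchitectureArm())`. As a point of style, the `else if`/`else` chain after unconditional `return`s can be flattened into sequential `if`s, which would also let the ARM comment sit directly above its condition. GetProcessSyscallPolicy continues past the hunk.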