OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" | 5 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h" |
6 | 6 |
7 #include <dlfcn.h> | 7 #include <dlfcn.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 #include <fcntl.h> | 9 #include <fcntl.h> |
10 #include <sys/socket.h> | 10 #include <sys/socket.h> |
66 read_whitelist->push_back(kDevMfcDecPath); | 66 read_whitelist->push_back(kDevMfcDecPath); |
67 read_whitelist->push_back(kDevGsc1Path); | 67 read_whitelist->push_back(kDevGsc1Path); |
68 read_whitelist->push_back(kDevMfcEncPath); | 68 read_whitelist->push_back(kDevMfcEncPath); |
69 | 69 |
70 write_whitelist->push_back(kMali0Path); | 70 write_whitelist->push_back(kMali0Path); |
71 write_whitelist->push_back(kDevMfcDecPath); | 71 write_whitelist->push_back(kDevMfcDecPath); |
72 write_whitelist->push_back(kDevGsc1Path); | 72 write_whitelist->push_back(kDevGsc1Path); |
73 write_whitelist->push_back(kDevMfcEncPath); | 73 write_whitelist->push_back(kDevMfcEncPath); |
74 } | 74 } |
75 | 75 |
76 void AddArmTegraGpuWhitelist(std::vector<std::string>* read_whitelist, | |
77 std::vector<std::string>* write_whitelist) { | |
78 // Device files needed by the Tegra GPU userspace. | |
79 static const char kDevNvhostCtrlPath[] = "/dev/nvhost-ctrl"; | |
80 static const char kDevNvhostIspPath[] = "/dev/nvhost-isp"; | |
81 static const char kDevNvhostViPath[] = "/dev/nvhost-vi"; | |
82 static const char kDevNvmapPath[] = "/dev/nvmap"; | |
83 static const char kDevNvhostGpuPath[] = "/dev/nvhost-gpu"; | |
84 static const char kDevNvhostAsGpuPath[] = "/dev/nvhost-as-gpu"; | |
85 static const char kDevNvhostCtrlGpuPath[] = "/dev/nvhost-ctrl-gpu"; | |
86 static const char kSysDevicesSocIDPath[] = "/sys/devices/soc0/soc_id"; | |
87 static const char kSysDevicesSocRevPath[] = "/sys/devices/soc0/revision"; | |
88 // TODO(davidung): remove these device nodes before nyan launch. | |
89 | |
90 read_whitelist->push_back(kDevNvhostCtrlPath); | |
91 read_whitelist->push_back(kDevNvhostIspPath); | |
92 read_whitelist->push_back(kDevNvhostViPath); | |
93 read_whitelist->push_back(kDevNvmapPath); | |
94 read_whitelist->push_back(kDevNvhostGpuPath); | |
95 read_whitelist->push_back(kDevNvhostAsGpuPath); | |
96 read_whitelist->push_back(kDevNvhostCtrlGpuPath); | |
97 read_whitelist->push_back(kSysDevicesSocIDPath); | |
98 read_whitelist->push_back(kSysDevicesSocRevPath); | |
99 | |
100 write_whitelist->push_back(kDevNvhostCtrlPath); | |
101 write_whitelist->push_back(kDevNvhostIspPath); | |
102 write_whitelist->push_back(kDevNvhostViPath); | |
103 write_whitelist->push_back(kDevNvmapPath); | |
104 write_whitelist->push_back(kDevNvhostGpuPath); | |
105 write_whitelist->push_back(kDevNvhostAsGpuPath); | |
106 write_whitelist->push_back(kDevNvhostCtrlGpuPath); | |
107 } | |
108 | |
109 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, | 76 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist, |
110 std::vector<std::string>* write_whitelist) { | 77 std::vector<std::string>* write_whitelist) { |
111 // On ARM we're enabling the sandbox before the X connection is made, | 78 // On ARM we're enabling the sandbox before the X connection is made, |
112 // so we need to allow access to |.Xauthority|. | 79 // so we need to allow access to |.Xauthority|. |
113 static const char kXAuthorityPath[] = "/home/chronos/.Xauthority"; | 80 static const char kXAuthorityPath[] = "/home/chronos/.Xauthority"; |
jln (very slow on Chromium)
2014/03/27 00:56:18
I imagine we could have a new "sane" mode, where w
| |
114 static const char kLdSoCache[] = "/etc/ld.so.cache"; | 81 static const char kLdSoCache[] = "/etc/ld.so.cache"; |
115 | 82 |
116 // Files needed by the ARM GPU userspace. | 83 // Files needed by the ARM GPU userspace. |
117 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; | 84 static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2"; |
118 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; | 85 static const char kLibEglPath[] = "/usr/lib/libEGL.so.1"; |
119 | 86 |
120 read_whitelist->push_back(kXAuthorityPath); | 87 read_whitelist->push_back(kXAuthorityPath); |
121 read_whitelist->push_back(kLdSoCache); | 88 read_whitelist->push_back(kLdSoCache); |
122 read_whitelist->push_back(kLibGlesPath); | 89 read_whitelist->push_back(kLibGlesPath); |
123 read_whitelist->push_back(kLibEglPath); | 90 read_whitelist->push_back(kLibEglPath); |
124 | 91 |
125 AddArmMaliGpuWhitelist(read_whitelist, write_whitelist); | 92 AddArmMaliGpuWhitelist(read_whitelist, write_whitelist); |
126 AddArmTegraGpuWhitelist(read_whitelist, write_whitelist); | |
127 } | 93 } |
128 | 94 |
129 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy { | 95 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy { |
130 public: | 96 public: |
131 CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} | 97 CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {} |
132 virtual ~CrosArmGpuBrokerProcessPolicy() {} | 98 virtual ~CrosArmGpuBrokerProcessPolicy() {} |
133 | 99 |
134 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, | 100 virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
135 int system_call_number) const OVERRIDE; | 101 int system_call_number) const OVERRIDE; |
136 | 102 |
163 int sysno) const { | 129 int sysno) const { |
164 #if defined(__arm__) | 130 #if defined(__arm__) |
165 if (allow_shmat_ && sysno == __NR_shmat) | 131 if (allow_shmat_ && sysno == __NR_shmat) |
166 return ErrorCode(ErrorCode::ERR_ALLOWED); | 132 return ErrorCode(ErrorCode::ERR_ALLOWED); |
167 #endif // defined(__arm__) | 133 #endif // defined(__arm__) |
168 | 134 |
169 switch (sysno) { | 135 switch (sysno) { |
170 #if defined(__arm__) | 136 #if defined(__arm__) |
171 // ARM GPU sandbox is started earlier so we need to allow networking | 137 // ARM GPU sandbox is started earlier so we need to allow networking |
172 // in the sandbox. | 138 // in the sandbox. |
173 case __NR_connect: | 139 case __NR_connect: |
jln (very slow on Chromium)
2014/03/27 00:56:18
This stuff is hopefully not needed either with --g
| |
174 case __NR_getpeername: | 140 case __NR_getpeername: |
175 case __NR_getsockname: | 141 case __NR_getsockname: |
176 case __NR_sysinfo: | 142 case __NR_sysinfo: |
177 case __NR_uname: | 143 case __NR_uname: |
178 return ErrorCode(ErrorCode::ERR_ALLOWED); | 144 return ErrorCode(ErrorCode::ERR_ALLOWED); |
179 // Allow only AF_UNIX for |domain|. | 145 // Allow only AF_UNIX for |domain|. |
180 case __NR_socket: | 146 case __NR_socket: |
181 case __NR_socketpair: | 147 case __NR_socketpair: |
182 return sandbox->Cond(0, ErrorCode::TP_32BIT, | 148 return sandbox->Cond(0, ErrorCode::TP_32BIT, |
183 ErrorCode::OP_EQUAL, AF_UNIX, | 149 ErrorCode::OP_EQUAL, AF_UNIX, |
208 base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>( | 174 base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>( |
209 new CrosArmGpuBrokerProcessPolicy))), | 175 new CrosArmGpuBrokerProcessPolicy))), |
210 read_whitelist_extra, | 176 read_whitelist_extra, |
211 write_whitelist_extra); | 177 write_whitelist_extra); |
212 | 178 |
213 const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; | 179 const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; |
214 | 180 |
215 // Preload the Mali library. | 181 // Preload the Mali library. |
216 dlopen("/usr/lib/libmali.so", dlopen_flag); | 182 dlopen("/usr/lib/libmali.so", dlopen_flag); |
217 | 183 |
218 // Preload the Tegra libraries. | |
219 dlopen("/usr/lib/libnvrm.so", dlopen_flag); | |
220 dlopen("/usr/lib/libnvrm_graphics.so", dlopen_flag); | |
221 dlopen("/usr/lib/libnvidia-glsi.so", dlopen_flag); | |
222 dlopen("/usr/lib/libnvidia-rmapi-tegra.so", dlopen_flag); | |
223 dlopen("/usr/lib/libnvidia-eglcore.so", dlopen_flag); | |
224 // TODO(davidung): remove these libraries before nyan launch. | |
225 | |
226 return true; | 184 return true; |
227 } | 185 } |
228 | 186 |
229 } // namespace content | 187 } // namespace content |