Don't start the SECCOMP sandbox early for Tegra124

content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h"
 
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/socket.h>
@@ skipping 55 matching lines @@
   read_whitelist->push_back(kDevMfcDecPath);
   read_whitelist->push_back(kDevGsc1Path);
   read_whitelist->push_back(kDevMfcEncPath);
 
   write_whitelist->push_back(kMali0Path);
   write_whitelist->push_back(kDevMfcDecPath);
   write_whitelist->push_back(kDevGsc1Path);
   write_whitelist->push_back(kDevMfcEncPath);
 }
 
-void AddArmTegraGpuWhitelist(std::vector<std::string>* read_whitelist,
-                             std::vector<std::string>* write_whitelist) {
-  // Device files needed by the Tegra GPU userspace.
-  static const char kDevNvhostCtrlPath[] = "/dev/nvhost-ctrl";
-  static const char kDevNvhostIspPath[] = "/dev/nvhost-isp";
-  static const char kDevNvhostViPath[] = "/dev/nvhost-vi";
-  static const char kDevNvmapPath[] = "/dev/nvmap";
-  static const char kDevNvhostGpuPath[] = "/dev/nvhost-gpu";
-  static const char kDevNvhostAsGpuPath[] = "/dev/nvhost-as-gpu";
-  static const char kDevNvhostCtrlGpuPath[] = "/dev/nvhost-ctrl-gpu";
-  static const char kSysDevicesSocIDPath[] = "/sys/devices/soc0/soc_id";
-  static const char kSysDevicesSocRevPath[] = "/sys/devices/soc0/revision";
-  // TODO(davidung): remove these device nodes before nyan launch.
-
-  read_whitelist->push_back(kDevNvhostCtrlPath);
-  read_whitelist->push_back(kDevNvhostIspPath);
-  read_whitelist->push_back(kDevNvhostViPath);
-  read_whitelist->push_back(kDevNvmapPath);
-  read_whitelist->push_back(kDevNvhostGpuPath);
-  read_whitelist->push_back(kDevNvhostAsGpuPath);
-  read_whitelist->push_back(kDevNvhostCtrlGpuPath);
-  read_whitelist->push_back(kSysDevicesSocIDPath);
-  read_whitelist->push_back(kSysDevicesSocRevPath);
-
-  write_whitelist->push_back(kDevNvhostCtrlPath);
-  write_whitelist->push_back(kDevNvhostIspPath);
-  write_whitelist->push_back(kDevNvhostViPath);
-  write_whitelist->push_back(kDevNvmapPath);
-  write_whitelist->push_back(kDevNvhostGpuPath);
-  write_whitelist->push_back(kDevNvhostAsGpuPath);
-  write_whitelist->push_back(kDevNvhostCtrlGpuPath);
-}
-
 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist,
                         std::vector<std::string>* write_whitelist) {
   // On ARM we're enabling the sandbox before the X connection is made,
   // so we need to allow access to |.Xauthority|.
   static const char kXAuthorityPath[] = "/home/chronos/.Xauthority";

[jln (very slow on Chromium), 2014/03/27 00:56:18]

I imagine we could have a new "sane" mode, where we don't do any of this now for
the "--gpu-sandbox-start-after-initialization" case.

   static const char kLdSoCache[] = "/etc/ld.so.cache";
 
   // Files needed by the ARM GPU userspace.
   static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2";
   static const char kLibEglPath[] = "/usr/lib/libEGL.so.1";
 
   read_whitelist->push_back(kXAuthorityPath);
   read_whitelist->push_back(kLdSoCache);
   read_whitelist->push_back(kLibGlesPath);
   read_whitelist->push_back(kLibEglPath);
 
   AddArmMaliGpuWhitelist(read_whitelist, write_whitelist);
-  AddArmTegraGpuWhitelist(read_whitelist, write_whitelist);
 }
 
 class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy {
  public:
   CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {}
   virtual ~CrosArmGpuBrokerProcessPolicy() {}
 
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
@@ skipping 26 matching lines @@
                                                    int sysno) const {
 #if defined(__arm__)
   if (allow_shmat_ && sysno == __NR_shmat)
     return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif  // defined(__arm__)
 
   switch (sysno) {
 #if defined(__arm__)
     // ARM GPU sandbox is started earlier so we need to allow networking
     // in the sandbox.
     case __NR_connect:

[jln (very slow on Chromium), 2014/03/27 00:56:18]

This stuff is hopefully not needed either with
--gpu-sandbox-start-after-initialization

     case __NR_getpeername:
     case __NR_getsockname:
     case __NR_sysinfo:
     case __NR_uname:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     // Allow only AF_UNIX for |domain|.
     case __NR_socket:
     case __NR_socketpair:
       return sandbox->Cond(0, ErrorCode::TP_32BIT,
                            ErrorCode::OP_EQUAL, AF_UNIX,
@@ skipping 24 matching lines @@
                  base::Passed(scoped_ptr<sandbox::SandboxBPFPolicy>(
                      new CrosArmGpuBrokerProcessPolicy))),
       read_whitelist_extra,
       write_whitelist_extra);
 
   const int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE;
 
   // Preload the Mali library.
   dlopen("/usr/lib/libmali.so", dlopen_flag);
 
-  // Preload the Tegra libraries.
-  dlopen("/usr/lib/libnvrm.so", dlopen_flag);
-  dlopen("/usr/lib/libnvrm_graphics.so", dlopen_flag);
-  dlopen("/usr/lib/libnvidia-glsi.so", dlopen_flag);
-  dlopen("/usr/lib/libnvidia-rmapi-tegra.so", dlopen_flag);
-  dlopen("/usr/lib/libnvidia-eglcore.so", dlopen_flag);
-  // TODO(davidung): remove these libraries before nyan launch.
-
   return true;
 }
 
 }  // namespace content