ExynosVideoEncodeAccelerator

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
@@ skipping 1776 matching lines @@
 
 void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist,
                             std::vector<std::string>* write_whitelist) {
   // Device file needed by the ARM GPU userspace.
   static const char kMali0Path[] = "/dev/mali0";
 
   // Devices needed for video decode acceleration on ARM.
   static const char kDevMfcDecPath[] = "/dev/mfc-dec";
   static const char kDevGsc1Path[] = "/dev/gsc1";
 
+  // Devices needed for video encode acceleration on ARM.
+  static const char kDevMfcEncPath[] = "/dev/mfc-enc";

[jln (very slow on Chromium), 2013/08/14 04:30:17]

Is there no way that this device could be opened, once, prior to engaging the
sandbox?

Same question for kDevMfcDecPath[]. Since the code to use this seems to be in
Chromium, hopefully it could be "Pre warmed" ?

See WarmUpSandbox() in gpu_main.cc.

We really need to remove complexity from the sandbox and instead have
sandbox-friendly code.

[sheu, 2013/08/14 05:44:44]

Yep.

Every time you open the device you get another encoder/decoder context.  We need
a new context for each encode/decode.

+
   read_whitelist->push_back(kMali0Path);
   read_whitelist->push_back(kDevMfcDecPath);
   read_whitelist->push_back(kDevGsc1Path);
+  read_whitelist->push_back(kDevMfcEncPath);
 
   write_whitelist->push_back(kMali0Path);
   write_whitelist->push_back(kDevMfcDecPath);
   write_whitelist->push_back(kDevGsc1Path);
+  read_whitelist->push_back(kDevMfcEncPath);

[hshi1, 2013/08/14 01:21:35]

Did you mean write_whitelist->push_back(kDevMfcEncPath); ?

[jln (very slow on Chromium), 2013/08/14 04:30:17]

If this works fine without write access, please remove this line entirely, but
that seems very surprising.

[sheu, 2013/08/14 05:44:44]

Lulz.  I forgot to actually remove the --no-sandbox flag when testing.

Tested now.

 }
 
 void AddArmTegraGpuWhitelist(std::vector<std::string>* read_whitelist,
                              std::vector<std::string>* write_whitelist) {
   // Device files needed by the Tegra GPU userspace.
   static const char kDevNvhostCtrlPath[] = "/dev/nvhost-ctrl";
   static const char kDevNvhostGr2dPath[] = "/dev/nvhost-gr2d";
   static const char kDevNvhostGr3dPath[] = "/dev/nvhost-gr3d";
   static const char kDevNvhostIspPath[] = "/dev/nvhost-isp";
   static const char kDevNvhostViPath[] = "/dev/nvhost-vi";
@@ skipping 257 matching lines @@
   return false;
 }
 
 #if defined(SECCOMP_BPF_SANDBOX)
 playground2::BpfSandboxPolicyCallback SandboxSeccompBpf::GetBaselinePolicy() {
   return base::Bind(&BaselinePolicyWithAux);
 }
 #endif  // defined(SECCOMP_BPF_SANDBOX)
 
 }  // namespace content