sandbox: Extend BrokerPolicy to support file creation

content/common/sandbox_linux/bpf_gpu_policy_linux.cc

Index: content/common/sandbox_linux/bpf_gpu_policy_linux.cc
diff --git a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
index 700ae526cc8e4b05089af491d0221a9303600a81..3e2208a9e72f3fb19f7d7210aaf78847580045e3 100644
--- a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
@@ -32,6 +32,11 @@
 #include "sandbox/linux/syscall_broker/broker_process.h"
 
 using sandbox::syscall_broker::BrokerProcess;
+using sandbox::syscall_broker::BrokerFilePermission;

[mdempsky, 2014/11/18 22:23:40]

Nit: Sort.  (Technically I think all of the sandbox::syscall_broker::* lines
should go below sandbox::bpf_dsl, since we seem to usually sort by simple
ASCII.)

+using sandbox::syscall_broker::BrokerFilePermissionReadOnly;
+using sandbox::syscall_broker::BrokerFilePermissionReadWrite;
+using sandbox::syscall_broker::
+    BrokerFilePermissionReadWriteCreateUnlinkRecursive;
 using sandbox::SyscallSets;
 using sandbox::arch_seccomp_data;
 using sandbox::bpf_dsl::Allow;
@@ -231,8 +236,7 @@ bool GpuProcessPolicy::PreSandboxHook() {
   // Create a new broker process.
   InitGpuBrokerProcess(
       GpuBrokerProcessPolicy::Create,
-      std::vector<std::string>(),  // No extra files in whitelist.
-      std::vector<std::string>());
+      std::vector<BrokerFilePermission>());  // No extra files in whitelist.
 
   if (IsArchitectureX86_64() || IsArchitectureI386()) {
     // Accelerated video dlopen()'s some shared objects
@@ -257,32 +261,23 @@ bool GpuProcessPolicy::PreSandboxHook() {
 
 void GpuProcessPolicy::InitGpuBrokerProcess(
     sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
-    const std::vector<std::string>& read_whitelist_extra,
-    const std::vector<std::string>& write_whitelist_extra) {
+    const std::vector<BrokerFilePermission>& permissions_extra) {
   static const char kDriRcPath[] = "/etc/drirc";
   static const char kDriCard0Path[] = "/dev/dri/card0";
 
   CHECK(broker_process_ == NULL);
 
   // All GPU process policies need these files brokered out.
-  std::vector<std::string> read_whitelist;
-  read_whitelist.push_back(kDriCard0Path);
-  read_whitelist.push_back(kDriRcPath);
-  // Add eventual extra files from read_whitelist_extra.
-  read_whitelist.insert(read_whitelist.end(),
-                        read_whitelist_extra.begin(),
-                        read_whitelist_extra.end());
-
-  std::vector<std::string> write_whitelist;
-  write_whitelist.push_back(kDriCard0Path);
-  // Add eventual extra files from write_whitelist_extra.
-  write_whitelist.insert(write_whitelist.end(),
-                         write_whitelist_extra.begin(),
-                         write_whitelist_extra.end());
-
-  broker_process_ = new BrokerProcess(GetFSDeniedErrno(),
-                                      read_whitelist,
-                                      write_whitelist);
+  std::vector<BrokerFilePermission> permissions;
+  permissions.push_back(BrokerFilePermissionReadWrite(kDriCard0Path));
+  permissions.push_back(BrokerFilePermissionReadOnly(kDriRcPath));
+
+  // Add eventual extra files from permissions_extra.
+  for (const auto& perm : permissions_extra) {

[mdempsky, 2014/11/18 22:23:40]

(Could use "permissions.insert(permissions.end(), permissions_extra.begin(),
permissions_extra.end())", but as-is is okay by me too and perhaps easier to
understand.)

+    permissions.push_back(perm);
+  }
+
+  broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions);
   // The initialization callback will perform generic initialization and then
   // call broker_sandboxer_callback.
   CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,