Linux Sandbox: split the GPU policies to their own file.

content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <asm/unistd.h>
+#include "content/common/sandbox_linux/sandbox_bpf_gpu_policy_linux.h"
+
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
-#include <linux/net.h>
-#include <signal.h>
-#include <string.h>
-#include <sys/ioctl.h>
-#include <sys/mman.h>
-#include <sys/prctl.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <ucontext.h>
 #include <unistd.h>
 
+#include <string>
 #include <vector>
 
-#include "base/basictypes.h"
 #include "base/command_line.h"
+#include "base/compiler_specific.h"
 #include "base/logging.h"
-#include "build/build_config.h"
-#include "content/common/sandbox_linux.h"
-#include "content/common/sandbox_seccomp_bpf_linux.h"
+#include "base/memory/scoped_ptr.h"
+#include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
+#include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
-#include "sandbox/linux/services/broker_process.h"
-
-// These are the only architectures supported for now.
-#if defined(__i386__) || defined(__x86_64__) || \
-    (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__)))
-#define SECCOMP_BPF_SANDBOX
-#endif
-
-#if defined(SECCOMP_BPF_SANDBOX)
-#include "base/posix/eintr_wrapper.h"
-#include "content/common/sandbox_bpf_base_policy_linux.h"
-#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
-#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
-#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+#include "sandbox/linux/services/broker_process.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
-using sandbox::BaselinePolicy;
 using sandbox::BrokerProcess;
 using sandbox::ErrorCode;
 using sandbox::SandboxBPF;
 using sandbox::SyscallSets;
 using sandbox::arch_seccomp_data;
 
 namespace content {
 
 namespace {
 
-void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy);
+void InitGpuBrokerProcess(bool (*broker_sandboxer_callback)(void),
+                          bool for_chromeos_arm,
+                          const std::vector<std::string>& read_whitelist_extra,
+                          const std::vector<std::string>& write_whitelist_extra,
+                          BrokerProcess** broker_process);
+
+void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist,
+                        std::vector<std::string>* write_whitelist);
+bool EnableGpuBrokerPolicyCallback();
+bool EnableArmGpuBrokerPolicyCallback();
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
 inline bool IsArchitectureX86_64() {
@@ skipping 13 matching lines @@
 }
 
 inline bool IsArchitectureArm() {
 #if defined(__arm__)
   return true;
 #else
   return false;
 #endif
 }
 
-inline bool IsUsingToolKitGtk() {
-#if defined(TOOLKIT_GTK)
-  return true;
-#else
-  return false;
-#endif
-}
-
-// Policies for the GPU process.
-// TODO(jln): move to gpu/
-
 bool IsAcceleratedVideoDecodeEnabled() {
   // Accelerated video decode is currently enabled on Chrome OS,
   // but not on Linux: crbug.com/137247.
   bool is_enabled = IsChromeOS();
 
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   is_enabled = is_enabled &&
       !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);
 
   return is_enabled;
@@ skipping 21 matching lines @@
         return -EPERM;
       }
     default:
       RAW_CHECK(false);
       return -ENOSYS;
   }
 }
 
 class GpuProcessPolicy : public SandboxBPFBasePolicy {
  public:
-  explicit GpuProcessPolicy(void* broker_process)
-      : broker_process_(broker_process) {}
+  GpuProcessPolicy() : broker_process_(NULL) {}
   virtual ~GpuProcessPolicy() {}
 
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
+  virtual bool PreSandboxHook() OVERRIDE;
+
+ protected:
+  BrokerProcess* broker_process() { return broker_process_; }
+  void set_broker_process(BrokerProcess* broker_process) {

[Jorge Lucangeli Obes, 2013/12/12 21:37:21]

Is this the correct style for the setter?

[Robert Sesek, 2013/12/12 21:41:43]

Yes, simple accessors use unix_hacker_style and get inlined.

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Functi...

[jln (very slow on Chromium), 2013/12/12 22:15:14]

Done.

[jln (very slow on Chromium), 2013/12/12 22:15:14]

Done.

+    broker_process_ = broker_process;
+  }
 
  private:
-  const void* broker_process_;  // Non-owning pointer.
+  // A BrokerProcess is a helper that is started before the sandbox is engaged
+  // and will serve requests to access files over an IPC. The client of this

[Jorge Lucangeli Obes, 2013/12/12 21:37:21]

I would say "over IPC" or "over an IPC channel".

[jln (very slow on Chromium), 2013/12/12 22:15:14]

Done.

+  // runs from a SIGSYS handler triggered by the seccomp-bpf sandbox.
+  // This should never be destroyed, as after the sandbox is started it is
+  // vital to the process.
+  // This is allocated by PreSandboxHook(), which executes iff the sandbox
+  // is going to be enabled afterwards.
+  BrokerProcess* broker_process_;
   DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy);
 };
 
-// Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy.
+// Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy.
 ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                             int sysno) const {
   switch (sysno) {
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     // The Nvidia driver uses flags not in the baseline policy
     // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
     case __NR_mmap:
 #endif
     // We also hit this on the linux_chromeos bot but don't yet know what
     // weird flags were involved.
     case __NR_mprotect:
     case __NR_sched_getaffinity:
     case __NR_sched_setaffinity:
     case __NR_setpriority:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_access:
     case __NR_open:
     case __NR_openat:
+      DCHECK(broker_process_);
       return sandbox->Trap(GpuSIGSYS_Handler, broker_process_);
     default:
       if (SyscallSets::IsEventFd(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 
       // Default on the baseline policy.
       return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
+bool GpuProcessPolicy::PreSandboxHook() {
+  // Warm up resources needed by the policy we're about to enable and
+  // eventually start a broker process.
+  const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm();
+  DCHECK(!chromeos_arm_gpu);

[Jorge Lucangeli Obes, 2013/12/12 21:37:21]

Maybe add a comment reminding the reader "This policy is only used on
x86_64/i386." The previous comment to this effect is in a different function.

[jln (very slow on Chromium), 2013/12/12 22:15:14]

Done, but not that it's also used on ARM desktop. Even though ARM Desktop is not
really a thing.

+
+  BrokerProcess* broker_process_temp = NULL;
+  DCHECK(!broker_process());
+  // Create a new broker process.
+  InitGpuBrokerProcess(
+      EnableGpuBrokerPolicyCallback,
+      false /* not for ChromeOS ARM */,
+      std::vector<std::string>(),  // No extra files in whitelist.
+      std::vector<std::string>(),
+      &broker_process_temp);
+  set_broker_process(broker_process_temp);
+
+  if (IsArchitectureX86_64() || IsArchitectureI386()) {
+    // Accelerated video decode dlopen()'s some shared objects
+    // inside the sandbox, so preload them now.
+    if (IsAcceleratedVideoDecodeEnabled()) {
+      const char* I965DrvVideoPath = NULL;
+
+      if (IsArchitectureX86_64()) {
+        I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
+      } else if (IsArchitectureI386()) {
+        I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
+      }
+
+      dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+      dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+      dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+    }
+  }
+
+  return true;
+}
+
 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
  public:
-  GpuBrokerProcessPolicy() : GpuProcessPolicy(NULL) {}
+  GpuBrokerProcessPolicy() {}
   virtual ~GpuBrokerProcessPolicy() {}
 
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
 };
 
-// x86_64/i386.
+// x86_64/i386 or desktop ARM.
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
 ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                   int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
-class ArmGpuProcessPolicy : public GpuProcessPolicy {
+// This policy is for Chrome OS ARM.
+class CrosArmGpuProcessPolicy : public GpuProcessPolicy {
  public:
-  explicit ArmGpuProcessPolicy(void* broker_process, bool allow_shmat)
-      : GpuProcessPolicy(broker_process), allow_shmat_(allow_shmat) {}
-  virtual ~ArmGpuProcessPolicy() {}
+  explicit CrosArmGpuProcessPolicy(bool allow_shmat)
+      : allow_shmat_(allow_shmat) {}
+  virtual ~CrosArmGpuProcessPolicy() {}
 
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
+  virtual bool PreSandboxHook() OVERRIDE;
 
  private:
   const bool allow_shmat_;  // Allow shmat(2).
-  DISALLOW_COPY_AND_ASSIGN(ArmGpuProcessPolicy);
+  DISALLOW_COPY_AND_ASSIGN(CrosArmGpuProcessPolicy);
 };
 
 // Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy.
-ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                               int sysno) const {
+ErrorCode CrosArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                                   int sysno) const {
 #if defined(__arm__)
   if (allow_shmat_ && sysno == __NR_shmat)
     return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif  // defined(__arm__)
 
   switch (sysno) {
 #if defined(__arm__)
     // ARM GPU sandbox is started earlier so we need to allow networking
     // in the sandbox.
     case __NR_connect:
@@ skipping 12 matching lines @@
 #endif  // defined(__arm__)
     default:
       if (SyscallSets::IsAdvancedScheduler(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 
       // Default to the generic GPU policy.
       return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
-class ArmGpuBrokerProcessPolicy : public ArmGpuProcessPolicy {
+bool CrosArmGpuProcessPolicy::PreSandboxHook() {
+  DCHECK(IsChromeOS() && IsArchitectureArm());
+  // Create a new broker process.
+  BrokerProcess* broker_process_temp = NULL;
+  DCHECK(!broker_process());
+
+  std::vector<std::string> read_whitelist_extra;
+  std::vector<std::string> write_whitelist_extra;
+  // Add arm specific files to whitelist in the broker.

[Jorge Lucangeli Obes, 2013/12/12 21:37:21]

ARM-specific

[jln (very slow on Chromium), 2013/12/12 22:15:14]

Done.

+
+  AddArmGpuWhitelist(&read_whitelist_extra, &write_whitelist_extra);
+  InitGpuBrokerProcess(EnableArmGpuBrokerPolicyCallback,
+                       true /* for ChromeOS ARM */,
+                       read_whitelist_extra,
+                       write_whitelist_extra,
+                       &broker_process_temp);
+  set_broker_process(broker_process_temp);
+
+  // Preload the Mali library.
+  dlopen("/usr/lib/libmali.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+
+  // Preload the Tegra libraries.
+  dlopen("/usr/lib/libnvrm.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libnvrm_graphics.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libnvos.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libnvddk_2d.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libardrv_dynamic.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libnvwsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libnvglsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+  dlopen("/usr/lib/libcgdrv.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
+
+  return true;
+}
+
+class CrosArmGpuBrokerProcessPolicy : public CrosArmGpuProcessPolicy {
  public:
-  ArmGpuBrokerProcessPolicy() : ArmGpuProcessPolicy(NULL, false) {}
-  virtual ~ArmGpuBrokerProcessPolicy() {}
+  CrosArmGpuBrokerProcessPolicy() : CrosArmGpuProcessPolicy(false) {}
+  virtual ~CrosArmGpuBrokerProcessPolicy() {}
 
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
-  DISALLOW_COPY_AND_ASSIGN(ArmGpuBrokerProcessPolicy);
+  DISALLOW_COPY_AND_ASSIGN(CrosArmGpuBrokerProcessPolicy);
 };
 
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                     int sysno) const {
+ErrorCode CrosArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+    int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
-      return ArmGpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
-  }
-}
-
-// Policy for renderer and worker processes.
-// TODO(jln): move to renderer/
-
-class RendererOrWorkerProcessPolicy : public SandboxBPFBasePolicy {
- public:
-  RendererOrWorkerProcessPolicy() {}
-  virtual ~RendererOrWorkerProcessPolicy() {}
-
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(RendererOrWorkerProcessPolicy);
-};
-
-ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                         int sysno) const {
-  switch (sysno) {
-    case __NR_clone:
-      return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox);
-    case __NR_ioctl:
-      return sandbox::RestrictIoctl(sandbox);
-    case __NR_prctl:
-      return sandbox::RestrictPrctl(sandbox);
-    // Allow the system calls below.
-    case __NR_fdatasync:
-    case __NR_fsync:
-    case __NR_getpriority:
-#if defined(__i386__) || defined(__x86_64__)
-    case __NR_getrlimit:
-#endif
-#if defined(__i386__) || defined(__arm__)
-    case __NR_ugetrlimit:
-#endif
-    case __NR_mremap:   // See crbug.com/149834.
-    case __NR_pread64:
-    case __NR_pwrite64:
-    case __NR_sched_getaffinity:
-    case __NR_sched_get_priority_max:
-    case __NR_sched_get_priority_min:
-    case __NR_sched_getparam:
-    case __NR_sched_getscheduler:
-    case __NR_sched_setscheduler:
-    case __NR_setpriority:
-    case __NR_sysinfo:
-    case __NR_times:
-    case __NR_uname:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
-    case __NR_prlimit64:
-      return ErrorCode(EPERM);  // See crbug.com/160157.
-    default:
-      if (IsUsingToolKitGtk()) {
-#if defined(__x86_64__) || defined(__arm__)
-        if (SyscallSets::IsSystemVSharedMemory(sysno))
-          return ErrorCode(ErrorCode::ERR_ALLOWED);
-#endif
-#if defined(__i386__)
-        if (SyscallSets::IsSystemVIpc(sysno))
-          return ErrorCode(ErrorCode::ERR_ALLOWED);
-#endif
-      }
-
-      // Default on the content baseline policy.
-      return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
-  }
-}
-
-// Policy for PPAPI plugins.
-// TODO(jln): move to ppapi_plugin/.
-class FlashProcessPolicy : public SandboxBPFBasePolicy {
- public:
-  FlashProcessPolicy() {}
-  virtual ~FlashProcessPolicy() {}
-
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(FlashProcessPolicy);
-};
-
-ErrorCode FlashProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                              int sysno) const {
-  switch (sysno) {
-    case __NR_clone:
-      return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox);
-    case __NR_pread64:
-    case __NR_pwrite64:
-    case __NR_sched_get_priority_max:
-    case __NR_sched_get_priority_min:
-    case __NR_sched_getaffinity:
-    case __NR_sched_getparam:
-    case __NR_sched_getscheduler:
-    case __NR_sched_setscheduler:
-    case __NR_times:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
-    case __NR_ioctl:
-      return ErrorCode(ENOTTY);  // Flash Access.
-    default:
-      if (IsUsingToolKitGtk()) {
-#if defined(__x86_64__) || defined(__arm__)
-        if (SyscallSets::IsSystemVSharedMemory(sysno))
-          return ErrorCode(ErrorCode::ERR_ALLOWED);
-#endif
-#if defined(__i386__)
-        if (SyscallSets::IsSystemVIpc(sysno))
-          return ErrorCode(ErrorCode::ERR_ALLOWED);
-#endif
-      }
-
-      // Default on the baseline policy.
-      return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
-  }
-}
-
-class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy {
- public:
-  BlacklistDebugAndNumaPolicy() {}
-  virtual ~BlacklistDebugAndNumaPolicy() {}
-
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy);
-};
-
-ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                       int sysno) const {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // TODO(jln) we should not have to do that in a trivial policy.
-    return ErrorCode(ENOSYS);
-  }
-  if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno))
-    return sandbox->Trap(sandbox::CrashSIGSYS_Handler, NULL);
-
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
-}
-
-class AllowAllPolicy : public SandboxBPFBasePolicy {
- public:
-  AllowAllPolicy() {}
-  virtual ~AllowAllPolicy() {}
-
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
-};
-
-// Allow all syscalls.
-// This will still deny x32 or IA32 calls in 64 bits mode or
-// 64 bits system calls in compatibility mode.
-ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    // TODO(jln) we should not have to do that in a trivial policy.
-    return ErrorCode(ENOSYS);
-  } else {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
-  }
-}
-
-// If a BPF policy is engaged for |process_type|, run a few sanity checks.
-void RunSandboxSanityChecks(const std::string& process_type) {
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess ||
-      process_type == switches::kGpuProcess ||
-      process_type == switches::kPpapiPluginProcess) {
-    int syscall_ret;
-    errno = 0;
-
-    // Without the sandbox, this would EBADF.
-    syscall_ret = fchmod(-1, 07777);
-    CHECK_EQ(-1, syscall_ret);
-    CHECK_EQ(EPERM, errno);
-
-    // Run most of the sanity checks only in DEBUG mode to avoid a perf.
-    // impact.
-#if !defined(NDEBUG)
-    // open() must be restricted.
-    syscall_ret = open("/etc/passwd", O_RDONLY);
-    CHECK_EQ(-1, syscall_ret);
-    CHECK_EQ(SandboxBPFBasePolicy::GetFSDeniedErrno(), errno);
-
-    // We should never allow the creation of netlink sockets.
-    syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0);
-    CHECK_EQ(-1, syscall_ret);
-    CHECK_EQ(EPERM, errno);
-#endif  // !defined(NDEBUG)
+      return CrosArmGpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 bool EnableGpuBrokerPolicyCallback() {
-  StartSandboxWithPolicy(new GpuBrokerProcessPolicy);
-  return true;
+  return SandboxSeccompBPF::StartSandboxWithExternalPolicy(
+      scoped_ptr<sandbox::SandboxBPFPolicy>(new GpuBrokerProcessPolicy));
 }
 
 bool EnableArmGpuBrokerPolicyCallback() {
-  StartSandboxWithPolicy(new ArmGpuBrokerProcessPolicy);
-  return true;
+  return SandboxSeccompBPF::StartSandboxWithExternalPolicy(
+      scoped_ptr<sandbox::SandboxBPFPolicy>(new CrosArmGpuBrokerProcessPolicy));
 }
 
-// Files needed by the ARM GPU userspace.
-static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2";
-static const char kLibEglPath[] = "/usr/lib/libEGL.so.1";
-
 void AddArmMaliGpuWhitelist(std::vector<std::string>* read_whitelist,
                             std::vector<std::string>* write_whitelist) {
   // Device file needed by the ARM GPU userspace.
   static const char kMali0Path[] = "/dev/mali0";
 
   // Devices needed for video decode acceleration on ARM.
   static const char kDevMfcDecPath[] = "/dev/mfc-dec";
   static const char kDevGsc1Path[] = "/dev/gsc1";
 
   // Devices needed for video encode acceleration on ARM.
@@ skipping 38 matching lines @@
   write_whitelist->push_back(kDevTegraSemaPath);
 }
 
 void AddArmGpuWhitelist(std::vector<std::string>* read_whitelist,
                         std::vector<std::string>* write_whitelist) {
   // On ARM we're enabling the sandbox before the X connection is made,
   // so we need to allow access to |.Xauthority|.
   static const char kXAuthorityPath[] = "/home/chronos/.Xauthority";
   static const char kLdSoCache[] = "/etc/ld.so.cache";
 
+  // Files needed by the ARM GPU userspace.
+  static const char kLibGlesPath[] = "/usr/lib/libGLESv2.so.2";
+  static const char kLibEglPath[] = "/usr/lib/libEGL.so.1";
+
   read_whitelist->push_back(kXAuthorityPath);
   read_whitelist->push_back(kLdSoCache);
   read_whitelist->push_back(kLibGlesPath);
   read_whitelist->push_back(kLibEglPath);
 
   AddArmMaliGpuWhitelist(read_whitelist, write_whitelist);
   AddArmTegraGpuWhitelist(read_whitelist, write_whitelist);
 }
 
 // Start a broker process to handle open() inside the sandbox.
-void InitGpuBrokerProcess(bool for_chromeos_arm,
+// |broker_sandboxer_callback| is a callback that will enable a suitable
+// sandbox for the broker process itself.
+// |read_whitelist_extra| and |write_whitelist_extra| are lists of file
+// names that should be whitelisted by the broker process, in addition to
+// the basic ones.
+void InitGpuBrokerProcess(bool (*broker_sandboxer_callback)(void),
+                          bool for_chromeos_arm,
+                          const std::vector<std::string>& read_whitelist_extra,
+                          const std::vector<std::string>& write_whitelist_extra,
                           BrokerProcess** broker_process) {
   static const char kDriRcPath[] = "/etc/drirc";
   static const char kDriCard0Path[] = "/dev/dri/card0";
 
   CHECK(broker_process);
   CHECK(*broker_process == NULL);
 
-  bool (*sandbox_callback)(void) = NULL;
-
   // All GPU process policies need these files brokered out.
   std::vector<std::string> read_whitelist;
   read_whitelist.push_back(kDriCard0Path);
   read_whitelist.push_back(kDriRcPath);
+  // Add eventual extra files from read_whitelist_extra.
+  read_whitelist.insert(read_whitelist.end(),
+                        read_whitelist_extra.begin(),
+                        read_whitelist_extra.end());
 
   std::vector<std::string> write_whitelist;
   write_whitelist.push_back(kDriCard0Path);
-
-  if (for_chromeos_arm) {
-    // We shouldn't be using this policy on non-ARM architectures.
-    DCHECK(IsArchitectureArm());
-    AddArmGpuWhitelist(&read_whitelist, &write_whitelist);
-    sandbox_callback = EnableArmGpuBrokerPolicyCallback;
-  } else {
-    sandbox_callback = EnableGpuBrokerPolicyCallback;
-  }
+  // Add eventual extra files from write_whitelist_extra.
+  write_whitelist.insert(write_whitelist.end(),
+                         write_whitelist_extra.begin(),
+                         write_whitelist_extra.end());
 
   *broker_process = new BrokerProcess(SandboxBPFBasePolicy::GetFSDeniedErrno(),
                                       read_whitelist,
                                       write_whitelist);
   // Initialize the broker process and give it a sandbox callback.
-  CHECK((*broker_process)->Init(sandbox_callback));
-}
-
-// Warms up/preloads resources needed by the policies.
-// Eventually start a broker process and return it in broker_process.
-void WarmupPolicy(bool chromeos_arm_gpu,
-                  BrokerProcess** broker_process) {
-  if (!chromeos_arm_gpu) {
-    // Create a new broker process.
-    InitGpuBrokerProcess(false /* not for ChromeOS ARM */, broker_process);
-
-    if (IsArchitectureX86_64() || IsArchitectureI386()) {
-      // Accelerated video decode dlopen()'s some shared objects
-      // inside the sandbox, so preload them now.
-      if (IsAcceleratedVideoDecodeEnabled()) {
-        const char* I965DrvVideoPath = NULL;
-
-        if (IsArchitectureX86_64()) {
-          I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
-        } else if (IsArchitectureI386()) {
-          I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
-        }
-
-        dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-        dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-        dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-      }
-    }
-  } else {
-    // ChromeOS ARM GPU policy.
-    // Create a new broker process.
-    InitGpuBrokerProcess(true /* for ChromeOS ARM */, broker_process);
-
-    // Preload the Mali library.
-    dlopen("/usr/lib/libmali.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-
-    // Preload the Tegra libraries.
-    dlopen("/usr/lib/libnvrm.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libnvrm_graphics.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libnvos.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libnvddk_2d.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libardrv_dynamic.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libnvwsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libnvglsi.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-    dlopen("/usr/lib/libcgdrv.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
-  }
-}
-
-void StartGpuProcessSandbox(const CommandLine& command_line,
-                            const std::string& process_type) {
-  bool chromeos_arm_gpu = false;
-  bool allow_sysv_shm = false;
-
-  if (process_type == switches::kGpuProcess) {
-    // On Chrome OS ARM, we need a specific GPU process policy.
-    if (IsChromeOS() && IsArchitectureArm()) {
-      chromeos_arm_gpu = true;
-      if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) {
-        allow_sysv_shm = true;
-      }
-    }
-  }
-
-  // This should never be destroyed, as after the sandbox is started it is
-  // vital to the process. Ownership is transfered to the policies and then to
-  // the BPF sandbox which will keep it around to service SIGSYS traps from the
-  // kernel.
-  BrokerProcess* broker_process = NULL;
-  // Warm up resources needed by the policy we're about to enable and
-  // eventually start a broker process.
-  WarmupPolicy(chromeos_arm_gpu, &broker_process);
-
-  scoped_ptr<SandboxBPFBasePolicy> gpu_policy;
-  if (chromeos_arm_gpu) {
-    gpu_policy.reset(new ArmGpuProcessPolicy(broker_process, allow_sysv_shm));
-  } else {
-    gpu_policy.reset(new GpuProcessPolicy(broker_process));
-  }
-  StartSandboxWithPolicy(gpu_policy.release());
-}
-
-// This function takes ownership of |policy|.
-void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy) {
-  // Starting the sandbox is a one-way operation. The kernel doesn't allow
-  // us to unload a sandbox policy after it has been started. Nonetheless,
-  // in order to make the use of the "Sandbox" object easier, we allow for
-  // the object to be destroyed after the sandbox has been started. Note that
-  // doing so does not stop the sandbox.
-  SandboxBPF sandbox;
-  sandbox.SetSandboxPolicy(policy);
-  sandbox.StartSandbox();
-}
-
-void StartNonGpuSandbox(const std::string& process_type) {
-  scoped_ptr<SandboxBPFBasePolicy> policy;
-
-  if (process_type == switches::kRendererProcess ||
-      process_type == switches::kWorkerProcess) {
-    policy.reset(new RendererOrWorkerProcessPolicy);
-  } else if (process_type == switches::kPpapiPluginProcess) {
-    policy.reset(new FlashProcessPolicy);
-  } else if (process_type == switches::kUtilityProcess) {
-    policy.reset(new BlacklistDebugAndNumaPolicy);
-  } else {
-    NOTREACHED();
-    policy.reset(new AllowAllPolicy);
-  }
-
-  StartSandboxWithPolicy(policy.release());
-}
-
-// Initialize the seccomp-bpf sandbox.
-bool StartBPFSandbox(const CommandLine& command_line,
-                     const std::string& process_type) {
-
-  if (process_type == switches::kGpuProcess) {
-    StartGpuProcessSandbox(command_line, process_type);
-  } else {
-    StartNonGpuSandbox(process_type);
-  }
-
-  RunSandboxSanityChecks(process_type);
-  return true;
+  CHECK((*broker_process)->Init(broker_sandboxer_callback));
 }
 
 }  // namespace
 
-#endif  // SECCOMP_BPF_SANDBOX
+scoped_ptr<SandboxBPFBasePolicy> GetGpuProcessSandbox() {
+  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
+  bool allow_sysv_shm = false;
+  if (command_line.HasSwitch(switches::kGpuSandboxAllowSysVShm)) {
+    DCHECK(IsArchitectureArm());
+    allow_sysv_shm = true;
+  }
 
-// Is seccomp BPF globally enabled?
-bool SandboxSeccompBPF::IsSeccompBPFDesired() {
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  if (!command_line.HasSwitch(switches::kNoSandbox) &&
-      !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
-    return true;
+  if (IsChromeOS() && IsArchitectureArm()) {
+    return scoped_ptr<SandboxBPFBasePolicy>(
+        new CrosArmGpuProcessPolicy(allow_sysv_shm));
   } else {
-    return false;
+    return scoped_ptr<SandboxBPFBasePolicy>(new GpuProcessPolicy);
   }
 }
 
-bool SandboxSeccompBPF::ShouldEnableSeccompBPF(
-    const std::string& process_type) {
-#if defined(SECCOMP_BPF_SANDBOX)
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-  if (process_type == switches::kGpuProcess)
-    return !command_line.HasSwitch(switches::kDisableGpuSandbox);
-
-  return true;
-#endif  // SECCOMP_BPF_SANDBOX
-  return false;
-}
-
-bool SandboxSeccompBPF::SupportsSandbox() {
-#if defined(SECCOMP_BPF_SANDBOX)
-  // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
-  // here.
-  SandboxBPF::SandboxStatus bpf_sandbox_status =
-      SandboxBPF::SupportsSeccompSandbox(-1);
-  // Kernel support is what we are interested in here. Other status
-  // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support.
-  // We make this a negative check, since if there is a bug, we would rather
-  // "fail closed" (expect a sandbox to be available and try to start it).
-  if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) {
-    return true;
-  }
-#endif
-  return false;
-}
-
-bool SandboxSeccompBPF::StartSandbox(const std::string& process_type) {
-#if defined(SECCOMP_BPF_SANDBOX)
-  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-
-  if (IsSeccompBPFDesired() &&  // Global switches policy.
-      ShouldEnableSeccompBPF(process_type) &&  // Process-specific policy.
-      SupportsSandbox()) {
-    // If the kernel supports the sandbox, and if the command line says we
-    // should enable it, enable it or die.
-    bool started_sandbox = StartBPFSandbox(command_line, process_type);
-    CHECK(started_sandbox);
-    return true;
-  }
-#endif
-  return false;
-}
-
-bool SandboxSeccompBPF::StartSandboxWithExternalPolicy(
-    scoped_ptr<sandbox::SandboxBPFPolicy> policy) {
-#if defined(SECCOMP_BPF_SANDBOX)
-  if (IsSeccompBPFDesired() && SupportsSandbox()) {
-    CHECK(policy);
-    StartSandboxWithPolicy(policy.release());
-    return true;
-  }
-#endif  // defined(SECCOMP_BPF_SANDBOX)
-  return false;
-}
-
-scoped_ptr<sandbox::SandboxBPFPolicy>
-SandboxSeccompBPF::GetBaselinePolicy() {
-#if defined(SECCOMP_BPF_SANDBOX)
-  return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy);
-#else
-  return scoped_ptr<sandbox::SandboxBPFPolicy>();
-#endif  // defined(SECCOMP_BPF_SANDBOX)
-}
-
 }  // namespace content