search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Blink roll 25b6bd3a7a131ffe68d809546ad1a20707915cdc:3a503f41ae42e5b79cfcd2ff10e65afde...
[chromium-blink-merge.git] / content / common / sandbox_linux / bpf_gpu_policy_linux.cc
blob700ae526cc8e4b05089af491d0221a9303600a81
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
6
7 #include <dlfcn.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sys/socket.h>
11 #include <sys/stat.h>
12 #include <sys/types.h>
13 #include <unistd.h>
14
15 #include <string>
16 #include <vector>
17
18 #include "base/bind.h"
19 #include "base/command_line.h"
20 #include "base/compiler_specific.h"
21 #include "base/logging.h"
22 #include "base/memory/scoped_ptr.h"
23 #include "build/build_config.h"
24 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
25 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
26 #include "content/common/set_process_title.h"
27 #include "content/public/common/content_switches.h"
28 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
29 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
30 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
31 #include "sandbox/linux/services/linux_syscalls.h"
32 #include "sandbox/linux/syscall_broker/broker_process.h"
33
34 using sandbox::syscall_broker::BrokerProcess;
35 using sandbox::SyscallSets;
36 using sandbox::arch_seccomp_data;
37 using sandbox::bpf_dsl::Allow;
38 using sandbox::bpf_dsl::ResultExpr;
39 using sandbox::bpf_dsl::Trap;
40
41 namespace content {
42
43 namespace {
44
45 inline bool IsChromeOS() {
46 #if defined(OS_CHROMEOS)
47 return true;
48 #else
49 return false;
50 #endif
51 }
52
53 inline bool IsArchitectureX86_64() {
54 #if defined(__x86_64__)
55 return true;
56 #else
57 return false;
58 #endif
59 }
60
61 inline bool IsArchitectureI386() {
62 #if defined(__i386__)
63 return true;
64 #else
65 return false;
66 #endif
67 }
68
69 inline bool IsArchitectureArm() {
70 #if defined(__arm__)
71 return true;
72 #else
73 return false;
74 #endif
75 }
76
77 bool IsAcceleratedVideoEnabled() {
78 const base::CommandLine& command_line =
79 *base::CommandLine::ForCurrentProcess();
80 bool accelerated_encode_enabled = false;
81 #if defined(OS_CHROMEOS)
82 accelerated_encode_enabled =
83 !command_line.HasSwitch(switches::kDisableVaapiAcceleratedVideoEncode);
84 #endif
85 return !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode) ||
86 accelerated_encode_enabled;
87 }
88
89 intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args,
90 void* aux_broker_process) {
91 RAW_CHECK(aux_broker_process);
92 BrokerProcess* broker_process =
93 static_cast<BrokerProcess*>(aux_broker_process);
94 switch (args.nr) {
95 case __NR_access:
96 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
97 static_cast<int>(args.args[1]));
98 case __NR_open:
99 #if defined(MEMORY_SANITIZER)
100 // http://crbug.com/372840
101 __msan_unpoison_string(reinterpret_cast<const char*>(args.args[0]));
102 #endif
103 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
104 static_cast<int>(args.args[1]));
105 case __NR_openat:
106 // Allow using openat() as open().
107 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
108 return
109 broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
110 static_cast<int>(args.args[2]));
111 } else {
112 return -EPERM;
113 }
114 default:
115 RAW_CHECK(false);
116 return -ENOSYS;
117 }
118 }
119
120 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
121 public:
122 static sandbox::bpf_dsl::Policy* Create() {
123 return new GpuBrokerProcessPolicy();
124 }
125 ~GpuBrokerProcessPolicy() override {}
126
127 ResultExpr EvaluateSyscall(int system_call_number) const override;
128
129 private:
130 GpuBrokerProcessPolicy() {}
131 DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
132 };
133
134 // x86_64/i386 or desktop ARM.
135 // A GPU broker policy is the same as a GPU policy with open and
136 // openat allowed.
137 ResultExpr GpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const {
138 switch (sysno) {
139 case __NR_access:
140 case __NR_open:
141 case __NR_openat:
142 return Allow();
143 default:
144 return GpuProcessPolicy::EvaluateSyscall(sysno);
145 }
146 }
147
148 void UpdateProcessTypeToGpuBroker() {
149 base::CommandLine::StringVector exec =
150 base::CommandLine::ForCurrentProcess()->GetArgs();
151 base::CommandLine::Reset();
152 base::CommandLine::Init(0, NULL);
153 base::CommandLine::ForCurrentProcess()->InitFromArgv(exec);
154 base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
155 switches::kProcessType, "gpu-broker");
156
157 // Update the process title. The argv was already cached by the call to
158 // SetProcessTitleFromCommandLine in content_main_runner.cc, so we can pass
159 // NULL here (we don't have the original argv at this point).
160 SetProcessTitleFromCommandLine(NULL);
161 }
162
163 bool UpdateProcessTypeAndEnableSandbox(
164 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void)) {
165 DCHECK(broker_sandboxer_allocator);
166 UpdateProcessTypeToGpuBroker();
167 return SandboxSeccompBPF::StartSandboxWithExternalPolicy(
168 make_scoped_ptr(broker_sandboxer_allocator()));
169 }
170
171 } // namespace
172
173 GpuProcessPolicy::GpuProcessPolicy() : GpuProcessPolicy(false) {
174 }
175
176 GpuProcessPolicy::GpuProcessPolicy(bool allow_mincore)
177 : broker_process_(NULL), allow_mincore_(allow_mincore) {
178 }
179
180 GpuProcessPolicy::~GpuProcessPolicy() {}
181
182 // Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy.
183 ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
184 switch (sysno) {
185 case __NR_ioctl:
186 return Allow();
187 case __NR_mincore:
188 if (allow_mincore_) {
189 return Allow();
190 } else {
191 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
192 }
193 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
194 // The Nvidia driver uses flags not in the baseline policy
195 // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
196 case __NR_mmap:
197 #endif
198 // We also hit this on the linux_chromeos bot but don't yet know what
199 // weird flags were involved.
200 case __NR_mprotect:
201 // TODO(jln): restrict prctl.
202 case __NR_prctl:
203 return Allow();
204 case __NR_access:
205 case __NR_open:
206 case __NR_openat:
207 DCHECK(broker_process_);
208 return Trap(GpuSIGSYS_Handler, broker_process_);
209 case __NR_setpriority:
210 return sandbox::RestrictGetSetpriority(GetPolicyPid());
211 case __NR_sched_getaffinity:
212 case __NR_sched_setaffinity:
213 return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
214 default:
215 if (SyscallSets::IsEventFd(sysno))
216 return Allow();
217
218 // Default on the baseline policy.
219 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
220 }
221 }
222
223 bool GpuProcessPolicy::PreSandboxHook() {
224 // Warm up resources needed by the policy we're about to enable and
225 // eventually start a broker process.
226 const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm();
227 // This policy is for x86 or Desktop.
228 DCHECK(!chromeos_arm_gpu);
229
230 DCHECK(!broker_process());
231 // Create a new broker process.
232 InitGpuBrokerProcess(
233 GpuBrokerProcessPolicy::Create,
234 std::vector<std::string>(), // No extra files in whitelist.
235 std::vector<std::string>());
236
237 if (IsArchitectureX86_64() || IsArchitectureI386()) {
238 // Accelerated video dlopen()'s some shared objects
239 // inside the sandbox, so preload them now.
240 if (IsAcceleratedVideoEnabled()) {
241 const char* I965DrvVideoPath = NULL;
242
243 if (IsArchitectureX86_64()) {
244 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
245 } else if (IsArchitectureI386()) {
246 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
247 }
248
249 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
250 dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
251 dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
252 }
253 }
254
255 return true;
256 }
257
258 void GpuProcessPolicy::InitGpuBrokerProcess(
259 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
260 const std::vector<std::string>& read_whitelist_extra,
261 const std::vector<std::string>& write_whitelist_extra) {
262 static const char kDriRcPath[] = "/etc/drirc";
263 static const char kDriCard0Path[] = "/dev/dri/card0";
264
265 CHECK(broker_process_ == NULL);
266
267 // All GPU process policies need these files brokered out.
268 std::vector<std::string> read_whitelist;
269 read_whitelist.push_back(kDriCard0Path);
270 read_whitelist.push_back(kDriRcPath);
271 // Add eventual extra files from read_whitelist_extra.
272 read_whitelist.insert(read_whitelist.end(),
273 read_whitelist_extra.begin(),
274 read_whitelist_extra.end());
275
276 std::vector<std::string> write_whitelist;
277 write_whitelist.push_back(kDriCard0Path);
278 // Add eventual extra files from write_whitelist_extra.
279 write_whitelist.insert(write_whitelist.end(),
280 write_whitelist_extra.begin(),
281 write_whitelist_extra.end());
282
283 broker_process_ = new BrokerProcess(GetFSDeniedErrno(),
284 read_whitelist,
285 write_whitelist);
286 // The initialization callback will perform generic initialization and then
287 // call broker_sandboxer_callback.
288 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
289 broker_sandboxer_allocator)));
290 }
291
292 } // namespace content