search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Change Auto Lo-Fi field trial name.
[chromium-blink-merge.git] / content / common / sandbox_linux / bpf_gpu_policy_linux.cc
blobf47e703dd400a2767fc2fe96279d6c9b7a8d519c
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
6
7 #include <dlfcn.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sys/socket.h>
11 #include <sys/stat.h>
12 #include <sys/types.h>
13 #include <unistd.h>
14
15 #include <string>
16 #include <vector>
17
18 #include "base/bind.h"
19 #include "base/command_line.h"
20 #include "base/compiler_specific.h"
21 #include "base/logging.h"
22 #include "base/memory/scoped_ptr.h"
23 #include "build/build_config.h"
24 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
25 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
26 #include "content/common/set_process_title.h"
27 #include "content/public/common/content_switches.h"
28 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
29 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
30 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
31 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
32 #include "sandbox/linux/syscall_broker/broker_process.h"
33 #include "sandbox/linux/system_headers/linux_syscalls.h"
34
35 using sandbox::arch_seccomp_data;
36 using sandbox::bpf_dsl::Allow;
37 using sandbox::bpf_dsl::ResultExpr;
38 using sandbox::bpf_dsl::Trap;
39 using sandbox::syscall_broker::BrokerFilePermission;
40 using sandbox::syscall_broker::BrokerProcess;
41 using sandbox::SyscallSets;
42
43 namespace content {
44
45 namespace {
46
47 inline bool IsChromeOS() {
48 #if defined(OS_CHROMEOS)
49 return true;
50 #else
51 return false;
52 #endif
53 }
54
55 inline bool IsArchitectureX86_64() {
56 #if defined(__x86_64__)
57 return true;
58 #else
59 return false;
60 #endif
61 }
62
63 inline bool IsArchitectureI386() {
64 #if defined(__i386__)
65 return true;
66 #else
67 return false;
68 #endif
69 }
70
71 inline bool IsArchitectureArm() {
72 #if defined(__arm__) || defined(__aarch64__)
73 return true;
74 #else
75 return false;
76 #endif
77 }
78
79 inline bool IsOzone() {
80 #if defined(USE_OZONE)
81 return true;
82 #else
83 return false;
84 #endif
85 }
86
87 inline bool UseLibV4L2() {
88 #if defined(USE_LIBV4L2)
89 return true;
90 #else
91 return false;
92 #endif
93 }
94
95 bool IsAcceleratedVaapiVideoEncodeEnabled() {
96 bool accelerated_encode_enabled = false;
97 #if defined(OS_CHROMEOS)
98 const base::CommandLine& command_line =
99 *base::CommandLine::ForCurrentProcess();
100 accelerated_encode_enabled =
101 !command_line.HasSwitch(switches::kDisableVaapiAcceleratedVideoEncode);
102 #endif
103 return accelerated_encode_enabled;
104 }
105
106 bool IsAcceleratedVideoDecodeEnabled() {
107 const base::CommandLine& command_line =
108 *base::CommandLine::ForCurrentProcess();
109 return !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);
110 }
111
112 intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args,
113 void* aux_broker_process) {
114 RAW_CHECK(aux_broker_process);
115 BrokerProcess* broker_process =
116 static_cast<BrokerProcess*>(aux_broker_process);
117 switch (args.nr) {
118 #if !defined(__aarch64__)
119 case __NR_access:
120 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
121 static_cast<int>(args.args[1]));
122 case __NR_open:
123 #if defined(MEMORY_SANITIZER)
124 // http://crbug.com/372840
125 __msan_unpoison_string(reinterpret_cast<const char*>(args.args[0]));
126 #endif
127 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
128 static_cast<int>(args.args[1]));
129 #endif // !defined(__aarch64__)
130 case __NR_faccessat:
131 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
132 return
133 broker_process->Access(reinterpret_cast<const char*>(args.args[1]),
134 static_cast<int>(args.args[2]));
135 } else {
136 return -EPERM;
137 }
138 case __NR_openat:
139 // Allow using openat() as open().
140 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
141 return
142 broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
143 static_cast<int>(args.args[2]));
144 } else {
145 return -EPERM;
146 }
147 default:
148 RAW_CHECK(false);
149 return -ENOSYS;
150 }
151 }
152
153 void AddV4L2GpuWhitelist(std::vector<BrokerFilePermission>* permissions) {
154 if (IsAcceleratedVideoDecodeEnabled()) {
155 // Device node for V4L2 video decode accelerator drivers.
156 static const char kDevVideoDecPath[] = "/dev/video-dec";
157 permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoDecPath));
158 }
159
160 // Device node for V4L2 video encode accelerator drivers.
161 static const char kDevVideoEncPath[] = "/dev/video-enc";
162 permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoEncPath));
163 }
164
165 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
166 public:
167 static sandbox::bpf_dsl::Policy* Create() {
168 return new GpuBrokerProcessPolicy();
169 }
170 ~GpuBrokerProcessPolicy() override {}
171
172 ResultExpr EvaluateSyscall(int system_call_number) const override;
173
174 private:
175 GpuBrokerProcessPolicy() {}
176 DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
177 };
178
179 // x86_64/i386 or desktop ARM.
180 // A GPU broker policy is the same as a GPU policy with access, open,
181 // openat and in the non-Chrome OS case unlink allowed.
182 ResultExpr GpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const {
183 switch (sysno) {
184 #if !defined(__aarch64__)
185 case __NR_access:
186 case __NR_open:
187 #endif // !defined(__aarch64__)
188 case __NR_faccessat:
189 case __NR_openat:
190 #if !defined(OS_CHROMEOS)
191 // The broker process needs to able to unlink the temporary
192 // files that it may create. This is used by DRI3.
193 case __NR_unlink:
194 #endif
195 return Allow();
196 default:
197 return GpuProcessPolicy::EvaluateSyscall(sysno);
198 }
199 }
200
201 void UpdateProcessTypeToGpuBroker() {
202 base::CommandLine::StringVector exec =
203 base::CommandLine::ForCurrentProcess()->GetArgs();
204 base::CommandLine::Reset();
205 base::CommandLine::Init(0, NULL);
206 base::CommandLine::ForCurrentProcess()->InitFromArgv(exec);
207 base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
208 switches::kProcessType, "gpu-broker");
209
210 // Update the process title. The argv was already cached by the call to
211 // SetProcessTitleFromCommandLine in content_main_runner.cc, so we can pass
212 // NULL here (we don't have the original argv at this point).
213 SetProcessTitleFromCommandLine(NULL);
214 }
215
216 bool UpdateProcessTypeAndEnableSandbox(
217 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void)) {
218 DCHECK(broker_sandboxer_allocator);
219 UpdateProcessTypeToGpuBroker();
220 return SandboxSeccompBPF::StartSandboxWithExternalPolicy(
221 make_scoped_ptr(broker_sandboxer_allocator()), base::ScopedFD());
222 }
223
224 } // namespace
225
226 GpuProcessPolicy::GpuProcessPolicy() : GpuProcessPolicy(false) {
227 }
228
229 GpuProcessPolicy::GpuProcessPolicy(bool allow_mincore)
230 : broker_process_(NULL), allow_mincore_(allow_mincore) {
231 }
232
233 GpuProcessPolicy::~GpuProcessPolicy() {}
234
235 // Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy.
236 ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
237 switch (sysno) {
238 #if !defined(OS_CHROMEOS)
239 case __NR_ftruncate:
240 #endif
241 case __NR_ioctl:
242 return Allow();
243 case __NR_mincore:
244 if (allow_mincore_) {
245 return Allow();
246 } else {
247 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
248 }
249 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
250 // The Nvidia driver uses flags not in the baseline policy
251 // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
252 case __NR_mmap:
253 #endif
254 // We also hit this on the linux_chromeos bot but don't yet know what
255 // weird flags were involved.
256 case __NR_mprotect:
257 // TODO(jln): restrict prctl.
258 case __NR_prctl:
259 return Allow();
260 #if !defined(__aarch64__)
261 case __NR_access:
262 case __NR_open:
263 #endif // !defined(__aarch64__)
264 case __NR_faccessat:
265 case __NR_openat:
266 DCHECK(broker_process_);
267 return Trap(GpuSIGSYS_Handler, broker_process_);
268 case __NR_sched_getaffinity:
269 case __NR_sched_setaffinity:
270 return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
271 default:
272 if (SyscallSets::IsEventFd(sysno))
273 return Allow();
274
275 // Default on the baseline policy.
276 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
277 }
278 }
279
280 bool GpuProcessPolicy::PreSandboxHook() {
281 // Warm up resources needed by the policy we're about to enable and
282 // eventually start a broker process.
283 const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm();
284 // This policy is for x86 or Desktop.
285 DCHECK(!chromeos_arm_gpu);
286
287 DCHECK(!broker_process());
288 // Create a new broker process.
289 InitGpuBrokerProcess(
290 GpuBrokerProcessPolicy::Create,
291 std::vector<BrokerFilePermission>()); // No extra files in whitelist.
292
293 if (IsArchitectureX86_64() || IsArchitectureI386()) {
294 // Accelerated video dlopen()'s some shared objects
295 // inside the sandbox, so preload them now.
296 if (IsAcceleratedVaapiVideoEncodeEnabled() ||
297 IsAcceleratedVideoDecodeEnabled()) {
298 const char* I965DrvVideoPath = NULL;
299
300 if (IsArchitectureX86_64()) {
301 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
302 } else if (IsArchitectureI386()) {
303 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
304 }
305
306 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
307 dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
308 #if defined(USE_OZONE)
309 dlopen("libva-drm.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
310 #elif defined(USE_X11)
311 dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
312 #endif
313 }
314 }
315
316 return true;
317 }
318
319 void GpuProcessPolicy::InitGpuBrokerProcess(
320 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
321 const std::vector<BrokerFilePermission>& permissions_extra) {
322 static const char kDriRcPath[] = "/etc/drirc";
323 static const char kDriCard0Path[] = "/dev/dri/card0";
324 static const char kDevShm[] = "/dev/shm/";
325
326 CHECK(broker_process_ == NULL);
327
328 // All GPU process policies need these files brokered out.
329 std::vector<BrokerFilePermission> permissions;
330 permissions.push_back(BrokerFilePermission::ReadWrite(kDriCard0Path));
331 permissions.push_back(BrokerFilePermission::ReadOnly(kDriRcPath));
332 if (!IsChromeOS()) {
333 permissions.push_back(
334 BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm));
335 } else if (IsArchitectureArm() || IsOzone()){
336 AddV4L2GpuWhitelist(&permissions);
337 if (UseLibV4L2()) {
338 dlopen("/usr/lib/libv4l2.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
339 // This is a device-specific encoder plugin.
340 dlopen("/usr/lib/libv4l/plugins/libv4l-encplugin.so",
341 RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
342 }
343 }
344
345 // Add eventual extra files from permissions_extra.
346 for (const auto& perm : permissions_extra) {
347 permissions.push_back(perm);
348 }
349
350 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions);
351 // The initialization callback will perform generic initialization and then
352 // call broker_sandboxer_callback.
353 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
354 broker_sandboxer_allocator)));
355 }
356
357 } // namespace content