Roll src/third_party/WebKit a452221:9ff6d11 (svn 202117:202119)
[chromium-blink-merge.git] / content / common / sandbox_linux / bpf_gpu_policy_linux.cc
blobe4984ba6cf0da795a9635e33272f3d4e803ca27f
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
7 #include <dlfcn.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sys/socket.h>
11 #include <sys/stat.h>
12 #include <sys/types.h>
13 #include <unistd.h>
15 #include <string>
16 #include <vector>
18 #include "base/bind.h"
19 #include "base/command_line.h"
20 #include "base/compiler_specific.h"
21 #include "base/logging.h"
22 #include "base/memory/scoped_ptr.h"
23 #include "build/build_config.h"
24 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
25 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
26 #include "content/common/set_process_title.h"
27 #include "content/public/common/content_switches.h"
28 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
29 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
30 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
31 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
32 #include "sandbox/linux/syscall_broker/broker_process.h"
33 #include "sandbox/linux/system_headers/linux_syscalls.h"
35 using sandbox::arch_seccomp_data;
36 using sandbox::bpf_dsl::Allow;
37 using sandbox::bpf_dsl::ResultExpr;
38 using sandbox::bpf_dsl::Trap;
39 using sandbox::syscall_broker::BrokerFilePermission;
40 using sandbox::syscall_broker::BrokerProcess;
41 using sandbox::SyscallSets;
43 namespace content {
45 namespace {
47 inline bool IsChromeOS() {
48 #if defined(OS_CHROMEOS)
49 return true;
50 #else
51 return false;
52 #endif
55 inline bool IsArchitectureX86_64() {
56 #if defined(__x86_64__)
57 return true;
58 #else
59 return false;
60 #endif
63 inline bool IsArchitectureI386() {
64 #if defined(__i386__)
65 return true;
66 #else
67 return false;
68 #endif
71 inline bool IsArchitectureArm() {
72 #if defined(__arm__) || defined(__aarch64__)
73 return true;
74 #else
75 return false;
76 #endif
79 inline bool IsOzone() {
80 #if defined(USE_OZONE)
81 return true;
82 #else
83 return false;
84 #endif
87 inline bool UseLibV4L2() {
88 #if defined(USE_LIBV4L2)
89 return true;
90 #else
91 return false;
92 #endif
95 bool IsAcceleratedVaapiVideoEncodeEnabled() {
96 bool accelerated_encode_enabled = false;
97 #if defined(OS_CHROMEOS)
98 const base::CommandLine& command_line =
99 *base::CommandLine::ForCurrentProcess();
100 accelerated_encode_enabled =
101 !command_line.HasSwitch(switches::kDisableVaapiAcceleratedVideoEncode);
102 #endif
103 return accelerated_encode_enabled;
106 bool IsAcceleratedVideoDecodeEnabled() {
107 const base::CommandLine& command_line =
108 *base::CommandLine::ForCurrentProcess();
109 return !command_line.HasSwitch(switches::kDisableAcceleratedVideoDecode);
112 intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args,
113 void* aux_broker_process) {
114 RAW_CHECK(aux_broker_process);
115 BrokerProcess* broker_process =
116 static_cast<BrokerProcess*>(aux_broker_process);
117 switch (args.nr) {
118 #if !defined(__aarch64__)
119 case __NR_access:
120 return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
121 static_cast<int>(args.args[1]));
122 case __NR_open:
123 #if defined(MEMORY_SANITIZER)
124 // http://crbug.com/372840
125 __msan_unpoison_string(reinterpret_cast<const char*>(args.args[0]));
126 #endif
127 return broker_process->Open(reinterpret_cast<const char*>(args.args[0]),
128 static_cast<int>(args.args[1]));
129 #endif // !defined(__aarch64__)
130 case __NR_faccessat:
131 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
132 return
133 broker_process->Access(reinterpret_cast<const char*>(args.args[1]),
134 static_cast<int>(args.args[2]));
135 } else {
136 return -EPERM;
138 case __NR_openat:
139 // Allow using openat() as open().
140 if (static_cast<int>(args.args[0]) == AT_FDCWD) {
141 return
142 broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
143 static_cast<int>(args.args[2]));
144 } else {
145 return -EPERM;
147 default:
148 RAW_CHECK(false);
149 return -ENOSYS;
153 void AddV4L2GpuWhitelist(std::vector<BrokerFilePermission>* permissions) {
154 if (IsAcceleratedVideoDecodeEnabled()) {
155 // Device node for V4L2 video decode accelerator drivers.
156 static const char kDevVideoDecPath[] = "/dev/video-dec";
157 permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoDecPath));
160 // Device node for V4L2 video encode accelerator drivers.
161 static const char kDevVideoEncPath[] = "/dev/video-enc";
162 permissions->push_back(BrokerFilePermission::ReadWrite(kDevVideoEncPath));
164 // Device node for V4L2 JPEG decode accelerator drivers.
165 static const char kDevJpegDecPath[] = "/dev/jpeg-dec";
166 permissions->push_back(BrokerFilePermission::ReadWrite(kDevJpegDecPath));
169 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
170 public:
171 static sandbox::bpf_dsl::Policy* Create() {
172 return new GpuBrokerProcessPolicy();
174 ~GpuBrokerProcessPolicy() override {}
176 ResultExpr EvaluateSyscall(int system_call_number) const override;
178 private:
179 GpuBrokerProcessPolicy() {}
180 DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
183 // x86_64/i386 or desktop ARM.
184 // A GPU broker policy is the same as a GPU policy with access, open,
185 // openat and in the non-Chrome OS case unlink allowed.
186 ResultExpr GpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const {
187 switch (sysno) {
188 #if !defined(__aarch64__)
189 case __NR_access:
190 case __NR_open:
191 #endif // !defined(__aarch64__)
192 case __NR_faccessat:
193 case __NR_openat:
194 #if !defined(OS_CHROMEOS)
195 // The broker process needs to able to unlink the temporary
196 // files that it may create. This is used by DRI3.
197 case __NR_unlink:
198 #endif
199 return Allow();
200 default:
201 return GpuProcessPolicy::EvaluateSyscall(sysno);
205 void UpdateProcessTypeToGpuBroker() {
206 base::CommandLine::StringVector exec =
207 base::CommandLine::ForCurrentProcess()->GetArgs();
208 base::CommandLine::Reset();
209 base::CommandLine::Init(0, NULL);
210 base::CommandLine::ForCurrentProcess()->InitFromArgv(exec);
211 base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
212 switches::kProcessType, "gpu-broker");
214 // Update the process title. The argv was already cached by the call to
215 // SetProcessTitleFromCommandLine in content_main_runner.cc, so we can pass
216 // NULL here (we don't have the original argv at this point).
217 SetProcessTitleFromCommandLine(NULL);
220 bool UpdateProcessTypeAndEnableSandbox(
221 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void)) {
222 DCHECK(broker_sandboxer_allocator);
223 UpdateProcessTypeToGpuBroker();
224 return SandboxSeccompBPF::StartSandboxWithExternalPolicy(
225 make_scoped_ptr(broker_sandboxer_allocator()), base::ScopedFD());
228 } // namespace
230 GpuProcessPolicy::GpuProcessPolicy() : GpuProcessPolicy(false) {
233 GpuProcessPolicy::GpuProcessPolicy(bool allow_mincore)
234 : broker_process_(NULL), allow_mincore_(allow_mincore) {
237 GpuProcessPolicy::~GpuProcessPolicy() {}
239 // Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy.
240 ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
241 switch (sysno) {
242 #if !defined(OS_CHROMEOS)
243 case __NR_ftruncate:
244 #endif
245 case __NR_ioctl:
246 return Allow();
247 case __NR_mincore:
248 if (allow_mincore_) {
249 return Allow();
250 } else {
251 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
253 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
254 // The Nvidia driver uses flags not in the baseline policy
255 // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
256 case __NR_mmap:
257 #endif
258 // We also hit this on the linux_chromeos bot but don't yet know what
259 // weird flags were involved.
260 case __NR_mprotect:
261 // TODO(jln): restrict prctl.
262 case __NR_prctl:
263 return Allow();
264 #if !defined(__aarch64__)
265 case __NR_access:
266 case __NR_open:
267 #endif // !defined(__aarch64__)
268 case __NR_faccessat:
269 case __NR_openat:
270 DCHECK(broker_process_);
271 return Trap(GpuSIGSYS_Handler, broker_process_);
272 case __NR_sched_getaffinity:
273 case __NR_sched_setaffinity:
274 return sandbox::RestrictSchedTarget(GetPolicyPid(), sysno);
275 default:
276 if (SyscallSets::IsEventFd(sysno))
277 return Allow();
279 // Default on the baseline policy.
280 return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
284 bool GpuProcessPolicy::PreSandboxHook() {
285 // Warm up resources needed by the policy we're about to enable and
286 // eventually start a broker process.
287 const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm();
288 // This policy is for x86 or Desktop.
289 DCHECK(!chromeos_arm_gpu);
291 DCHECK(!broker_process());
292 // Create a new broker process.
293 InitGpuBrokerProcess(
294 GpuBrokerProcessPolicy::Create,
295 std::vector<BrokerFilePermission>()); // No extra files in whitelist.
297 if (IsArchitectureX86_64() || IsArchitectureI386()) {
298 // Accelerated video dlopen()'s some shared objects
299 // inside the sandbox, so preload them now.
300 if (IsAcceleratedVaapiVideoEncodeEnabled() ||
301 IsAcceleratedVideoDecodeEnabled()) {
302 const char* I965DrvVideoPath = NULL;
304 if (IsArchitectureX86_64()) {
305 I965DrvVideoPath = "/usr/lib64/va/drivers/i965_drv_video.so";
306 } else if (IsArchitectureI386()) {
307 I965DrvVideoPath = "/usr/lib/va/drivers/i965_drv_video.so";
310 dlopen(I965DrvVideoPath, RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
311 dlopen("libva.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
312 #if defined(USE_OZONE)
313 dlopen("libva-drm.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
314 #elif defined(USE_X11)
315 dlopen("libva-x11.so.1", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
316 #endif
320 return true;
323 void GpuProcessPolicy::InitGpuBrokerProcess(
324 sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
325 const std::vector<BrokerFilePermission>& permissions_extra) {
326 static const char kDriRcPath[] = "/etc/drirc";
327 static const char kDriCard0Path[] = "/dev/dri/card0";
328 static const char kDevShm[] = "/dev/shm/";
330 CHECK(broker_process_ == NULL);
332 // All GPU process policies need these files brokered out.
333 std::vector<BrokerFilePermission> permissions;
334 permissions.push_back(BrokerFilePermission::ReadWrite(kDriCard0Path));
335 permissions.push_back(BrokerFilePermission::ReadOnly(kDriRcPath));
336 if (!IsChromeOS()) {
337 permissions.push_back(
338 BrokerFilePermission::ReadWriteCreateUnlinkRecursive(kDevShm));
339 } else if (IsArchitectureArm() || IsOzone()){
340 AddV4L2GpuWhitelist(&permissions);
341 if (UseLibV4L2()) {
342 dlopen("/usr/lib/libv4l2.so", RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
343 // This is a device-specific encoder plugin.
344 dlopen("/usr/lib/libv4l/plugins/libv4l-encplugin.so",
345 RTLD_NOW|RTLD_GLOBAL|RTLD_NODELETE);
349 // Add eventual extra files from permissions_extra.
350 for (const auto& perm : permissions_extra) {
351 permissions.push_back(perm);
354 broker_process_ = new BrokerProcess(GetFSDeniedErrno(), permissions);
355 // The initialization callback will perform generic initialization and then
356 // call broker_sandboxer_callback.
357 CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
358 broker_sandboxer_allocator)));
361 } // namespace content