Replace uses of 'whitelist' and 'blacklist' in sandbox.

BUG=842296 Change-Id: Ia27b79b64f1e9ad6c3d63409a5b3bbe921649f5d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2292792Reviewed-by: Zhenyao Mo <zmo@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Auto-Submit: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#788868}

Replace uses of 'whitelist' and 'blacklist' in sandbox.
BUG=842296 Change-Id: Ia27b79b64f1e9ad6c3d63409a5b3bbe921649f5d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2292792Reviewed-by: Zhenyao Mo <zmo@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Auto-Submit: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#788868}
0310c119 · Will Harris · Commit Bot · 930e44d2 · 0310c119 · 0310c119
Commit 0310c119 authored Jul 16, 2020 by Will Harris Committed by Commit Bot Jul 16, 2020
11 changed files
--- a/content/gpu/BUILD.gn
+++ b/content/gpu/BUILD.gn
@@ -73,7 +73,7 @@ target(link_target_type, "gpu_sources") {
    "//components/viz/service/main",
    "//media/gpu/ipc/service",
    "//media/mojo/clients:clients",
-    "//sandbox/policy:chromecast_sandbox_whitelist_buildflags",
+    "//sandbox/policy:chromecast_sandbox_allowlist_buildflags",
    "//services/service_manager/embedder",
    "//services/service_manager/public/cpp",
    "//services/service_manager/public/mojom",

--- a/content/gpu/gpu_sandbox_hook_linux.cc
+++ b/content/gpu/gpu_sandbox_hook_linux.cc
@@ -26,7 +26,7 @@
 #include "sandbox/linux/syscall_broker/broker_command.h"
 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
 #include "sandbox/linux/syscall_broker/broker_process.h"
-#include "sandbox/policy/chromecast_sandbox_whitelist_buildflags.h"
+#include "sandbox/policy/chromecast_sandbox_allowlist_buildflags.h"
 #include "sandbox/policy/linux/bpf_cros_amd_gpu_policy_linux.h"
 #include "sandbox/policy/linux/bpf_cros_arm_gpu_policy_linux.h"
 #include "sandbox/policy/linux/bpf_gpu_policy_linux.h"
@@ -48,8 +48,8 @@ inline bool IsChromeOS() {
 #endif
 }

-inline bool UseChromecastSandboxWhitelist() {
-#if BUILDFLAG(ENABLE_CHROMECAST_GPU_SANDBOX_WHITELIST)
+inline bool UseChromecastSandboxAllowlist() {
+#if BUILDFLAG(ENABLE_CHROMECAST_GPU_SANDBOX_ALLOWLIST)
  return true;
 #else
  return false;
@@ -153,7 +153,7 @@ void AddV4L2GpuWhitelist(
  static const char kDevJpegEncPath[] = "/dev/jpeg-enc";
  permissions->push_back(BrokerFilePermission::ReadWrite(kDevJpegEncPath));

-  if (UseChromecastSandboxWhitelist()) {
+  if (UseChromecastSandboxAllowlist()) {
    static const char kAmlogicAvcEncoderPath[] = "/dev/amvenc_avc";
    permissions->push_back(
        BrokerFilePermission::ReadWrite(kAmlogicAvcEncoderPath));
@@ -346,7 +346,7 @@ std::vector<BrokerFilePermission> FilePermissionsForGpu(
    }
  }

-  if (UseChromecastSandboxWhitelist()) {
+  if (UseChromecastSandboxAllowlist()) {
    if (UseV4L2Codec())
      AddV4L2GpuWhitelist(&permissions, options);

@@ -362,7 +362,7 @@ std::vector<BrokerFilePermission> FilePermissionsForGpu(

 void LoadArmGpuLibraries() {
  // Preload the Mali library.
-  if (UseChromecastSandboxWhitelist()) {
+  if (UseChromecastSandboxAllowlist()) {
    for (const char* path : kWhitelistedChromecastPaths) {
      const std::string library_path(std::string(path) +
                                     std::string("libMali.so"));
@@ -433,7 +433,7 @@ bool LoadLibrariesForGpu(
    }
    if (options.use_amd_specific_policies)
      return LoadAmdGpuLibraries();
-  } else if (UseChromecastSandboxWhitelist() && IsArchitectureArm()) {
+  } else if (UseChromecastSandboxAllowlist() && IsArchitectureArm()) {
    LoadArmGpuLibraries();
    if (UseV4L2Codec())
      LoadChromecastV4L2Libraries();

--- a/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc
+++ b/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc
@@ -126,12 +126,12 @@ SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
  }
 }

-// A simple blacklist test
+// A simple denylist test

-class BlacklistNanosleepPolicy : public Policy {
+class DenylistNanosleepPolicy : public Policy {
 public:
-  BlacklistNanosleepPolicy() {}
-  ~BlacklistNanosleepPolicy() override {}
+  DenylistNanosleepPolicy() {}
+  ~DenylistNanosleepPolicy() override {}

  ResultExpr EvaluateSyscall(int sysno) const override {
    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
@@ -151,14 +151,14 @@ class BlacklistNanosleepPolicy : public Policy {
  }

 private:
-  DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy);
+  DISALLOW_COPY_AND_ASSIGN(DenylistNanosleepPolicy);
 };

-BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
-  BlacklistNanosleepPolicy::AssertNanosleepFails();
+BPF_TEST_C(SandboxBPF, ApplyBasicDenylistPolicy, DenylistNanosleepPolicy) {
+  DenylistNanosleepPolicy::AssertNanosleepFails();
 }

-BPF_TEST_C(SandboxBPF, UseVsyscall, BlacklistNanosleepPolicy) {
+BPF_TEST_C(SandboxBPF, UseVsyscall, DenylistNanosleepPolicy) {
  time_t current_time;
  // time() is implemented as a vsyscall. With an older glibc, with
  // vsyscall=emulate and some versions of the seccomp BPF patch
@@ -186,12 +186,12 @@ bool IsSyscallForTestHarness(int sysno) {
  return false;
 }

-// Now do a simple whitelist test
+// Now do a simple allowlist test

-class WhitelistGetpidPolicy : public Policy {
+class AllowlistGetpidPolicy : public Policy {
 public:
-  WhitelistGetpidPolicy() {}
-  ~WhitelistGetpidPolicy() override {}
+  AllowlistGetpidPolicy() {}
+  ~AllowlistGetpidPolicy() override {}

  ResultExpr EvaluateSyscall(int sysno) const override {
    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
@@ -202,10 +202,10 @@ class WhitelistGetpidPolicy : public Policy {
  }

 private:
-  DISALLOW_COPY_AND_ASSIGN(WhitelistGetpidPolicy);
+  DISALLOW_COPY_AND_ASSIGN(AllowlistGetpidPolicy);
 };

-BPF_TEST_C(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
+BPF_TEST_C(SandboxBPF, ApplyBasicAllowlistPolicy, AllowlistGetpidPolicy) {
  // getpid() should be allowed
  errno = 0;
  BPF_ASSERT(sys_getpid() > 0);
@@ -216,7 +216,7 @@ BPF_TEST_C(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
  BPF_ASSERT(errno == ENOMEM);
 }

-// A simple blacklist policy, with a SIGSYS handler
+// A simple denylist policy, with a SIGSYS handler
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
  // We also check that the auxiliary data is correct
  SANDBOX_ASSERT(aux);
@@ -224,10 +224,10 @@ intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
  return -ENOMEM;
 }

-class BlacklistNanosleepTrapPolicy : public Policy {
+class DenylistNanosleepTrapPolicy : public Policy {
 public:
-  explicit BlacklistNanosleepTrapPolicy(int* aux) : aux_(aux) {}
-  ~BlacklistNanosleepTrapPolicy() override {}
+  explicit DenylistNanosleepTrapPolicy(int* aux) : aux_(aux) {}
+  ~DenylistNanosleepTrapPolicy() override {}

  ResultExpr EvaluateSyscall(int sysno) const override {
    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
@@ -242,12 +242,12 @@ class BlacklistNanosleepTrapPolicy : public Policy {
 private:
  int* aux_;

-  DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepTrapPolicy);
+  DISALLOW_COPY_AND_ASSIGN(DenylistNanosleepTrapPolicy);
 };

 BPF_TEST(SandboxBPF,
-         BasicBlacklistWithSigsys,
-         BlacklistNanosleepTrapPolicy,
+         BasicDenylistWithSigsys,
+         DenylistNanosleepTrapPolicy,
         int /* (*BPF_AUX) */) {
  // getpid() should work properly
  errno = 0;
@@ -2134,7 +2134,7 @@ void* TsyncApplyToTwoThreadsFunc(void* cond_ptr) {

  BPF_ASSERT(event->IsSignaled());

-  BlacklistNanosleepPolicy::AssertNanosleepFails();
+  DenylistNanosleepPolicy::AssertNanosleepFails();

  return nullptr;
 }
@@ -2167,11 +2167,11 @@ SANDBOX_TEST(SandboxBPF, Tsync) {
  BPF_ASSERT_EQ(0, HANDLE_EINTR(syscall(__NR_nanosleep, &ts, NULL)));

  // Engage the sandbox.
-  SandboxBPF sandbox(std::make_unique<BlacklistNanosleepPolicy>());
+  SandboxBPF sandbox(std::make_unique<DenylistNanosleepPolicy>());
  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::SeccompLevel::MULTI_THREADED));

  // This thread should have the filter applied as well.
-  BlacklistNanosleepPolicy::AssertNanosleepFails();
+  DenylistNanosleepPolicy::AssertNanosleepFails();

  // Signal the condition to invoke the system call.
  event.Signal();

--- a/sandbox/linux/syscall_broker/broker_file_permission.cc
+++ b/sandbox/linux/syscall_broker/broker_file_permission.cc
@@ -53,15 +53,15 @@ bool BrokerFilePermission::ValidatePath(const char* path) {
 // methods are async signal safe in common standard libs.
 // TODO(leecam): remove dependency on std::string
 bool BrokerFilePermission::MatchPath(const char* requested_filename) const {
-  // Note: This recursive match will allow any path under the whitelisted
-  // path, for any number of directory levels. E.g. if the whitelisted
+  // Note: This recursive match will allow any path under the allowlisted
+  // path, for any number of directory levels. E.g. if the allowlisted
  // path is /good/ then the following will be permitted by the policy.
  //   /good/file1
  //   /good/folder/file2
  //   /good/folder/folder2/file3
  // If an attacker could make 'folder' a symlink to ../../ they would have
  // access to the entire filesystem.
-  // Whitelisting with multiple depths is useful, e.g /proc/ but
+  // Allowlisting with multiple depths is useful, e.g /proc/ but
  // the system needs to ensure symlinks can not be created!
  // That said if an attacker can convert any of the absolute paths
  // to a symlink they can control any file on the system also.
@@ -255,7 +255,7 @@ BrokerFilePermission::BrokerFilePermission(
  // Must have enough length for a '/'
  CHECK(path_.length() > 0) << GetErrorMessageForTests();

-  // Whitelisted paths must be absolute.
+  // Allowlisted paths must be absolute.
  CHECK(path_[0] == '/') << GetErrorMessageForTests();

  // Don't allow temporary creation without create permission

--- a/sandbox/linux/syscall_broker/broker_file_permission.h
+++ b/sandbox/linux/syscall_broker/broker_file_permission.h
@@ -23,11 +23,11 @@ enum class StatWithIntermediatesPermission {
  kAllowStatWithIntermediates
 };

-// BrokerFilePermission defines a path for whitelisting.
+// BrokerFilePermission defines a path for allowlisting.
 // Pick the correct static factory method to create a permission.
 // CheckOpen and CheckAccess are async signal safe.
-// Constuction and Destruction are not async signal safe.
-// |path| is the path to be whitelisted.
+// Construction and Destruction are not async signal safe.
+// |path| is the path to be allowlisted.
 class SANDBOX_EXPORT BrokerFilePermission {
 public:
  ~BrokerFilePermission() {}
@@ -116,7 +116,7 @@ class SANDBOX_EXPORT BrokerFilePermission {
  // by this permission as per access(2).
  // If |file_to_access| is not NULL, it is set to point to either
  // the |requested_filename| in the case of a recursive match,
-  // or a pointer to the matched path in the whitelist if an absolute
+  // or a pointer to the matched path in the allowlist if an absolute
  // match.
  // |mode| is per mode argument of access(2).
  // Async signal safe if |file_to_access| is NULL
@@ -128,7 +128,7 @@ class SANDBOX_EXPORT BrokerFilePermission {
  // by this permission.
  // If |file_to_open| is not NULL it is set to point to either
  // the |requested_filename| in the case of a recursive match,
-  // or a pointer the matched path in the whitelist if an absolute
+  // or a pointer the matched path in the allowlist if an absolute
  // match.
  // If not NULL, |unlink_after_open| is set to point to true if the
  // caller is required to unlink the path after opening.
@@ -144,7 +144,7 @@ class SANDBOX_EXPORT BrokerFilePermission {
  // stat() on all of its leading components.
  // If |file_to_open| is not NULL, it is set to point to either
  // the |requested_filename| in the case of a recursive match,
-  // or a pointer to the matched path in the whitelist if an absolute
+  // or a pointer to the matched path in the allowlist if an absolute
  // match.
  // Async signal safe if |file_to_access| is NULL
  bool CheckStat(const char* requested_filename,

--- a/sandbox/linux/syscall_broker/broker_permission_list.cc
+++ b/sandbox/linux/syscall_broker/broker_permission_list.cc
@@ -57,7 +57,7 @@ BrokerPermissionList::~BrokerPermissionList() {}
 // confusing. We're checking if calling access() should even be allowed with
 // the same policy we would use for open().
 // If |file_to_access| is not nullptr, we will return the matching pointer from
-// the whitelist. For paranoia a caller should then use |file_to_access|. See
+// the allowlist. For paranoia a caller should then use |file_to_access|. See
 // GetFileNameIfAllowedToOpen() for more explanation.
 // return true if calling access() on this file should be allowed, false
 // otherwise.
@@ -80,7 +80,7 @@ bool BrokerPermissionList::GetFileNameIfAllowedToAccess(

 // Check if |requested_filename| can be opened with flags |requested_flags|.
 // If |file_to_open| is not nullptr, we will return the matching pointer from
-// the whitelist. For paranoia, a caller should then use |file_to_open| rather
+// the allowlist. For paranoia, a caller should then use |file_to_open| rather
 // than |requested_filename|, so that it never attempts to open an
 // attacker-controlled file name, even if an attacker managed to fool the
 // string comparison mechanism.

--- a/sandbox/linux/syscall_broker/broker_permission_list.h
+++ b/sandbox/linux/syscall_broker/broker_permission_list.h
@@ -25,7 +25,7 @@ class BrokerPermissionList {
 public:
  // |denied_errno| is the error code returned when IPC requests for system
  // calls such as open() or access() are denied because a file is not in the
-  // whitelist. EACCESS would be a typical value.
+  // allowlist. EACCESS would be a typical value.
  // |permissions| is a list of BrokerPermission objects that define
  // what the broker will allow.
  BrokerPermissionList(int denied_errno,
@@ -40,7 +40,7 @@ class BrokerPermissionList {
  // If |file_to_open| is not NULL, a pointer to the path will be returned.
  // In the case of a recursive match, this will be the requested_filename,
  // otherwise it will return the matching pointer from the
-  // whitelist. For paranoia a caller should then use |file_to_access|. See
+  // allowlist. For paranoia a caller should then use |file_to_access|. See
  // GetFileNameIfAllowedToOpen() for more explanation.
  // return true if calling access() on this file should be allowed, false
  // otherwise.
@@ -53,7 +53,7 @@ class BrokerPermissionList {
  // If |file_to_open| is not NULL, a pointer to the path will be returned.
  // In the case of a recursive match, this will be the requested_filename,
  // otherwise it will return the matching pointer from the
-  // whitelist. For paranoia, a caller should then use |file_to_open| rather
+  // allowlist. For paranoia, a caller should then use |file_to_open| rather
  // than |requested_filename|, so that it never attempts to open an
  // attacker-controlled file name, even if an attacker managed to fool the
  // string comparison mechanism.

--- a/sandbox/linux/syscall_broker/broker_process.h
+++ b/sandbox/linux/syscall_broker/broker_process.h
@@ -33,7 +33,7 @@ class BrokerFilePermission;
 // signal handler.
 // A process would typically create a broker process before entering
 // sandboxing.
-// 1. BrokerProcess open_broker(read_whitelist, write_whitelist);
+// 1. BrokerProcess open_broker(read_allowlist, write_allowlist);
 // 2. CHECK(open_broker.Init(NULL));
 // 3. Enable sandbox.
 // 4. Use open_broker.Open() to open files.
@@ -45,10 +45,10 @@ class SANDBOX_EXPORT BrokerProcess {
                                 void* aux_broker_process);

  // |denied_errno| is the error code returned when methods such as Open()
-  // or Access() are invoked on a file which is not in the whitelist (EACCESS
+  // or Access() are invoked on a file which is not in the allowlist (EACCESS
  // would be a typical value).  |allowed_command_mask| is a bitwise-or of
  // kBrokerCommand*Mask constants from broker_command.h that further restrict
-  // the syscalls to execute. |permissions| describes the whitelisted set
+  // the syscalls to execute. |permissions| describes the allowlisted set
  // of files the broker is is allowed to access. |fast_check_in_client|
  // controls whether doomed requests are first filtered on the client side
  // before being proxied. Apart from tests, this should always be true since
@@ -131,7 +131,7 @@ class SANDBOX_EXPORT BrokerProcess {
  const bool quiet_failures_for_tests_;
  syscall_broker::BrokerCommandSet allowed_command_set_;
  syscall_broker::BrokerPermissionList
-      broker_permission_list_;  // File access whitelist.
+      broker_permission_list_;  // File access allowlist.
  std::unique_ptr<syscall_broker::BrokerClient> broker_client_;

  DISALLOW_COPY_AND_ASSIGN(BrokerProcess);

--- a/sandbox/linux/syscall_broker/broker_process_unittest.cc
+++ b/sandbox/linux/syscall_broker/broker_process_unittest.cc
@@ -87,138 +87,138 @@ TEST(BrokerProcess, TestOpenAccessNull) {
 }

 void TestOpenFilePerms(bool fast_check_in_client, int denied_errno) {
-  const char kR_WhiteListed[] = "/proc/DOESNOTEXIST1";
+  const char kR_AllowListed[] = "/proc/DOESNOTEXIST1";
  // We can't debug the init process, and shouldn't be able to access
  // its auxv file.
-  const char kR_WhiteListedButDenied[] = "/proc/1/auxv";
-  const char kW_WhiteListed[] = "/proc/DOESNOTEXIST2";
-  const char kRW_WhiteListed[] = "/proc/DOESNOTEXIST3";
-  const char k_NotWhitelisted[] = "/proc/DOESNOTEXIST4";
+  const char kR_AllowListedButDenied[] = "/proc/1/auxv";
+  const char kW_AllowListed[] = "/proc/DOESNOTEXIST2";
+  const char kRW_AllowListed[] = "/proc/DOESNOTEXIST3";
+  const char k_NotAllowlisted[] = "/proc/DOESNOTEXIST4";

  BrokerCommandSet command_set =
      MakeBrokerCommandSet({COMMAND_ACCESS, COMMAND_OPEN});

  std::vector<BrokerFilePermission> permissions = {
-      BrokerFilePermission::ReadOnly(kR_WhiteListed),
-      BrokerFilePermission::ReadOnly(kR_WhiteListedButDenied),
-      BrokerFilePermission::WriteOnly(kW_WhiteListed),
-      BrokerFilePermission::ReadWrite(kRW_WhiteListed)};
+      BrokerFilePermission::ReadOnly(kR_AllowListed),
+      BrokerFilePermission::ReadOnly(kR_AllowListedButDenied),
+      BrokerFilePermission::WriteOnly(kW_AllowListed),
+      BrokerFilePermission::ReadWrite(kRW_AllowListed)};
  BrokerProcess open_broker(denied_errno, command_set, permissions,
                            fast_check_in_client);
  ASSERT_TRUE(open_broker.Init(base::BindOnce(&NoOpCallback)));

  int fd = -1;
-  fd = open_broker.Open(kR_WhiteListed, O_RDONLY);
+  fd = open_broker.Open(kR_AllowListed, O_RDONLY);
  ASSERT_EQ(fd, -ENOENT);
-  fd = open_broker.Open(kR_WhiteListed, O_WRONLY);
+  fd = open_broker.Open(kR_AllowListed, O_WRONLY);
  ASSERT_EQ(fd, -denied_errno);
-  fd = open_broker.Open(kR_WhiteListed, O_RDWR);
+  fd = open_broker.Open(kR_AllowListed, O_RDWR);
  ASSERT_EQ(fd, -denied_errno);
  int ret = -1;
-  ret = open_broker.Access(kR_WhiteListed, F_OK);
+  ret = open_broker.Access(kR_AllowListed, F_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kR_WhiteListed, R_OK);
+  ret = open_broker.Access(kR_AllowListed, R_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kR_WhiteListed, W_OK);
+  ret = open_broker.Access(kR_AllowListed, W_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kR_WhiteListed, R_OK | W_OK);
+  ret = open_broker.Access(kR_AllowListed, R_OK | W_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kR_WhiteListed, X_OK);
+  ret = open_broker.Access(kR_AllowListed, X_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kR_WhiteListed, R_OK | X_OK);
+  ret = open_broker.Access(kR_AllowListed, R_OK | X_OK);
  ASSERT_EQ(ret, -denied_errno);

  // Android sometimes runs tests as root.
  // This part of the test requires a process that doesn't have
  // CAP_DAC_OVERRIDE. We check against a root euid as a proxy for that.
  if (geteuid()) {
-    fd = open_broker.Open(kR_WhiteListedButDenied, O_RDONLY);
+    fd = open_broker.Open(kR_AllowListedButDenied, O_RDONLY);
    // The broker process will allow this, but the normal permission system
    // won't.
    ASSERT_EQ(fd, -EACCES);
-    fd = open_broker.Open(kR_WhiteListedButDenied, O_WRONLY);
+    fd = open_broker.Open(kR_AllowListedButDenied, O_WRONLY);
    ASSERT_EQ(fd, -denied_errno);
-    fd = open_broker.Open(kR_WhiteListedButDenied, O_RDWR);
+    fd = open_broker.Open(kR_AllowListedButDenied, O_RDWR);
    ASSERT_EQ(fd, -denied_errno);
-    ret = open_broker.Access(kR_WhiteListedButDenied, F_OK);
+    ret = open_broker.Access(kR_AllowListedButDenied, F_OK);
    // The normal permission system will let us check that the file exists.
    ASSERT_EQ(ret, 0);
-    ret = open_broker.Access(kR_WhiteListedButDenied, R_OK);
+    ret = open_broker.Access(kR_AllowListedButDenied, R_OK);
    ASSERT_EQ(ret, -EACCES);
-    ret = open_broker.Access(kR_WhiteListedButDenied, W_OK);
+    ret = open_broker.Access(kR_AllowListedButDenied, W_OK);
    ASSERT_EQ(ret, -denied_errno);
-    ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | W_OK);
+    ret = open_broker.Access(kR_AllowListedButDenied, R_OK | W_OK);
    ASSERT_EQ(ret, -denied_errno);
-    ret = open_broker.Access(kR_WhiteListedButDenied, X_OK);
+    ret = open_broker.Access(kR_AllowListedButDenied, X_OK);
    ASSERT_EQ(ret, -denied_errno);
-    ret = open_broker.Access(kR_WhiteListedButDenied, R_OK | X_OK);
+    ret = open_broker.Access(kR_AllowListedButDenied, R_OK | X_OK);
    ASSERT_EQ(ret, -denied_errno);
  }

-  fd = open_broker.Open(kW_WhiteListed, O_RDONLY);
+  fd = open_broker.Open(kW_AllowListed, O_RDONLY);
  ASSERT_EQ(fd, -denied_errno);
-  fd = open_broker.Open(kW_WhiteListed, O_WRONLY);
+  fd = open_broker.Open(kW_AllowListed, O_WRONLY);
  ASSERT_EQ(fd, -ENOENT);
-  fd = open_broker.Open(kW_WhiteListed, O_RDWR);
+  fd = open_broker.Open(kW_AllowListed, O_RDWR);
  ASSERT_EQ(fd, -denied_errno);
-  ret = open_broker.Access(kW_WhiteListed, F_OK);
+  ret = open_broker.Access(kW_AllowListed, F_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kW_WhiteListed, R_OK);
+  ret = open_broker.Access(kW_AllowListed, R_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kW_WhiteListed, W_OK);
+  ret = open_broker.Access(kW_AllowListed, W_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kW_WhiteListed, R_OK | W_OK);
+  ret = open_broker.Access(kW_AllowListed, R_OK | W_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kW_WhiteListed, X_OK);
+  ret = open_broker.Access(kW_AllowListed, X_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kW_WhiteListed, R_OK | X_OK);
+  ret = open_broker.Access(kW_AllowListed, R_OK | X_OK);
  ASSERT_EQ(ret, -denied_errno);

-  fd = open_broker.Open(kRW_WhiteListed, O_RDONLY);
+  fd = open_broker.Open(kRW_AllowListed, O_RDONLY);
  ASSERT_EQ(fd, -ENOENT);
-  fd = open_broker.Open(kRW_WhiteListed, O_WRONLY);
+  fd = open_broker.Open(kRW_AllowListed, O_WRONLY);
  ASSERT_EQ(fd, -ENOENT);
-  fd = open_broker.Open(kRW_WhiteListed, O_RDWR);
+  fd = open_broker.Open(kRW_AllowListed, O_RDWR);
  ASSERT_EQ(fd, -ENOENT);
-  ret = open_broker.Access(kRW_WhiteListed, F_OK);
+  ret = open_broker.Access(kRW_AllowListed, F_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kRW_WhiteListed, R_OK);
+  ret = open_broker.Access(kRW_AllowListed, R_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kRW_WhiteListed, W_OK);
+  ret = open_broker.Access(kRW_AllowListed, W_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kRW_WhiteListed, R_OK | W_OK);
+  ret = open_broker.Access(kRW_AllowListed, R_OK | W_OK);
  ASSERT_EQ(ret, -ENOENT);
-  ret = open_broker.Access(kRW_WhiteListed, X_OK);
+  ret = open_broker.Access(kRW_AllowListed, X_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(kRW_WhiteListed, R_OK | X_OK);
+  ret = open_broker.Access(kRW_AllowListed, R_OK | X_OK);
  ASSERT_EQ(ret, -denied_errno);

-  fd = open_broker.Open(k_NotWhitelisted, O_RDONLY);
+  fd = open_broker.Open(k_NotAllowlisted, O_RDONLY);
  ASSERT_EQ(fd, -denied_errno);
-  fd = open_broker.Open(k_NotWhitelisted, O_WRONLY);
+  fd = open_broker.Open(k_NotAllowlisted, O_WRONLY);
  ASSERT_EQ(fd, -denied_errno);
-  fd = open_broker.Open(k_NotWhitelisted, O_RDWR);
+  fd = open_broker.Open(k_NotAllowlisted, O_RDWR);
  ASSERT_EQ(fd, -denied_errno);
-  ret = open_broker.Access(k_NotWhitelisted, F_OK);
+  ret = open_broker.Access(k_NotAllowlisted, F_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(k_NotWhitelisted, R_OK);
+  ret = open_broker.Access(k_NotAllowlisted, R_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(k_NotWhitelisted, W_OK);
+  ret = open_broker.Access(k_NotAllowlisted, W_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(k_NotWhitelisted, R_OK | W_OK);
+  ret = open_broker.Access(k_NotAllowlisted, R_OK | W_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(k_NotWhitelisted, X_OK);
+  ret = open_broker.Access(k_NotAllowlisted, X_OK);
  ASSERT_EQ(ret, -denied_errno);
-  ret = open_broker.Access(k_NotWhitelisted, R_OK | X_OK);
+  ret = open_broker.Access(k_NotAllowlisted, R_OK | X_OK);
  ASSERT_EQ(ret, -denied_errno);

  // We have some extra sanity check for clearly wrong values.
-  fd = open_broker.Open(kRW_WhiteListed, O_RDONLY | O_WRONLY | O_RDWR);
+  fd = open_broker.Open(kRW_AllowListed, O_RDONLY | O_WRONLY | O_RDWR);
  ASSERT_EQ(fd, -denied_errno);

  // It makes no sense to allow O_CREAT in a 2-parameters open. Ensure this
  // is denied.
-  fd = open_broker.Open(kRW_WhiteListed, O_RDWR | O_CREAT);
+  fd = open_broker.Open(kRW_AllowListed, O_RDWR | O_CREAT);
  ASSERT_EQ(fd, -denied_errno);
 }


--- a/sandbox/policy/BUILD.gn
+++ b/sandbox/policy/BUILD.gn
@@ -69,7 +69,7 @@ component("policy") {
      "//media/audio:platform_config",
    ]
    deps += [
-      ":chromecast_sandbox_whitelist_buildflags",
+      ":chromecast_sandbox_allowlist_buildflags",
      "//sandbox:sandbox_buildflags",
      "//sandbox/linux:sandbox_services",
      "//sandbox/linux:seccomp_bpf",
@@ -139,9 +139,9 @@ buildflag_header("sanitizer_buildflags") {
  flags = [ "USING_SANITIZER=$using_sanitizer" ]
 }

-buildflag_header("chromecast_sandbox_whitelist_buildflags") {
-  header = "chromecast_sandbox_whitelist_buildflags.h"
-  flags = [ "ENABLE_CHROMECAST_GPU_SANDBOX_WHITELIST=$is_chromecast" ]
+buildflag_header("chromecast_sandbox_allowlist_buildflags") {
+  header = "chromecast_sandbox_allowlist_buildflags.h"
+  flags = [ "ENABLE_CHROMECAST_GPU_SANDBOX_ALLOWLIST=$is_chromecast" ]
 }

 # TODO(crbug.com/1097376): Figure out a better organization for //sandbox

--- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
+++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
@@ -49,7 +49,7 @@
 #include "sandbox/policy/linux/bpf_utility_policy_linux.h"

 #if !defined(OS_NACL_NONSFI)
-#include "sandbox/policy/chromecast_sandbox_whitelist_buildflags.h"
+#include "sandbox/policy/chromecast_sandbox_allowlist_buildflags.h"
 #endif  // !defined(OS_NACL_NONSFI)

 #if defined(OS_CHROMEOS)
@@ -89,8 +89,8 @@ inline bool IsChromeOS() {
 #endif
 }

-inline bool UseChromecastSandboxWhitelist() {
-#if BUILDFLAG(ENABLE_CHROMECAST_GPU_SANDBOX_WHITELIST)
+inline bool UseChromecastSandboxAllowlist() {
+#if BUILDFLAG(ENABLE_CHROMECAST_GPU_SANDBOX_ALLOWLIST)
  return true;
 #else
  return false;
@@ -107,7 +107,7 @@ inline bool IsArchitectureArm() {

 std::unique_ptr<BPFBasePolicy> GetGpuProcessSandbox(
    bool use_amd_specific_policies) {
-  if (IsChromeOS() || UseChromecastSandboxWhitelist()) {
+  if (IsChromeOS() || UseChromecastSandboxAllowlist()) {
    if (IsArchitectureArm()) {
      return std::make_unique<CrosArmGpuProcessPolicy>(
          base::CommandLine::ForCurrentProcess()->HasSwitch(