Update GPU sandbox to whitelist NVIDIA and Vulkan ICD paths

This makes it possible to use WebGPU on Linux NVIDIA without disabling the GPU sandbox. It still requires --use-vulkan so that Chrome loads the Vulkan driver before creating the GPU sandbox. Bug: 852089 Change-Id: I80ea898af221e48c5dd6a471a468628b47cc1992 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2013474 Commit-Queue: Austin Eng <enga@chromium.org> Reviewed-by: Kenneth Russell <kbr@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#735108}

Update GPU sandbox to whitelist NVIDIA and Vulkan ICD paths
This makes it possible to use WebGPU on Linux NVIDIA without disabling the GPU sandbox. It still requires --use-vulkan so that Chrome loads the Vulkan driver before creating the GPU sandbox. Bug: 852089 Change-Id: I80ea898af221e48c5dd6a471a468628b47cc1992 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2013474 Commit-Queue: Austin Eng <enga@chromium.org> Reviewed-by: Kenneth Russell <kbr@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#735108}
376014f2 · Austin Eng · Commit Bot · 5904234f · 376014f2 · 376014f2
Commit 376014f2 authored Jan 24, 2020 by Austin Eng Committed by Commit Bot Jan 24, 2020
3 changed files
--- a/content/gpu/gpu_sandbox_hook_linux.cc
+++ b/content/gpu/gpu_sandbox_hook_linux.cc
@@ -267,6 +267,9 @@ void AddStandardGpuWhiteList(std::vector<BrokerFilePermission>* permissions) {
  static const char kNvidiaDeviceModeSetPath[] = "/dev/nvidia-modeset";
  static const char kNvidiaParamsPath[] = "/proc/driver/nvidia/params";
  static const char kDevShm[] = "/dev/shm/";
+  static const char kVulkanIcdPath[] = "/usr/share/vulkan/icd.d";
+  static const char kNvidiaVulkanIcd[] =
+      "/usr/share/vulkan/icd.d/nvidia_icd.json";

  // For shared memory.
  permissions->push_back(
@@ -287,6 +290,9 @@ void AddStandardGpuWhiteList(std::vector<BrokerFilePermission>* permissions) {
  permissions->push_back(
      BrokerFilePermission::ReadWrite(kNvidiaDeviceModeSetPath));
  permissions->push_back(BrokerFilePermission::ReadOnly(kNvidiaParamsPath));
+
+  permissions->push_back(BrokerFilePermission::ReadOnly(kVulkanIcdPath));
+  permissions->push_back(BrokerFilePermission::ReadOnly(kNvidiaVulkanIcd));
 }

 std::vector<BrokerFilePermission> FilePermissionsForGpu(

--- a/testing/buildbot/chromium.dawn.json
+++ b/testing/buildbot/chromium.dawn.json
@@ -202,7 +202,7 @@
          "--additional-expectations=../../third_party/blink/web_tests/WebGPUExpectations",
          "--isolated-script-test-filter=wpt_internal/webgpu/*",
          "--no-xvfb",
-          "--additional-driver-flag=--disable-gpu-sandbox"
+          "--additional-driver-flag=--use-vulkan=native"
        ],
        "isolate_name": "blink_web_tests",
        "merge": {
@@ -425,7 +425,7 @@
          "--additional-expectations=../../third_party/blink/web_tests/WebGPUExpectations",
          "--isolated-script-test-filter=wpt_internal/webgpu/*",
          "--no-xvfb",
-          "--additional-driver-flag=--disable-gpu-sandbox"
+          "--additional-driver-flag=--use-vulkan=native"
        ],
        "isolate_name": "blink_web_tests",
        "merge": {

--- a/testing/buildbot/test_suites.pyl
+++ b/testing/buildbot/test_suites.pyl
@@ -2542,7 +2542,7 @@
        ],
        'linux_args': [
          '--no-xvfb',
-          '--additional-driver-flag=--disable-gpu-sandbox',
+          '--additional-driver-flag=--use-vulkan=native',
        ],
        'merge': {
          'args': [