Fix crash with --use-gl=egl on Linux.

eglCreateWindowSurface() in mesa egl driver needs mincore() system call, so allow gpu process to call mincore(). BUG=423674 Review URL: https://codereview.chromium.org/656023003 Cr-Commit-Position: refs/heads/master@{#300445}

Fix crash with --use-gl=egl on Linux.
eglCreateWindowSurface() in mesa egl driver needs mincore() system call, so allow gpu process to call mincore(). BUG=423674 Review URL: https://codereview.chromium.org/656023003 Cr-Commit-Position: refs/heads/master@{#300445}
43815b01 · dongseong.hwang · Commit bot · 94ac8b9f · 43815b01 · 43815b01
Commit 43815b01 authored Oct 21, 2014 by dongseong.hwang Committed by Commit bot Oct 21, 2014
3 changed files
--- a/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
+++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.cc
@@ -169,7 +169,12 @@ bool UpdateProcessTypeAndEnableSandbox(sandbox::bpf_dsl::SandboxBPFDSLPolicy* (

 }  // namespace

-GpuProcessPolicy::GpuProcessPolicy() : broker_process_(NULL) {}
+GpuProcessPolicy::GpuProcessPolicy() : GpuProcessPolicy(false) {
+}
+
+GpuProcessPolicy::GpuProcessPolicy(bool allow_mincore)
+    : broker_process_(NULL), allow_mincore_(allow_mincore) {
+}

 GpuProcessPolicy::~GpuProcessPolicy() {}

@@ -177,6 +182,13 @@ GpuProcessPolicy::~GpuProcessPolicy() {}
 ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
  switch (sysno) {
    case __NR_ioctl:
+      return Allow();
+    case __NR_mincore:
+      if (allow_mincore_) {
+        return Allow();
+      } else {
+        return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
+      }
 #if defined(__i386__) || defined(__x86_64__) || defined(__mips__)
    // The Nvidia driver uses flags not in the baseline policy
    // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)

--- a/content/common/sandbox_linux/bpf_gpu_policy_linux.h
+++ b/content/common/sandbox_linux/bpf_gpu_policy_linux.h
@@ -20,6 +20,7 @@ namespace content {
 class GpuProcessPolicy : public SandboxBPFBasePolicy {
 public:
  GpuProcessPolicy();
+  explicit GpuProcessPolicy(bool allow_mincore);
  virtual ~GpuProcessPolicy();

  virtual sandbox::bpf_dsl::ResultExpr EvaluateSyscall(
@@ -51,6 +52,10 @@ class GpuProcessPolicy : public SandboxBPFBasePolicy {
  // This is allocated by InitGpuBrokerProcess, called from PreSandboxHook(),
  // which executes iff the sandbox is going to be enabled afterwards.
  sandbox::BrokerProcess* broker_process_;
+
+  // eglCreateWindowSurface() needs mincore().
+  bool allow_mincore_;
+
  DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy);
 };


--- a/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
+++ b/content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc
@@ -34,6 +34,10 @@
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/linux_syscalls.h"

+#if !defined(IN_NACL_HELPER)
+#include "ui/gl/gl_switches.h"
+#endif
+
 using sandbox::BaselinePolicy;
 using sandbox::SandboxBPF;
 using sandbox::SyscallSets;
@@ -167,7 +171,11 @@ scoped_ptr<SandboxBPFBasePolicy> GetGpuProcessSandbox() {
    return scoped_ptr<SandboxBPFBasePolicy>(
        new CrosArmGpuProcessPolicy(allow_sysv_shm));
  } else {
-    return scoped_ptr<SandboxBPFBasePolicy>(new GpuProcessPolicy);
+    bool allow_mincore = command_line.HasSwitch(switches::kUseGL) &&
+                         command_line.GetSwitchValueASCII(switches::kUseGL) ==
+                             gfx::kGLImplementationEGLName;
+    return scoped_ptr<SandboxBPFBasePolicy>(
+        new GpuProcessPolicy(allow_mincore));
  }
 }