Add permissions for creating /run/user/$UID/pulse in audio sandbox policy.

On some pulse audio configs, creating a new pulse audio context requires creating /run/user/$UID/pulse directory and subsequent files in this path. Bug: 903929,903788 Change-Id: I7cf018a30428e024480c0215f4a17a85dfa826c2 Reviewed-on: https://chromium-review.googlesource.com/c/1331467Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Marina Ciocea <marinaciocea@chromium.org> Cr-Commit-Position: refs/heads/master@{#607931}

Add permissions for creating /run/user/$UID/pulse in audio sandbox policy.
On some pulse audio configs, creating a new pulse audio context requires creating /run/user/$UID/pulse directory and subsequent files in this path. Bug: 903929,903788 Change-Id: I7cf018a30428e024480c0215f4a17a85dfa826c2 Reviewed-on: https://chromium-review.googlesource.com/c/1331467Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Marina Ciocea <marinaciocea@chromium.org> Cr-Commit-Position: refs/heads/master@{#607931}
70e9f7bc · Marina Ciocea · Commit Bot · 6b0833d4 · 70e9f7bc
Commit 70e9f7bc authored Nov 14, 2018 by Marina Ciocea Committed by Commit Bot Nov 14, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 5 deletions

services/audio/audio_sandbox_hook_linux.cc services/audio/audio_sandbox_hook_linux.cc +16 -5

No files found.
--- a/services/audio/audio_sandbox_hook_linux.cc
+++ b/services/audio/audio_sandbox_hook_linux.cc
@@ -5,6 +5,7 @@
 #include "services/audio/audio_sandbox_hook_linux.h"
 #include <dlfcn.h>
+#include <unistd.h>
 #include <string>
 #include <vector>
@@ -73,6 +74,13 @@ void AddPulseAudioFilePermissions(
                                              kConfigPulsePath.value()};
  for (const auto& path : kReadOnlyRecursivePaths)
    permissions->push_back(BrokerFilePermission::ReadOnlyRecursive(path));
+  const std::string kRunUserPath = base::StringPrintf("/run/user/%d", getuid());
+  permissions->push_back(BrokerFilePermission::ReadWriteCreate(kRunUserPath));
+  permissions->push_back(
+      BrokerFilePermission::ReadWriteCreate(kRunUserPath + "/pulse"));
+  permissions->push_back(
+      BrokerFilePermission::ReadWriteCreateRecursive(kRunUserPath + "/pulse/"));
 }
 #endif
@@ -111,11 +119,14 @@ bool AudioPreSandboxHook(service_manager::SandboxLinux::Options options) {
  LoadAudioLibraries();
  auto* instance = service_manager::SandboxLinux::GetInstance();
  instance->StartBrokerProcess(MakeBrokerCommandSet({
-                                   sandbox::syscall_broker::COMMAND_ACCESS,
+                                 sandbox::syscall_broker::COMMAND_ACCESS,
-                                   sandbox::syscall_broker::COMMAND_OPEN,
+#if defined(USE_PULSEAUDIO)
-                                   sandbox::syscall_broker::COMMAND_READLINK,
+                                     sandbox::syscall_broker::COMMAND_MKDIR,
-                                   sandbox::syscall_broker::COMMAND_STAT,
+#endif
-                                   sandbox::syscall_broker::COMMAND_UNLINK,
+                                     sandbox::syscall_broker::COMMAND_OPEN,
+                                     sandbox::syscall_broker::COMMAND_READLINK,
+                                     sandbox::syscall_broker::COMMAND_STAT,
+                                     sandbox::syscall_broker::COMMAND_UNLINK,
                               }),
                               GetAudioFilePermissions(),
                               service_manager::SandboxLinux::PreSandboxHook(),