sandbox: whitelist IMG gpu for Chrome OS platforms

This change gives the IMG gpu process access to its own device node
/dev/pvr_sync for Chrome OS platform only.

BUG=b:117489304
TEST=Build Chrome, deploy it, boot a PowerVR based device, verify that the UI
starts and the sandbox is enabled

R=bhthompson@chromium.org, djkurtz@chromium.org, drinkcat@chromium.org
Signed-off-by: Luigi Santivetti <luigi.santivetti@imagination.corp-partner.google.com>
Change-Id: Ifb89cab0b0d372d4e2fe9d882fa3767c1827bb17
Reviewed-on: https://chromium-review.googlesource.com/c/1299077
Commit-Queue: Kenneth Russell <kbr@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#611897}

content/gpu/gpu_sandbox_hook_linux.cc

@@ -139,6 +139,13 @@ void AddArmMaliGpuWhitelist(std::vector<BrokerFilePermission>* permissions) {
   permissions->push_back(BrokerFilePermission::ReadWrite(kDevImageProc0Path));
 }
 
+void AddImgPvrGpuWhitelist(std::vector<BrokerFilePermission>* permissions) {
+  // Device node needed by the IMG GPU userspace.
+  static const char kPvrSyncPath[] = "/dev/pvr_sync";
+
+  permissions->push_back(BrokerFilePermission::ReadWrite(kPvrSyncPath));
+}
+
 void AddAmdGpuWhitelist(std::vector<BrokerFilePermission>* permissions) {
   static const char* const kReadOnlyList[] = {"/etc/ld.so.cache",
                                               "/usr/lib64/libEGL.so.1",
@@ -247,6 +254,7 @@ std::vector<BrokerFilePermission> FilePermissionsForGpu(
     if (UseV4L2Codec())
       AddV4L2GpuWhitelist(&permissions, options);
     if (IsArchitectureArm()) {
+      AddImgPvrGpuWhitelist(&permissions);
       AddArmGpuWhitelist(&permissions);
       return permissions;
     }