gpu: Add sandboxing support for mali/ARM.

ARM platforms have different library locations and also required GPU devices to be availble to the GPU process. BUG=chromium:892280 TEST=glxgears with virtio-gpu on kevin and nami Change-Id: If1baeb1edda76d057e88ab5e88ce22f02e5d30a0 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717738 Reviewed-by: Zach Reizner <zachr@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Tested-by: David Riley <davidriley@chromium.org> Commit-Queue: David Riley <davidriley@chromium.org> Auto-Submit: David Riley <davidriley@chromium.org>
2025-02-05 18:20:34 +00:00 · 2019-07-24 12:09:07 -07:00 · 2019-07-24 12:09:07 -07:00 · 06787c5b6c
commit 06787c5b6c
parent 62c533c9a3
2 changed files with 82 additions and 4 deletions
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@ -0,0 +1,64 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Rules from common_device.policy with some rules removed because they block certain flags needed
+# for gpu.
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mremap: 1
+munmap: 1
+nanosleep: 1
+open: return ENOENT
+openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+readv: 1
+recv: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+sendto: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+
+## Rules specific to gpu
+connect: 1
+getrandom: 1
+openat: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+_llseek: 1
+ftruncate64: 1
+stat64: 1
+fstat64: 1
+getdents64: 1
+
+# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
+ioctl: arg1 & 0x6400 || arg1 & 0x8000
+
+## mmap/mprotect/open/openat differ from the common_device.policy
+mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
--- a/src/linux.rs
+++ b/src/linux.rs
@ -597,11 +597,25 @@ fn create_gpu_device(
            let drm_dri_path = Path::new("/dev/dri");
            jail.mount_bind(drm_dri_path, drm_dri_path, false)?;

+            // If the ARM specific devices exist on the host, bind mount them in.
+            let mali0_path = Path::new("/dev/mali0");
+            if mali0_path.exists() {
+                jail.mount_bind(mali0_path, mali0_path, true)?;
+            }
+
+            let pvr_sync_path = Path::new("/dev/pvr_sync");
+            if pvr_sync_path.exists() {
+                jail.mount_bind(pvr_sync_path, pvr_sync_path, true)?;
+            }
+
            // Libraries that are required when mesa drivers are dynamically loaded.
-            let lib_path = Path::new("/lib64");
-            jail.mount_bind(lib_path, lib_path, false)?;
-            let usr_lib_path = Path::new("/usr/lib64");
-            jail.mount_bind(usr_lib_path, usr_lib_path, false)?;
+            let lib_dirs = &["/usr/lib", "/usr/lib64", "/lib", "/lib64"];
+            for dir in lib_dirs {
+                let dir_path = Path::new(dir);
+                if dir_path.exists() {
+                    jail.mount_bind(dir_path, dir_path, false)?;
+                }
+            }

            // Bind mount the wayland socket into jail's root. This is necessary since each
            // new wayland context must open() the socket.