From 54e660ba8b912cf9c1fe7837cd42d21b9cfe9133 Mon Sep 17 00:00:00 2001
From: David Riley
Date: Wed, 24 Jul 2019 17:22:50 -0700
Subject: [PATCH] gpu: Add sandboxing support for pvr.

BUG=chromium:892280
TEST=glxgears with virtio-gpu on hana

Change-Id: Ib92b21c124e30eacb3fc28558e2eb5d8d4a92567
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717739
Tested-by: kokoro
Tested-by: David Riley
Commit-Queue: David Riley
Reviewed-by: Zach Reizner
Auto-Submit: David Riley
---
 seccomp/arm/gpu_device.policy | 11 +++++++++++
 src/linux.rs | 9 +++++++++
 2 files changed, 20 insertions(+)

diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index 2e3e1ba0c7..bcd29b6ae4 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -44,6 +44,7 @@ sendto: 1
 set_robust_list: 1
 sigaltstack: 1
 write: 1
+writev: 1
 
 ## Rules specific to gpu
 connect: 1
@@ -62,3 +63,13 @@ ioctl: arg1 & 0x6400 || arg1 & 0x8000
 ## mmap/mprotect/open/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+
+## Rules specific to pvr
+geteuid32: 1
+getuid32: 1
+lstat64: 1
+readlink: 1
+gettid: 1
+fcntl64: 1
+tgkill: 1
+clock_gettime: 1
diff --git a/src/linux.rs b/src/linux.rs
index 46dc48003d..56750ae7c6 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -623,6 +623,15 @@ fn create_gpu_device(
 
 add_crosvm_user_to_jail(&mut jail, "gpu")?;
 
+// pvr driver requires read access to /proc/self/task/*/comm.
+let proc_path = Path::new("/proc");
+jail.mount(
+proc_path,
+proc_path,
+"proc",
+(libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC | libc::MS_RDONLY) as usize,
+)?;
+
 Some(jail)
 }
 None => None,
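Review bot: The new `## Rules specific to pvr` block lists eight syscalls, all allowed unfiltered (`: 1`), without saying which pvr code path needs each one, whereas the rest of this file explains its deviations (the mmap/mprotect comment just above); whoever later tries to trim this allowlist has nothing to go on. I would extend the header to something like `## Rules specific to pvr (userspace driver; presumably lstat64/readlink for the /proc/self/task/*/comm lookup, gettid/tgkill for its thread handling)`, keeping only the groupings that match how the list was actually obtained. If `clock_gettime` or `gettid` already appear in the common portion of this policy above the hunk (not visible here), the duplicate entries should be dropped. Note also that only the arm policy is touched while the accompanying /proc mount in src/linux.rs is architecture-independent; if an arm64 gpu policy exists and pvr can run there, it needs the same rules or the device process will be killed by seccomp.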
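Review bot: The comment on the new mount names only `/proc/self/task/*/comm`, but the call mounts a whole procfs instance (fstype `"proc"`, no MS_BIND), which also exposes `/proc/sys` and every process visible in the jail's PID namespace, and nothing in the hunk records that the safety of this depends on simple_jail entering a fresh PID namespace (not visible here); if it does not, the GPU device process, which handles guest-driven virtio-gpu traffic, gains a read-only view of all host processes. I would state both the need and the mitigation in the comment: `// pvr driver requires read access to /proc/self/task/*/comm. Mount a new procfs (not a bind of the host's /proc) so only the jail's PID namespace is visible; read-only, nosuid, nodev, noexec.` The mount is also unconditional for every architecture and GPU backend, while the matching seccomp rules were added only under seccomp/arm; either gate it on the configuration that selects pvr or document why all builds should carry the extra exposure. The enclosing match arm and `create_gpu_device` continue outside the hunk.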