gpu: Add sandboxing support for pvr.

BUG=chromium:892280
TEST=glxgears with virtio-gpu on hana

Change-Id: Ib92b21c124e30eacb3fc28558e2eb5d8d4a92567
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717739
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: David Riley <davidriley@chromium.org>
Commit-Queue: David Riley <davidriley@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Auto-Submit: David Riley <davidriley@chromium.org>

seccomp/arm/gpu_device.policy

@@ -44,6 +44,7 @@ sendto: 1
 set_robust_list: 1
 sigaltstack: 1
 write: 1
+writev: 1
 
 ## Rules specific to gpu
 connect: 1
@@ -62,3 +63,13 @@ ioctl: arg1 & 0x6400 || arg1 & 0x8000
 ## mmap/mprotect/open/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+
+## Rules specific to pvr
+geteuid32: 1
+getuid32: 1
+lstat64: 1
+readlink: 1
+gettid: 1
+fcntl64: 1
+tgkill: 1
+clock_gettime: 1

src/linux.rs

@@ -623,6 +623,15 @@ fn create_gpu_device(
 
             add_crosvm_user_to_jail(&mut jail, "gpu")?;
 
+            // pvr driver requires read access to /proc/self/task/*/comm.
+            let proc_path = Path::new("/proc");
+            jail.mount(
+                proc_path,
+                proc_path,
+                "proc",
+                (libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC | libc::MS_RDONLY) as usize,
+            )?;
+
             Some(jail)
         }
         None => None,