mirrors/crosvm
1
0
Fork 0
mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-05 18:20:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

crosvm: sandbox changes for udmabuf

Browse source 
Allow:
   - UDMABUF_CREATE_LIST -- needed to create udmabuf
   - DMA_BUF_IOCTL_SYNC -- to flush the udmabuf.
     virtio-wl already allows this everywhere so
     this should be fine.

Also add the path to minijail.

BUG=chromium:892806, b:173630595
TEST=no sandbox violations

Change-Id: I70ace6ef0349c4b133615eb41f9f56ccd7121e4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2786287
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Gurchetan Singh <gurchetansingh@chromium.org>
Commit-Queue: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
This commit is contained in:
Gurchetan Singh 2019-11-08 10:41:29 -08:00 committed by Commit Bot
parent dda58b774f
commit b66d6f62dc
4 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
seccomp/aarch64/gpu_device.policy
View file

@ -59,8 +59,8 @@ newfstatat: 1
getdents64: 1
sysinfo: 1
# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
ioctl: arg1 & 0x6400 || arg1 & 0x8000
# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
## mmap/mprotect differ from the common_device.policy
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ

4
seccomp/arm/gpu_device.policy
View file

@ -65,8 +65,8 @@ getdents: 1
getdents64: 1
sysinfo: 1
# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
ioctl: arg1 & 0x6400 || arg1 & 0x8000
# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
memfd_create: arg1 == 3

3
seccomp/x86_64/gpu_device.policy
View file

@ -58,7 +58,8 @@ getdents64: 1
geteuid: 1
getrandom: 1
getuid: 1
ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400
# 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x6400 == DRM_IOCTL_BASE, 0x40087543 == UDMABUF_CREATE_LIST
ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400 || arg1 == 0x40087543
lseek: 1
lstat: 1
# Used for sharing memory with wayland. Also internally by Intel anv.

6
src/linux.rs
View file

@ -945,6 +945,12 @@ fn create_gpu_device(
jail.mount_bind(pvr_sync_path, pvr_sync_path, true)?;
}
// If the udmabuf driver exists on the host, bind mount it in.
let udmabuf_path = Path::new("/dev/udmabuf");
if udmabuf_path.exists() {
jail.mount_bind(udmabuf_path, udmabuf_path, true)?;
}
// Libraries that are required when mesa drivers are dynamically loaded.
let lib_dirs = &[
"/usr/lib",