gpu: Add sandboxing support for pvr.

BUG=chromium:892280 TEST=glxgears with virtio-gpu on hana Change-Id: Ib92b21c124e30eacb3fc28558e2eb5d8d4a92567 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717739 Tested-by: kokoro <noreply+kokoro@google.com> Tested-by: David Riley <davidriley@chromium.org> Commit-Queue: David Riley <davidriley@chromium.org> Reviewed-by: Zach Reizner <zachr@chromium.org> Auto-Submit: David Riley <davidriley@chromium.org>
2024-11-24 20:48:55 +00:00 · 2019-07-24 17:22:50 -07:00 · 2019-07-24 17:22:50 -07:00 · 54e660ba8b
commit 54e660ba8b
parent 06787c5b6c
2 changed files with 20 additions and 0 deletions
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@ -44,6 +44,7 @@ sendto: 1
 set_robust_list: 1
 sigaltstack: 1
 write: 1
+writev: 1

 ## Rules specific to gpu
 connect: 1
@ -62,3 +63,13 @@ ioctl: arg1 & 0x6400 || arg1 & 0x8000
 ## mmap/mprotect/open/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+
+## Rules specific to pvr
+geteuid32: 1
+getuid32: 1
+lstat64: 1
+readlink: 1
+gettid: 1
+fcntl64: 1
+tgkill: 1
+clock_gettime: 1
--- a/src/linux.rs
+++ b/src/linux.rs
@ -623,6 +623,15 @@ fn create_gpu_device(

            add_crosvm_user_to_jail(&mut jail, "gpu")?;

+            // pvr driver requires read access to /proc/self/task/*/comm.
+            let proc_path = Path::new("/proc");
+            jail.mount(
+                proc_path,
+                proc_path,
+                "proc",
+                (libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC | libc::MS_RDONLY) as usize,
+            )?;
+
            Some(jail)
        }
        None => None,