devices: video: update jail settings to support VAAPI backend

VAAPI requires one more system call and access to the mesa drivers on the host. BUG=b:262824148 TEST=presubmit Change-Id: I8c382472675d61365167ec2a8a3f1544e35858c4 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4744561 Auto-Submit: Alexandre Courbot <acourbot@chromium.org> Commit-Queue: Keiichi Watanabe <keiichiw@chromium.org> Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
2024-11-24 20:48:55 +00:00 · 2023-08-02 12:37:19 +09:00 · 2023-08-02 12:37:19 +09:00 · 8e1f220c69
commit 8e1f220c69
parent 68c1a7eec1
2 changed files with 4 additions and 1 deletions
--- a/jail/seccomp/x86_64/video_device.policy
+++ b/jail/seccomp/x86_64/video_device.policy
@ -103,3 +103,6 @@ prctl: arg0 == PR_SET_NAME
 userfaultfd: 1
 # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
 ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00
+
+# Required by VAAPI backend
+access: 1
--- a/src/crosvm/sys/unix/device_helpers.rs
+++ b/src/crosvm/sys/unix/device_helpers.rs
@ -1019,7 +1019,7 @@ pub fn create_video_device(
            jail.mount_bind(sys_devices_path, sys_devices_path, false)?;

            // Required for loading dri libraries loaded by minigbm on AMD devices.
-            jail_mount_bind_if_exists(&mut jail, &["/usr/lib64"])?;
+            jail_mount_bind_if_exists(&mut jail, &["/usr/lib64", "/usr/lib"])?;
        }

        // Device nodes required by libchrome which establishes Mojo connection in libvda.