author | David Riley <davidriley@chromium.org> | 2018-08-20 08:11:42 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-09-17 13:18:06 -0700 |
commit | b22b6137aa398223daf54b66f8229119c301225b (patch) | |
tree | 74b0a58b44a5adb75fccc8b493c55bdc61bd57e4 /devices/src/virtio/gpu/mod.rs | |
parent | 9fbac2cf59eb87bff7ab423076d63a6b89c91bd8 (diff) | |
gpu: add sandboxing via minijail for virtio gpu device.
Sandboxing only works when started as chronos via concierge client. If started directly via crosvm as root, the jail will not have proper group permissions to access the Wayland socket. BUG=chromium:837073 TEST=build with --features=gpu; null_platform_test without --disable-sandbox CQ-DEPEND=CL:1213779 Change-Id: I6331f7ae1f5b99d31ad44cf158f72337294771f0 Reviewed-on: https://chromium-review.googlesource.com/1181168 Commit-Ready: David Riley <davidriley@chromium.org> Tested-by: David Riley <davidriley@chromium.org> Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'devices/src/virtio/gpu/mod.rs')
-rw-r--r-- | devices/src/virtio/gpu/mod.rs | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/devices/src/virtio/gpu/mod.rs b/devices/src/virtio/gpu/mod.rs
index 65c01c5..38efa41 100644
--- a/devices/src/virtio/gpu/mod.rs
+++ b/devices/src/virtio/gpu/mod.rs
@@ -13,7 +13,8 @@ use std::cell::RefCell;
 use std::collections::VecDeque;
 use std::i64;
 use std::mem::size_of;
-use std::os::unix::io::RawFd;
+use std::os::unix::io::{AsRawFd, RawFd};
+use std::path::{Path, PathBuf};
 use std::rc::Rc;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicUsize, Ordering};
@@ -587,14 +588,16 @@ pub struct Gpu {
 config_event: bool,
 exit_evt: EventFd,
 kill_evt: Option<EventFd>,
+ wayland_socket_path: PathBuf,
 }
 
 impl Gpu {
- pub fn new(exit_evt: EventFd) -> Gpu {
+ pub fn new<P: AsRef<Path>>(exit_evt: EventFd, wayland_socket_path: P) -> Gpu {
 Gpu {
 config_event: false,
 exit_evt,
 kill_evt: None,
+ wayland_socket_path: wayland_socket_path.as_ref().to_path_buf(),
 }
 }
 
@@ -623,7 +626,9 @@ impl Drop for Gpu {
 
 impl VirtioDevice for Gpu {
 fn keep_fds(&self) -> Vec<RawFd> {
- Vec::new()
+ let mut keep_fds = Vec::new();
+ keep_fds.push(self.exit_evt.as_raw_fd());
+ keep_fds
 }
 
 fn device_type(&self) -> u32 {
@@ -706,6 +711,7 @@ impl VirtioDevice for Gpu {
 let ctrl_evt = queue_evts.remove(0);
 let cursor_queue = queues.remove(0);
 let cursor_evt = queue_evts.remove(0);
+ let socket_path = self.wayland_socket_path.clone();
 spawn(move || {
 const UNDESIRED_CARDS: &[&str] = &["vgem", "pvr"];
 let drm_card = match gpu_buffer::rendernode::open_device(UNDESIRED_CARDS) {
@@ -724,10 +730,10 @@ impl VirtioDevice for Gpu {
 }
 };
 
- let display = match GpuDisplay::new() {
+ let display = match GpuDisplay::new(socket_path) {
 Ok(c) => c,
 Err(e) => {
- error!("{:?}", e);
+ error!("failed to open display: {:?}", e);
 return;
 }
 };
 |
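Review bot: `Gpu::new` in the `impl Gpu` hunk gains a `wayland_socket_path` argument, but neither the constructor nor the new struct field documents when the path is used or who must be able to reach it. The hunk only stores the path; a later hunk hands it to the worker thread. A doc comment should tell callers that nothing is opened or checked at construction time: `/// Creates a GPU device that connects to the Wayland socket at wayland_socket_path once the device is activated; the path is not opened or validated here.`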
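Review bot: `keep_fds` in the `impl VirtioDevice for Gpu` hunk now returns only `exit_evt`, with no comment on why that is the complete set for a sandboxed device. In the later hunks the DRM render node and the Wayland display are both opened by path inside the `spawn` closure, so they are presumably opened after the jail is in place. The jail's filesystem view and group membership then have to grant access to both, which is the failure mode the commit message describes for a root-started crosvm. I would record that next to the list, `// Only exit_evt is inherited; the render node and the Wayland socket are opened by path from inside the jail, so the jail policy must expose them.`, and build the vector directly with `vec![self.exit_evt.as_raw_fd()]`.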
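Review bot: The new `failed to open display` message in the last hunk leaves out the socket path, which is the value an operator needs when the jail cannot reach the Wayland socket. `socket_path` is moved into `GpuDisplay::new`, whose signature is not visible in this diff; if it accepts a borrowed path, pass `&socket_path` and log `error!("failed to open display at {}: {:?}", socket_path.display(), e);`. The early `return` ends the worker thread with only this log line as evidence. The enclosing function starts and ends outside the hunk, so it is worth confirming that a failed display open is surfaced somewhere other than the log.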