authorDavid Riley <davidriley@chromium.org>2018-08-20 08:11:42 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-09-17 13:18:06 -0700
commitb22b6137aa398223daf54b66f8229119c301225b (patch)
tree74b0a58b44a5adb75fccc8b493c55bdc61bd57e4 /gpu_display
parent9fbac2cf59eb87bff7ab423076d63a6b89c91bd8 (diff)
gpu: add sandboxing via minijail for virtio gpu device.
Sandboxing only works when started as chronos via concierge client.  If
started directly via crosvm as root, the jail will not have proper group
permissions to access the Wayland socket.

BUG=chromium:837073
TEST=build with --features=gpu; null_platform_test without --disable-sandbox
CQ-DEPEND=CL:1213779

Change-Id: I6331f7ae1f5b99d31ad44cf158f72337294771f0
Reviewed-on: https://chromium-review.googlesource.com/1181168
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'gpu_display')
-rw-r--r--gpu_display/src/display_wl.c4
-rw-r--r--gpu_display/src/dwl.rs66
-rw-r--r--gpu_display/src/lib.rs28
3 files changed, 68 insertions, 30 deletions
diff --git a/gpu_display/src/display_wl.c b/gpu_display/src/display_wl.c
index e0c4e24..e308506 100644
--- a/gpu_display/src/display_wl.c
+++ b/gpu_display/src/display_wl.c
@@ -374,9 +374,9 @@ void dwl_context_destroy(struct dwl_context **self)
 	*self = NULL;
 }
 
-bool dwl_context_setup(struct dwl_context *self)
+bool dwl_context_setup(struct dwl_context *self, const char *socket_path)
 {
-	struct wl_display *display = wl_display_connect(NULL);
+	struct wl_display *display = wl_display_connect(socket_path);
 	if (!display) {
 		printf("failed to connect to display\n");
 		return false;
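Review bot: The new `socket_path` parameter of `dwl_context_setup` is undocumented and reaches `wl_display_connect` unchecked, so a NULL argument silently keeps the old behaviour of choosing the socket from the environment (`WAYLAND_DISPLAY`). For a device process that is meant to run inside a jail, the contract is worth stating above the function, for example `/* socket_path: path of the Wayland socket to connect to; NULL falls back to the environment default. */`. The failure message could also name the path that was tried, `printf("failed to connect to display %s\n", socket_path ? socket_path : "(default)");`, which makes a permissions failure on the socket easier to diagnose. The function body continues past the end of this hunk.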
diff --git a/gpu_display/src/dwl.rs b/gpu_display/src/dwl.rs
index 9101c82..cbe337d 100644
--- a/gpu_display/src/dwl.rs
+++ b/gpu_display/src/dwl.rs
@@ -1,19 +1,58 @@
 /* automatically generated by rust-bindgen */
 
-# [ repr ( C ) ]
-# [ derive ( Debug , Copy , Clone ) ]
-pub struct dwl_context {
+
+/// @page page_xdg_shell_unstable_v6 The xdg_shell_unstable_v6 protocol
+/// @section page_ifaces_xdg_shell_unstable_v6 Interfaces
+/// - @subpage page_iface_zxdg_shell_v6 - create desktop-style surfaces
+/// - @subpage page_iface_zxdg_positioner_v6 - child surface positioner
+/// - @subpage page_iface_zxdg_surface_v6 - desktop user interface surface base interface
+/// - @subpage page_iface_zxdg_toplevel_v6 - toplevel surface
+/// - @subpage page_iface_zxdg_popup_v6 - short-lived, popup surfaces for menus
+/// @section page_copyright_xdg_shell_unstable_v6 Copyright
+/// <pre>
+///
+/// Copyright © 2008-2013 Kristian Høgsberg
+/// Copyright © 2013      Rafael Antognolli
+/// Copyright © 2013      Jasper St. Pierre
+/// Copyright © 2010-2013 Intel Corporation
+///
+/// Permission is hereby granted, free of charge, to any person obtaining a
+/// copy of this software and associated documentation files (the "Software"),
+/// to deal in the Software without restriction, including without limitation
+/// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+/// and/or sell copies of the Software, and to permit persons to whom the
+/// Software is furnished to do so, subject to the following conditions:
+///
+/// The above copyright notice and this permission notice (including the next
+/// paragraph) shall be included in all copies or substantial portions of the
+/// Software.
+///
+/// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+/// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+/// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+/// THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+/// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+/// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+/// DEALINGS IN THE SOFTWARE.
+/// </pre>
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct wl_output {
     _unused: [u8; 0],
 }
-# [ repr ( C ) ]
-# [ derive ( Debug , Copy , Clone ) ]
+#[repr(C)]
+pub struct dwl_context {
+    pub _bindgen_opaque_blob: [u64; 52usize],
+}
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct dwl_dmabuf {
-    _unused: [u8; 0],
+    pub _bindgen_opaque_blob: [u64; 3usize],
 }
-# [ repr ( C ) ]
-# [ derive ( Debug , Copy , Clone ) ]
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct dwl_surface {
-    _unused: [u8; 0],
+    pub _bindgen_opaque_blob: [u64; 12usize],
 }
 extern "C" {
     pub fn dwl_context_new() -> *mut dwl_context;
@@ -22,7 +61,9 @@ extern "C" {
     pub fn dwl_context_destroy(self_: *mut *mut dwl_context);
 }
 extern "C" {
-    pub fn dwl_context_setup(self_: *mut dwl_context) -> bool;
+    pub fn dwl_context_setup(self_: *mut dwl_context,
+                             socket_path: *const ::std::os::raw::c_char)
+                             -> bool;
 }
 extern "C" {
     pub fn dwl_context_fd(self_: *mut dwl_context) -> ::std::os::raw::c_int;
@@ -42,9 +83,6 @@ extern "C" {
                                   -> *mut dwl_dmabuf;
 }
 extern "C" {
-    pub fn dwl_dmabuf_in_use(self_: *mut dwl_dmabuf) -> bool;
-}
-extern "C" {
     pub fn dwl_dmabuf_destroy(self_: *mut *mut dwl_dmabuf);
 }
 extern "C" {
@@ -78,4 +116,4 @@ extern "C" {
 }
 extern "C" {
     pub fn dwl_surface_set_position(self_: *mut dwl_surface, x: u32, y: u32);
-}
\ No newline at end of file
+}
diff --git a/gpu_display/src/lib.rs b/gpu_display/src/lib.rs
index 7f2b775..7ff116a 100644
--- a/gpu_display/src/lib.rs
+++ b/gpu_display/src/lib.rs
@@ -11,8 +11,9 @@ mod dwl;
 
 use std::cell::Cell;
 use std::collections::HashMap;
-use std::ffi::CStr;
+use std::ffi::{CStr, CString};
 use std::os::unix::io::{AsRawFd, RawFd};
+use std::path::Path;
 use std::ptr::null_mut;
 
 use data_model::{VolatileSlice, VolatileMemory};
@@ -40,6 +41,8 @@ pub enum GpuDisplayError {
     FailedImport,
     /// The surface ID is invalid.
     InvalidSurfaceId,
+    /// The path is invalid.
+    InvalidPath,
 }
 
 struct DwlContext(*mut dwl_context);
@@ -108,15 +111,23 @@ pub struct GpuDisplay {
 
 impl GpuDisplay {
     /// Opens a fresh connection to the compositor.
-    pub fn new() -> Result<GpuDisplay, GpuDisplayError> {
+    pub fn new<P: AsRef<Path>>(wayland_path: P) -> Result<GpuDisplay, GpuDisplayError> {
         // The dwl_context_new call should always be safe to call, and we check its result.
         let ctx = DwlContext(unsafe { dwl_context_new() });
         if ctx.0.is_null() {
             return Err(GpuDisplayError::Allocate);
         }
+
         // The dwl_context_setup call is always safe to call given that the supplied context is
         // valid. and we check its result.
-        let setup_success = unsafe { dwl_context_setup(ctx.0) };
+        let cstr_path = match wayland_path.as_ref().as_os_str().to_str() {
+            Some(str) => match CString::new(str) {
+                Ok(cstr) => cstr,
+                Err(_) => return Err(GpuDisplayError::InvalidPath),
+            },
+            None => return Err(GpuDisplayError::InvalidPath),
+        };
+        let setup_success = unsafe { dwl_context_setup(ctx.0, cstr_path.as_ptr() ) };
         if !setup_success {
             return Err(GpuDisplayError::Connect);
         }
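Review bot: The path conversion in `GpuDisplay::new` goes through `to_str()`, so a socket path that is valid on Unix but not UTF-8 is rejected as `InvalidPath`; converting the raw bytes avoids that and is shorter: `let cstr_path = CString::new(wayland_path.as_ref().as_os_str().as_bytes()).map_err(|_| GpuDisplayError::InvalidPath)?;` with `use std::os::unix::ffi::OsStrExt;` added to the imports. The conversion also now sits between the safety comment and the `unsafe` call it justifies, so the comment should move down next to the call and state that `cstr_path` is a NUL-terminated buffer that outlives it. As far as I know libwayland resolves a non-absolute name against `XDG_RUNTIME_DIR`, so it may be worth returning `InvalidPath` when `wayland_path.as_ref().is_absolute()` is false, so that the socket the jailed process connects to does not depend on its environment. The body of `new` continues past the end of this hunk.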
@@ -171,17 +182,6 @@ impl GpuDisplay {
         Ok(next_id)
     }
 
-    pub fn import_in_use(&mut self, import_id: u32) -> bool {
-        match self.dmabufs.get(&import_id) {
-            // Safe because only a valid dmabuf is used.
-            Some(dmabuf) => unsafe { dwl_dmabuf_in_use(dmabuf.0) },
-            None => {
-                debug_assert!(false, "invalid import_id {}", import_id);
-                false
-            }
-        }
-    }
-
     /// Releases a previously imported dmabuf identified by the given handle.
     pub fn release_import(&mut self, import_id: u32) {
         self.dmabufs.remove(&import_id);