gpu: Add sandboxing support for pvr.

BUG=chromium:892280
TEST=glxgears with virtio-gpu on hana

Change-Id: Ib92b21c124e30eacb3fc28558e2eb5d8d4a92567
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717739
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: David Riley <davidriley@chromium.org>
Commit-Queue: David Riley <davidriley@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Auto-Submit: David Riley <davidriley@chromium.org>

1 files changed, 9 insertions, 0 deletions

diff --git a/src/linux.rs b/src/linux.rs
index 46dc480..56750ae 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -623,6 +623,15 @@ fn create_gpu_device(
 
             add_crosvm_user_to_jail(&mut jail, "gpu")?;
 
+            // pvr driver requires read access to /proc/self/task/*/comm.
+            let proc_path = Path::new("/proc");
+            jail.mount(
+                proc_path,
+                proc_path,
+                "proc",
+                (libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC | libc::MS_RDONLY) as usize,
+            )?;
+
             Some(jail)
         }
         None => None,