-rw-r--r--seccomp/arm/gpu_device.policy64
-rw-r--r--src/linux.rs22
2 files changed, 82 insertions, 4 deletions
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
new file mode 100644
index 0000000..2e3e1ba
--- /dev/null
+++ b/seccomp/arm/gpu_device.policy
@@ -0,0 +1,64 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Rules from common_device.policy with some rules removed because they block certain flags needed
+# for gpu.
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mremap: 1
+munmap: 1
+nanosleep: 1
+open: return ENOENT
+openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+readv: 1
+recv: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+sendto: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+
+## Rules specific to gpu
+connect: 1
+getrandom: 1
+openat: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+_llseek: 1
+ftruncate64: 1
+stat64: 1
+fstat64: 1
+getdents64: 1
+
+# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
+ioctl: arg1 & 0x6400 || arg1 & 0x8000
+
+## mmap/mprotect/open/openat differ from the common_device.policy
+mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
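Review bot: The `ioctl` rule `arg1 & 0x6400 || arg1 & 0x8000` is a bit test, not a match on the ioctl type byte. If minijail's `&` means "any of these bits set" (to be confirmed), it admits every request number with bit 10, 13, 14 or 15 set, which is far more than the DRM and Mali families the comment names. If the policy language cannot express a masked equality, the comment should say the filter is deliberately coarse, e.g. `# Coarse filter: matches any request with one of these bits set, not only ioctl type 0x64 / 0x80.` Separately, `openat` has two rules in this file: `openat: return ENOENT` in the common section and `openat: 1` under the gpu rules. The first should be dropped so the effective rule does not depend on how the policy compiler treats duplicates.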
diff --git a/src/linux.rs b/src/linux.rs
index 58a0e10..46dc480 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -597,11 +597,25 @@ fn create_gpu_device(
             let drm_dri_path = Path::new("/dev/dri");
             jail.mount_bind(drm_dri_path, drm_dri_path, false)?;
 
+            // If the ARM specific devices exist on the host, bind mount them in.
+            let mali0_path = Path::new("/dev/mali0");
+            if mali0_path.exists() {
+                jail.mount_bind(mali0_path, mali0_path, true)?;
+            }
+
+            let pvr_sync_path = Path::new("/dev/pvr_sync");
+            if pvr_sync_path.exists() {
+                jail.mount_bind(pvr_sync_path, pvr_sync_path, true)?;
+            }
+
             // Libraries that are required when mesa drivers are dynamically loaded.
-            let lib_path = Path::new("/lib64");
-            jail.mount_bind(lib_path, lib_path, false)?;
-            let usr_lib_path = Path::new("/usr/lib64");
-            jail.mount_bind(usr_lib_path, usr_lib_path, false)?;
+            let lib_dirs = &["/usr/lib", "/usr/lib64", "/lib", "/lib64"];
+            for dir in lib_dirs {
+                let dir_path = Path::new(dir);
+                if dir_path.exists() {
+                    jail.mount_bind(dir_path, dir_path, false)?;
+                }
+            }
 
             // Bind mount the wayland socket into jail's root. This is necessary since each
             // new wayland context must open() the socket.
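Review bot: The new binds for `/dev/mali0` and `/dev/pvr_sync` pass `true` as the third argument to `mount_bind`, while the `/dev/dri` bind just above and the library binds pass `false`. Assuming that argument is the writable flag, nothing in the hunk says why these two nodes need a writable mount. A short comment would record the reason, e.g. `// Writable bind: <reason the driver needs read-write access> (TODO confirm)`, or the flag could be `false` if the driver works without it. The `exists()` guards also mean a host with none of the four library directories now builds the jail without error, so a warning when no library directory was mounted would make a later driver-load failure easier to trace. `create_gpu_device` starts and ends outside the hunk.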