diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 3e0ecd78..fb981835 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -1,4 +1,4 @@ -Copyright 2024-2025 The Trivalent Authors +Copyright 2024-2026 The Trivalent Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -11,21 +11,25 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..986d44ab5d 100644 +index 2e53794fa3..059e71b3ff 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc -@@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; - namespace content { - namespace { +@@ -56,6 +56,14 @@ inline bool IsChromeOS() { + #endif + } --inline bool IsChromeOS() { --#if BUILDFLAG(IS_CHROMEOS) +inline bool IsLinux() { +#if BUILDFLAG(IS_LINUX) ++ return true; ++#else ++ return false; ++#endif ++} ++ + inline bool UseChromecastSandboxAllowlist() { + #if BUILDFLAG(ENABLE_CHROMECAST_GPU_SANDBOX_ALLOWLIST) return true; - #else - return false; -@@ -86,7 +86,7 @@ inline bool UseV4L2Codec( +@@ -86,7 +94,7 @@ inline bool UseV4L2Codec( static const char kMaliConfPath[] = "/etc/mali_platform.conf"; #endif 
@@ -34,20 +38,11 @@ index 2e53794fa3..986d44ab5d 100644 static const char kLibGlesPath[] = "/usr/lib64/libGLESv2.so.2"; static const char kLibEglPath[] = "/usr/lib64/libEGL.so.1"; static const char kLibMaliPath[] = "/usr/lib64/libmali.so"; -@@ -100,7 +100,7 @@ static const char kLibTegraPath[] = "/usr/lib/libtegrav4l2.so"; - - constexpr int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; - --void AddStandardChromeOsPermissions( -+void AddStandardLinuxPermissions( - std::vector* permissions) { - // For the ANGLE passthrough command decoder. - static const char* const kReadOnlyList[] = {"libEGL.so", "libGLESv2.so"}; -@@ -115,6 +115,18 @@ void AddStandardChromeOsPermissions( +@@ -115,6 +123,18 @@ void AddStandardChromeOsPermissions( } } -+void AddLibGalliumLinuxPermissions( ++void AddLibGalliumPermissionsLinux( + std::vector* permissions, + const std::string driver_version) { + if (driver_version.empty()) { 
@@ -62,67 +57,234 @@ index 2e53794fa3..986d44ab5d 100644 void AddV4L2GpuPermissions( std::vector* permissions, const sandbox::policy::SandboxSeccompBPF::Options& options) { -@@ -257,6 +269,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { - // that requires the following libs and files to be accessible. - "/usr/lib64/libEGL.so.1", - "/usr/lib64/libGLESv2.so.2", -+#if !BUILDFLAG(IS_CHROMEOS) // Linux AMD +@@ -292,6 +312,52 @@ void AddAmdGpuPermissions(std::vector* permissions) { + } + } + ++void AddAmdGpuPermissionsLinux(std::vector* permissions) { ++ static const char* const kReadOnlyList[] = { ++ // Trivalent added + "/usr/lib64/libwayland-server.so.0", + "/usr/lib64/gbm/dri_gbm.so", + "/usr/lib64/dri/iHD_drv_video.so", -+#endif - "/usr/lib64/libglapi.so.0", - "/usr/lib64/libgallium_dri.so", - "/usr/lib64/dri/r300_dri.so", -@@ -298,6 +315,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { - // that requires the following libs and files to be accessible. - "/etc/ld.so.cache", - "/usr/lib64/libgallium_dri.so", -+#if !BUILDFLAG(IS_CHROMEOS) // Linux Nvidia ++ // To support threads in mesa we use --gpu-sandbox-start-early and ++ // that requires the following libs and files to be accessible. ++ "/etc/ld.so.cache", ++ "/usr/lib64/libEGL.so.1", ++ "/usr/lib64/libGLESv2.so.2", ++ "/usr/lib64/libglapi.so.0", ++ "/usr/lib64/libgallium_dri.so", ++ "/usr/lib64/dri/r300_dri.so", ++ "/usr/lib64/dri/r600_dri.so", ++ "/usr/lib64/dri/radeonsi_dri.so", ++ // Allow libglvnd files and libs. 
++ "/usr/share/glvnd/egl_vendor.d", ++ "/usr/share/glvnd/egl_vendor.d/50_mesa.json", ++ "/usr/lib64/libEGL_mesa.so.0", ++ "/usr/lib64/libGLdispatch.so.0"}; ++ for (const char* item : kReadOnlyList) ++ permissions->push_back(BrokerFilePermission::ReadOnly(item)); ++ ++ AddDrmGpuPermissions(permissions); ++ ++ // NOTE: control nodes are probably not required: ++ // NOTE: amdgpu.ids should probably be read-only: ++ static const char* const kReadWriteList[] = { ++ "/dev/dri/controlD64", ++ "/sys/class/drm/card0/device/config", ++ "/sys/class/drm/controlD64/device/config", ++ "/sys/class/drm/renderD128/device/config", ++ "/usr/share/libdrm/amdgpu.ids"}; ++ for (const char* item : kReadWriteList) ++ permissions->push_back(BrokerFilePermission::ReadWrite(item)); ++ ++ static const char* kDevices[] = {"/sys/dev/char", "/sys/devices"}; ++ for (const char* item : kDevices) { ++ std::string path(item); ++ permissions->push_back( ++ BrokerFilePermission::StatOnlyWithIntermediateDirs(path)); ++ permissions->push_back(BrokerFilePermission::ReadOnlyRecursive(path + "/")); ++ } ++} ++ + void AddNvidiaGpuPermissions(std::vector* permissions) { + static const char* const kReadOnlyList[] = { + // To support threads in mesa we use --gpu-sandbox-start-early and +@@ -319,6 +385,61 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { + AddDrmGpuPermissions(permissions); + } + ++void AddNvidiaGpuPermissionsLinux(std::vector* permissions) { ++ static const char* const kReadOnlyList[] = { ++ // Trivalent added + "/usr/lib64/gbm/dri_gbm.so", -+#endif - "/usr/lib64/dri/nouveau_dri.so", - "/usr/lib64/dri/radeonsi_dri.so", - "/usr/lib64/dri/swrast_dri.so", -@@ -324,6 +344,11 @@ void AddIntelGpuPermissions(std::vector* permissions) { ++ // To support threads in mesa we use --gpu-sandbox-start-early and ++ // that requires the following libs and files to be accessible. 
++ "/etc/ld.so.cache",
++ "/usr/lib64/libgallium_dri.so",
++ "/usr/lib64/dri/nouveau_dri.so",
++ "/usr/lib64/dri/radeonsi_dri.so",
++ "/usr/lib64/dri/swrast_dri.so",
++ "/usr/lib64/libEGL.so.1",
++ "/usr/lib64/libEGL_mesa.so.0",
++ "/usr/lib64/libGLESv2.so.2",
++ "/usr/lib64/libGLdispatch.so.0",
++ "/usr/lib64/libdrm_amdgpu.so.1",
++ "/usr/lib64/libdrm_nouveau.so.2",
++ "/usr/lib64/libdrm_radeon.so.1",
++ "/usr/lib64/libelf.so.1",
++ "/usr/lib64/libglapi.so.0",
++ "/usr/share/glvnd/egl_vendor.d",
++ "/usr/share/glvnd/egl_vendor.d/50_mesa.json"};
++ for (const char* item : kReadOnlyList) {
++ permissions->push_back(BrokerFilePermission::ReadOnly(item));
++ }
++
++ AddDrmGpuPermissions(permissions);
++
++ static const char kDriCardBasePath[] = "/dev/dri/card";
++ static const char kNvidiaCtlPath[] = "/dev/nvidiactl";
++ static const char kNvidiaDeviceBasePath[] = "/dev/nvidia";
++ static const char kNvidiaDeviceModeSetPath[] = "/dev/nvidia-modeset";
++ static const char kNvidiaParamsPath[] = "/proc/driver/nvidia/params";
++ static const char kDevShm[] = "/dev/shm/";
++ // For shared memory.
++ permissions->push_back(
++ BrokerFilePermission::ReadWriteCreateTemporaryRecursive(kDevShm));
++
++ // For DRI cards.
++ for (int i = 0; i <= 9; ++i) {
++ permissions->push_back(BrokerFilePermission::ReadWrite(
++ base::StringPrintf("%s%d", kDriCardBasePath, i)));
++ }
++
++ // For Nvidia GLX driver.
++ permissions->push_back(BrokerFilePermission::ReadWrite(kNvidiaCtlPath)); ++ for (int i = 0; i < 10; ++i) { ++ permissions->push_back(BrokerFilePermission::ReadWrite( ++ base::StringPrintf("%s%d", kNvidiaDeviceBasePath, i))); ++ } ++ permissions->push_back( ++ BrokerFilePermission::ReadWrite(kNvidiaDeviceModeSetPath)); ++ permissions->push_back(BrokerFilePermission::ReadOnly(kNvidiaParamsPath)); ++} ++ + void AddIntelGpuPermissions(std::vector* permissions) { + static const char* const kReadOnlyList[] = { // To support threads in mesa we use --gpu-sandbox-start-early and - // that requires the following libs and files to be accessible. - "/usr/lib64/libgallium_dri.so", -+#if !BUILDFLAG(IS_CHROMEOS) // Linux Intel +@@ -343,6 +464,35 @@ void AddIntelGpuPermissions(std::vector* permissions) { + AddDrmGpuPermissions(permissions); + } + ++void AddIntelGpuPermissionsLinux(std::vector* permissions) { ++ static const char* const kReadOnlyList[] = { ++ // Trivalent added + "/usr/lib64/gbm/dri_gbm.so", + "/usr/lib64/dri/iHD_drv_video.so", + "/usr/lib64/libsensors.so.4", -+#endif - "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", - "/usr/lib64/libelf.so.1", "/usr/lib64/libglapi.so.0", - "/usr/lib64/libdrm_amdgpu.so.1", "/usr/lib64/libdrm_radeon.so.1", -@@ -363,6 +388,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { - "/usr/lib64/libglapi.so.0", - "/usr/lib64/libc++.so.1", - "/usr/lib64/libgallium_dri.so", -+#if !BUILDFLAG(IS_CHROMEOS) // Linux VirtIO -+ "/usr/lib64/dri/virtio_gpu_drv_video.so", ++ "/usr/lib64/libdrm_intel.so.1", ++ // To support threads in mesa we use --gpu-sandbox-start-early and ++ // that requires the following libs and files to be accessible. 
++ "/usr/lib64/libgallium_dri.so", ++ "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", ++ "/usr/lib64/libelf.so.1", "/usr/lib64/libglapi.so.0", ++ "/usr/lib64/libdrm_amdgpu.so.1", "/usr/lib64/libdrm_radeon.so.1", ++ "/usr/lib64/libdrm_nouveau.so.2", "/usr/lib64/dri/crocus_dri.so", ++ "/usr/lib64/dri/i965_dri.so", "/usr/lib64/dri/iris_dri.so", ++ "/usr/lib64/dri/swrast_dri.so", "/usr/lib64/libzstd.so.1", ++ // Allow libglvnd files and libs. ++ "/usr/share/glvnd/egl_vendor.d", ++ "/usr/share/glvnd/egl_vendor.d/50_mesa.json", ++ "/usr/lib64/libEGL_mesa.so.0", "/usr/lib64/libGLdispatch.so.0", ++ // Case of when the only libc++abi.so.1 is preloaded. ++ // See: crbug.com/1366646 ++ "/usr/lib64/libc++.so.1"}; ++ for (const char* item : kReadOnlyList) ++ permissions->push_back(BrokerFilePermission::ReadOnly(item)); ++ ++ AddDrmGpuPermissions(permissions); ++} ++ + void AddVirtIOGpuPermissions(std::vector* permissions) { + static const char* const kReadOnlyList[] = { + "/etc/ld.so.cache", +@@ -387,6 +537,56 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { + AddDrmGpuPermissions(permissions); + } + ++void AddVirtIOGpuPermissionsLinux(std::vector* permissions) { ++ static const char* const kReadOnlyList[] = { ++ // Trivalent added + "/usr/lib64/libwayland-server.so.0", + "/usr/lib64/gbm/dri_gbm.so", -+#endif - // If kms_swrast_dri is not usable, swrast_dri is used instead. - "/usr/lib64/dri/swrast_dri.so", - "/usr/lib64/dri/kms_swrast_dri.so", -@@ -548,11 +578,13 @@ void LoadArmGpuLibraries() { - } ++ "/usr/lib64/dri/iHD_drv_video.so", ++ "/usr/lib64/libsensors.so.4", ++ "/usr/lib64/libdrm_intel.so.1", ++ // To support threads in mesa we use --gpu-sandbox-start-early and ++ // that requires the following libs and files to be accessible. ++ // "/sys", "/sys/dev", "/sys/dev/char", "/sys/devices" are probed in order ++ // to use kms_swrast. 
++ "/etc/ld.so.cache", ++ "/sys", ++ "/sys/dev", ++ "/usr/lib64/libdrm_amdgpu.so.1", ++ "/usr/lib64/libdrm_radeon.so.1", ++ "/usr/lib64/libdrm_nouveau.so.2", ++ "/usr/lib64/libelf.so.1", ++ "/usr/lib64/libEGL.so.1", ++ "/usr/lib64/libGLESv2.so.2", ++ "/usr/lib64/libEGL_mesa.so.0", ++ "/usr/lib64/libGLdispatch.so.0", ++ "/usr/lib64/libglapi.so.0", ++ "/usr/lib64/libc++.so.1", ++ "/usr/lib64/libgallium_dri.so", ++ // If kms_swrast_dri is not usable, swrast_dri is used instead. ++ "/usr/lib64/dri/swrast_dri.so", ++ "/usr/lib64/dri/kms_swrast_dri.so", ++ "/usr/lib64/dri/virtio_gpu_dri.so", ++ "/usr/share/glvnd/egl_vendor.d", ++ "/usr/share/glvnd/egl_vendor.d/50_mesa.json", ++ }; ++ ++ for (const char* item : kReadOnlyList) { ++ permissions->push_back(BrokerFilePermission::ReadOnly(item)); ++ } ++ ++ static const char* kDevices[] = {"/sys/dev/char", "/sys/devices"}; ++ for (const char* item : kDevices) { ++ std::string path(item); ++ permissions->push_back( ++ BrokerFilePermission::StatOnlyWithIntermediateDirs(path)); ++ permissions->push_back(BrokerFilePermission::ReadOnly(path)); ++ permissions->push_back(BrokerFilePermission::ReadOnlyRecursive(path + "/")); ++ } ++ ++ AddDrmGpuPermissions(permissions); ++} ++ + void AddArmGpuPermissions(std::vector* permissions) { + static const char kLdSoCache[] = "/etc/ld.so.cache"; - bool LoadAmdGpuLibraries() { -+#if BUILDFLAG(IS_CHROMEOS) - // Preload the amdgpu-dependent libraries. 
- if (nullptr == dlopen("libglapi.so", dlopen_flag)) { - LOG(ERROR) << "dlopen(libglapi.so) failed with error: " << dlerror(); - return false; - } -+#endif // IS_CHROMEOS +@@ -565,6 +765,18 @@ bool LoadAmdGpuLibraries() { + return true; + } - const char* radeonsi_lib = "/usr/lib64/dri/radeonsi_dri.so"; - #if defined(DRI_DRIVER_DIR) -@@ -609,7 +641,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( ++bool LoadAmdGpuLinuxLibraries() { ++ const char* radeonsi_lib = "/usr/lib64/dri/radeonsi_dri.so"; ++#if defined(DRI_DRIVER_DIR) ++ radeonsi_lib = DRI_DRIVER_DIR "/radeonsi_dri.so"; ++#endif ++ if (nullptr == dlopen(radeonsi_lib, dlopen_flag)) { ++ LOG(ERROR) << "dlopen(radeonsi_dri.so) failed with error: " << dlerror(); ++ return false; ++ } ++ return true; ++} ++ + bool LoadNvidiaLibraries() { + // The driver may lazily load several XCB libraries. It's not an error on + // wayland-only systems for them to be missing. +@@ -609,7 +821,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( command_set.set(sandbox::syscall_broker::COMMAND_ACCESS); command_set.set(sandbox::syscall_broker::COMMAND_OPEN); command_set.set(sandbox::syscall_broker::COMMAND_STAT); 
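Review bot: `AddAmdGpuPermissionsLinux` grants `BrokerFilePermission::ReadWrite` on `/usr/share/libdrm/amdgpu.ids` and on the `controlD64` nodes, although its own NOTE comments say the former should probably be read-only and the latter are probably not required. Because this function is newly added by the patch as a separate Linux list, it is the natural place to apply least privilege: move `"/usr/share/libdrm/amdgpu.ids"` into `kReadOnlyList` and drop the two `controlD64` entries once the driver is confirmed to initialize without them. Separately, `AddVirtIOGpuPermissionsLinux` lists `iHD_drv_video.so`, `libsensors.so.4` and `libdrm_intel.so.1` under "Trivalent added" and no longer lists `virtio_gpu_drv_video.so`, which the previous revision of the patch added for VirtIO. That looks like a copy of the Intel list and is worth confirming, since every extra entry widens what the sandboxed GPU process can open through the broker.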
@@ -131,39 +293,59 @@ index 2e53794fa3..986d44ab5d 100644 (options.use_amd_specific_policies || options.use_intel_specific_policies || options.use_nvidia_specific_policies || -@@ -628,9 +660,9 @@ std::vector FilePermissionsForGpu( - - AddVulkanICDPermissions(&permissions); +@@ -656,6 +868,32 @@ std::vector FilePermissionsForGpu( + } + return permissions; + } ++ else if (IsLinux()) { ++ AddLibGalliumPermissionsLinux(&permissions, options.driver_version); ++ if (UseV4L2Codec(options)) { ++ AddV4L2GpuPermissions(&permissions, options); ++ } ++ if (IsArchitectureArm()) { ++ AddImgPvrGpuPermissions(&permissions); ++ AddArmGpuPermissions(&permissions); ++ // Add standard DRM permissions for snapdragon: ++ AddDrmGpuPermissions(&permissions); ++ // Following discrete GPUs can be plugged in via USB4 on ARM systems. ++ } ++ if (options.use_amd_specific_policies) { ++ AddAmdGpuPermissionsLinux(&permissions); ++ } ++ if (options.use_intel_specific_policies) { ++ AddIntelGpuPermissionsLinux(&permissions); ++ } ++ if (options.use_nvidia_specific_policies) { ++ AddNvidiaGpuPermissionsLinux(&permissions); ++ } ++ if (options.use_virtio_specific_policies) { ++ AddVirtIOGpuPermissionsLinux(&permissions); ++ } ++ return permissions; ++ } -- if (IsChromeOS()) { -+ if (IsLinux()) { - // Permissions are additive, there can be multiple GPUs in the system. 
-- AddStandardChromeOsPermissions(&permissions); -+ AddStandardLinuxPermissions(&permissions); + if (UseChromecastSandboxAllowlist()) { if (UseV4L2Codec(options)) { - AddV4L2GpuPermissions(&permissions, options); - } -@@ -643,9 +675,11 @@ std::vector FilePermissionsForGpu( - } - if (options.use_amd_specific_policies) { - AddAmdGpuPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, options.driver_version); +@@ -683,11 +921,14 @@ bool LoadLibrariesForGpu( + if (!LoadAmdGpuLibraries()) + return false; } - if (options.use_intel_specific_policies) { - AddIntelGpuPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, options.driver_version); +- } else { +- if (UseChromecastSandboxAllowlist() && IsArchitectureArm()) { +- if (UseV4L2Codec(options)) { +- LoadChromecastV4L2Libraries(); +- } ++ } else if (UseChromecastSandboxAllowlist() && IsArchitectureArm()) { ++ if (UseV4L2Codec(options)) { ++ LoadChromecastV4L2Libraries(); ++ } ++ } else if (IsLinux()) { ++ if (options.use_amd_specific_policies) { ++ if (!LoadAmdGpuLinuxLibraries()) ++ return false; } - if (options.use_nvidia_specific_policies) { - AddStandardGpuPermissions(&permissions); -@@ -678,7 +712,7 @@ bool LoadLibrariesForGpu( - if (IsArchitectureArm()) { - LoadArmGpuLibraries(); } -- if (IsChromeOS()) { -+ if (IsLinux()) { - if (options.use_amd_specific_policies) { - if (!LoadAmdGpuLibraries()) - return false; + if (options.use_nvidia_specific_policies) diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc index 30cc1d4a17..a565ea4b5c 100644 --- a/content/gpu/gpu_main.cc
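Review bot: The two dispatchers test the platform in opposite orders: in `FilePermissionsForGpu` the new `else if (IsLinux())` branch returns before `if (UseChromecastSandboxAllowlist())` is reached, while in `LoadLibrariesForGpu` the Chromecast branch is tested before `IsLinux()`. On an ARM build where both conditions hold, the broker allowlist would come from the Linux lists while library preloading takes the Chromecast branch, so the order should match in both functions, or a comment should state that the two flags are never set together. The Linux branch also puts `else` on its own line after a block that has already returned; a plain `if (IsLinux()) {` behaves the same and matches the neighbouring `if (UseChromecastSandboxAllowlist())`. The comment `// Following discrete GPUs can be plugged in via USB4 on ARM systems.` sits inside the `IsArchitectureArm()` block but describes the checks after it, so it belongs just below the closing brace. Both function bodies begin outside this hunk.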