class GpuProcessPolicy : public SandboxBPFBasePolicy {
public:
GpuProcessPolicy();
- virtual ~GpuProcessPolicy();
+ explicit GpuProcessPolicy(bool allow_mincore);
+ ~GpuProcessPolicy() override;
- virtual sandbox::bpf_dsl::ResultExpr EvaluateSyscall(
- int system_call_number) const OVERRIDE;
+ sandbox::bpf_dsl::ResultExpr EvaluateSyscall(
+ int system_call_number) const override;
- virtual bool PreSandboxHook() OVERRIDE;
+ bool PreSandboxHook() override;
protected:
// Start a broker process to handle open() inside the sandbox.
// names that should be whitelisted by the broker process, in addition to
// the basic ones.
void InitGpuBrokerProcess(
- sandbox::bpf_dsl::SandboxBPFDSLPolicy* (*broker_sandboxer_allocator)(
- void),
+ sandbox::bpf_dsl::Policy* (*broker_sandboxer_allocator)(void),
const std::vector<std::string>& read_whitelist_extra,
const std::vector<std::string>& write_whitelist_extra);
// This is allocated by InitGpuBrokerProcess, called from PreSandboxHook(),
// which executes iff the sandbox is going to be enabled afterwards.
sandbox::BrokerProcess* broker_process_;
+
+ // eglCreateWindowSurface() needs mincore().
+ bool allow_mincore_;
+
DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy);
};
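Review bot: The no-argument `GpuProcessPolicy()` is kept next to the new `explicit GpuProcessPolicy(bool allow_mincore)`, and nothing in this declaration shows what `allow_mincore_` is set to on that path. Since the flag presumably widens the seccomp-bpf allowlist in `EvaluateSyscall()`, it should be initialised to `false` there (or the default constructor dropped) so mincore() stays denied unless a caller opts in. The member comment could also state the default and effect, e.g. `// When true, EvaluateSyscall() allows mincore(); false by default. Needed by eglCreateWindowSurface().` mincore() reports page-residency information to the caller, so the allowance is worth keeping as narrow as the driver requirement permits. The constructor definitions and the `EvaluateSyscall()` body are outside this hunk, so none of this can be confirmed from the lines shown.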