1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
--- content/utility/utility_main.cc.orig 2022-05-19 14:06:27 UTC
+++ content/utility/utility_main.cc
@@ -32,18 +32,20 @@
#include "third_party/icu/source/common/unicode/unistr.h"
#include "third_party/icu/source/i18n/unicode/timezone.h"
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_BSD)
#include "components/services/screen_ai/sandbox/screen_ai_sandbox_hook_linux.h"
#include "content/utility/speech/speech_recognition_sandbox_hook_linux.h"
#if BUILDFLAG(ENABLE_PRINTING)
#include "printing/sandbox/print_backend_sandbox_hook_linux.h"
#endif
+#if !BUILDFLAG(IS_BSD)
#include "sandbox/policy/linux/sandbox_linux.h"
+#endif
#include "services/audio/audio_sandbox_hook_linux.h"
#include "services/network/network_sandbox_hook_linux.h"
#endif
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH) || BUILDFLAG(IS_BSD)
#include "gpu/config/gpu_info_collector.h"
#include "media/gpu/sandbox/hardware_video_decoding_sandbox_hook_linux.h"
@@ -52,6 +54,10 @@
#include "third_party/angle/src/gpu_info_util/SystemInfo.h" // nogncheck
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
+#if BUILDFLAG(IS_BSD)
+#include "sandbox/policy/openbsd/sandbox_openbsd.h"
+#endif
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
#include "ash/services/ime/ime_sandbox_hook.h"
#include "chromeos/assistant/buildflags.h"
@@ -139,7 +145,7 @@ int UtilityMain(MainFunctionParams parameters) {
}
}
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_BSD)
// Initializes the sandbox before any threads are created.
// TODO(jorgelo): move this after GTK initialization when we enable a strict
// Seccomp-BPF policy.
@@ -165,7 +171,7 @@ int UtilityMain(MainFunctionParams parameters) {
case sandbox::mojom::Sandbox::kScreenAI:
pre_sandbox_hook = base::BindOnce(&screen_ai::ScreenAIPreSandboxHook);
break;
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH) || BUILDFLAG(IS_BSD)
case sandbox::mojom::Sandbox::kHardwareVideoDecoding:
pre_sandbox_hook =
base::BindOnce(&media::HardwareVideoDecodingPreSandboxHook);
@@ -188,10 +194,11 @@ int UtilityMain(MainFunctionParams parameters) {
default:
break;
}
+#if !BUILDFLAG(IS_BSD)
if (!sandbox::policy::IsUnsandboxedSandboxType(sandbox_type) &&
(parameters.zygote_child || !pre_sandbox_hook.is_null())) {
sandbox::policy::SandboxLinux::Options sandbox_options;
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS_ASH) || BUILDFLAG(IS_BSD)
if (sandbox_type == sandbox::mojom::Sandbox::kHardwareVideoDecoding) {
// The kHardwareVideoDecoding sandbox needs to know the GPU type in order
// to select the right policy.
@@ -204,6 +211,11 @@ int UtilityMain(MainFunctionParams parameters) {
sandbox::policy::Sandbox::Initialize(
sandbox_type, std::move(pre_sandbox_hook), sandbox_options);
}
+#else
+ sandbox::policy::Sandbox::Initialize(
+ sandbox_type, std::move(pre_sandbox_hook),
+ sandbox::policy::SandboxLinux::Options());
+#endif
#elif BUILDFLAG(IS_WIN)
g_utility_target_services = parameters.sandbox_info->target_services;
#endif
|