content/utility: Limit OOP video decoding/encoding
This CL limits where OOP Video decoding/encoding is launched (as
a service) or supported as a service sandbox, to the linux/CrOS
cases where there is hw acceleration enabled, i.e. when there
is VAAPI or V4L2 build flags enabling it.
This is needed for Linux downstream embedders (e.g. Cobalt) where
there is no HW video decoding, much less in a utility process.
Bug: 402243381, 414459315
Change-Id: Ia0120f9fdf3694e27091c10cb4cabceb06724879
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6482045
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Jordan Bayles <jophba@chromium.org>
Reviewed-by: Andres Calderon Jaramillo <andrescj@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Miguel Casas-Sanchez <mcasas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1455316}
NOKEYCHECK=True
GitOrigin-RevId: 9fd9c8ba24ff1b0fe02882c009ea35687d20d8dd
diff --git a/policy/BUILD.gn b/policy/BUILD.gn
index 793c68d..d8b04f5 100644
--- a/policy/BUILD.gn
+++ b/policy/BUILD.gn
@@ -6,6 +6,7 @@
import("//build/config/cast.gni")
import("//build/config/sanitizers/sanitizers.gni")
import("//chromeos/ash/components/assistant/assistant.gni")
+import("//media/gpu/args.gni")
import("//testing/test.gni")
# Most consumers of sandbox::policy should depend on this target.
@@ -92,12 +93,11 @@
"linux/sandbox_seccomp_bpf_linux.cc",
"linux/sandbox_seccomp_bpf_linux.h",
]
- if (is_linux || is_chromeos) {
+ if (use_linux_video_acceleration) {
sources += [
"linux/bpf_hardware_video_decoding_policy_linux.cc",
"linux/bpf_hardware_video_decoding_policy_linux.h",
]
- deps += [ "//media/gpu:buildflags" ]
}
if (is_linux) {
deps += [ "//net" ] # TODO(crbug.com/40220507): remove this.
@@ -108,6 +108,7 @@
]
deps += [
":chromecast_sandbox_allowlist_buildflags",
+ "//media/gpu:buildflags",
"//sandbox:sandbox_buildflags",
"//sandbox/linux:sandbox_services",
"//sandbox/linux:seccomp_bpf",
diff --git a/policy/linux/sandbox_seccomp_bpf_linux.cc b/policy/linux/sandbox_seccomp_bpf_linux.cc
index 6879a82..b673ffe 100644
--- a/policy/linux/sandbox_seccomp_bpf_linux.cc
+++ b/policy/linux/sandbox_seccomp_bpf_linux.cc
@@ -18,6 +18,7 @@
#include "base/feature_list.h"
#include "base/notreached.h"
#include "build/build_config.h"
+#include "media/gpu/buildflags.h"
#include "ppapi/buildflags/buildflags.h"
#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
#include "sandbox/linux/bpf_dsl/trap_registry.h"
@@ -223,17 +224,17 @@
case sandbox::mojom::Sandbox::kVideoEffects:
return std::make_unique<ServiceProcessPolicy>();
#endif // BUILDFLAG(IS_LINUX)
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)
case sandbox::mojom::Sandbox::kHardwareVideoDecoding:
return std::make_unique<HardwareVideoDecodingProcessPolicy>(
HardwareVideoDecodingProcessPolicy::ComputePolicyType(
options.use_amd_specific_policies));
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
case sandbox::mojom::Sandbox::kHardwareVideoEncoding:
// TODO(b/255554267): we're using the GPU process sandbox policy for now
// as a transition step. However, we should create a policy that's tighter
// just for hardware video encoding.
return GetGpuProcessSandbox(options);
+#endif
#if BUILDFLAG(IS_CHROMEOS)
case sandbox::mojom::Sandbox::kIme:
return std::make_unique<ImeProcessPolicy>();
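Review bot: The `#endif` that now closes the `USE_LINUX_VIDEO_ACCELERATION` region after the `kHardwareVideoEncoding` case has no trailing comment, although the guard it replaces and the `#endif // BUILDFLAG(IS_LINUX)` just above it were labelled. The region now spans two cases and a multi-line TODO, so I would write `#endif  // BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)`. The same applies to the bare `#endif` after `case sandbox::mojom::Sandbox::kHardwareVideoEncoding:` in the next hunk of this file. It also applies to the stacked `#endif` / `#endif` pairs in sandbox_type.cc, where the two lines close different conditions and are easy to mismatch in a later edit. The enclosing switch starts and ends outside the hunk.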
@@ -291,9 +292,10 @@
CHECK_EQ(EPERM, errno);
#endif // !defined(NDEBUG)
} break;
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)
case sandbox::mojom::Sandbox::kHardwareVideoDecoding:
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+ case sandbox::mojom::Sandbox::kHardwareVideoEncoding:
+#endif
#if BUILDFLAG(IS_CHROMEOS)
case sandbox::mojom::Sandbox::kIme:
case sandbox::mojom::Sandbox::kTts:
@@ -304,7 +306,6 @@
#endif // BUILDFLAG(IS_CHROMEOS)
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
case sandbox::mojom::Sandbox::kScreenAI:
- case sandbox::mojom::Sandbox::kHardwareVideoEncoding:
#endif
#if BUILDFLAG(IS_LINUX)
case sandbox::mojom::Sandbox::kVideoEffects:
diff --git a/policy/mojom/BUILD.gn b/policy/mojom/BUILD.gn
index 1fc5a6f..cdebf6c 100644
--- a/policy/mojom/BUILD.gn
+++ b/policy/mojom/BUILD.gn
@@ -3,6 +3,7 @@
# found in the LICENSE file.
import("//chromeos/ash/components/assistant/assistant.gni")
+import("//media/gpu/args.gni")
import("//mojo/public/tools/bindings/mojom.gni")
import("//ppapi/buildflags/buildflags.gni")
@@ -20,4 +21,7 @@
if (enable_cros_libassistant) {
enabled_features += [ "enable_cros_libassistant" ]
}
+ if (use_linux_video_acceleration) {
+ enabled_features += [ "enable_oop_video_accelerators" ]
+ }
}
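Review bot: The new `enable_oop_video_accelerators` mojom feature and the C++ `BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)` guards are two names for the same condition, and nothing in this block says they have to move together. If one is changed without the other, the `kHardwareVideoDecoding` / `kHardwareVideoEncoding` enumerators and the switch cases over them stop matching, which presumably shows up as a build break or an unhandled sandbox type. I would add a comment above the `if`, for example `# Must stay in sync with BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION), which guards the C++ cases for these Sandbox values.`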
diff --git a/policy/mojom/sandbox.mojom b/policy/mojom/sandbox.mojom
index 23f3723..8d0c29b 100644
--- a/policy/mojom/sandbox.mojom
+++ b/policy/mojom/sandbox.mojom
@@ -112,7 +112,7 @@
// TODO(b/195769334): we're using the GPU process sandbox policy for now as a
// transition step. However, we should create a policy that's tighter just for
// hardware video decoding.
- [EnableIf=is_chromeos|is_linux] kHardwareVideoDecoding,
+ [EnableIf=enable_oop_video_accelerators] kHardwareVideoDecoding,
// Used to protect processes that perform hardware video encode acceleration.
// Currently uses the same policy as the GPU process sandbox. Warm-up does
@@ -124,7 +124,7 @@
// TODO(b/248528896): we're using the GPU process sandbox policy for now as a
// transition step. However, we should create a policy that's tighter just for
// hardware video encoding.
- [EnableIf=is_chromeos|is_linux] kHardwareVideoEncoding,
+ [EnableIf=enable_oop_video_accelerators] kHardwareVideoEncoding,
// Hosts Input Method Editors.
[EnableIf=is_chromeos] kIme,
diff --git a/policy/sandbox_type.cc b/policy/sandbox_type.cc
index 89c4fcf..59155ee 100644
--- a/policy/sandbox_type.cc
+++ b/policy/sandbox_type.cc
@@ -17,6 +17,10 @@
#include "chromeos/ash/components/assistant/buildflags.h"
#endif // BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#include "media/gpu/buildflags.h" // nogncheck
+#endif
+
namespace sandbox::policy {
namespace {
@@ -65,9 +69,15 @@
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+// USE_LINUX_VIDEO_ACCELERATION implies IS_LINUX || IS_CHROMEOS, so this double
+// #if is redundant, however, we cannot include "media/gpu/buildflags.h" on all
+// platforms, only one those that need to evaluate the use..., hence this
+// pattern, here and elsewhere. This problem is specific to this file.
+#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)
constexpr char kHardwareVideoDecodingSandbox[] = "hardware_video_decoding";
constexpr char kHardwareVideoEncodingSandbox[] = "hardware_video_encoding";
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#endif
+#endif
#if BUILDFLAG(IS_CHROMEOS)
constexpr char kImeSandbox[] = "ime";
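Review bot: The explanatory comment added above the nested `#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)` is hard to parse: "only one those that need to evaluate the use..." has a typo and trails off where the flag name presumably belongs. Suggested wording for that sentence: `// however, "media/gpu/buildflags.h" can only be included on the platforms that need to evaluate USE_LINUX_VIDEO_ACCELERATION, hence this pattern throughout this file.` That also removes the tension between "here and elsewhere" and "specific to this file" in the current text.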
@@ -152,9 +162,11 @@
case Sandbox::kWindowsSystemProxyResolver:
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)
case Sandbox::kHardwareVideoDecoding:
case Sandbox::kHardwareVideoEncoding:
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#endif
+#endif
#if BUILDFLAG(IS_CHROMEOS)
case Sandbox::kIme:
case Sandbox::kTts:
@@ -309,11 +321,13 @@
return kMirroringSandbox;
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)
case Sandbox::kHardwareVideoDecoding:
return kHardwareVideoDecodingSandbox;
case Sandbox::kHardwareVideoEncoding:
return kHardwareVideoEncodingSandbox;
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#endif
+#endif
#if BUILDFLAG(IS_CHROMEOS)
case Sandbox::kIme:
return kImeSandbox;
@@ -431,13 +445,15 @@
}
#endif
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(USE_LINUX_VIDEO_ACCELERATION)
if (sandbox_string == kHardwareVideoDecodingSandbox) {
return Sandbox::kHardwareVideoDecoding;
}
if (sandbox_string == kHardwareVideoEncodingSandbox) {
return Sandbox::kHardwareVideoEncoding;
}
-#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#endif
+#endif
#if BUILDFLAG(IS_CHROMEOS)
if (sandbox_string == kImeSandbox) {
return Sandbox::kIme;
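Review bot: With `USE_LINUX_VIDEO_ACCELERATION` off, the strings behind `kHardwareVideoDecodingSandbox` and `kHardwareVideoEncodingSandbox` are no longer matched in this chain, so a process started with either name reaches whatever fallback follows the last comparison. That fallback is outside the hunk, as is the start of the function. It is worth confirming that the path fails closed, meaning it rejects the name or selects a restrictive sandbox rather than a looser one. A short comment at the nested `#if` would record this, for example `// Without video acceleration these names are unknown and take the invalid-type path below.`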