Update to 65.0.3325.181-5

3 files changed, 98 insertions, 3 deletions

diff --git a/.SRCINFO b/.SRCINFO
index cf12581ffc2e..78a509e40808 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = chromium-vaapi
 	pkgdesc = Chromium compiled with VA-API support for Intel Graphics
 	pkgver = 65.0.3325.181
-	pkgrel = 4
+	pkgrel = 5
 	url = https://www.chromium.org/Home
 	install = chromium.install
 	arch = x86_64
@@ -56,6 +56,7 @@ pkgbase = chromium-vaapi
 	source = chromium-launcher-6.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v6.tar.gz
 	source = chromium-65.0.3325.181.txt::https://chromium.googlesource.com/chromium/src.git/+/65.0.3325.181?format=TEXT
 	source = fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
+	source = allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
 	source = chromium-skia-harmony.patch
 	source = chromium-clang-r2.patch
 	source = chromium-math.h-r0.patch
@@ -67,6 +68,7 @@ pkgbase = chromium-vaapi
 	sha256sums = 04917e3cd4307d8e31bfb0027a5dce6d086edb10ff8a716024fbb8bb0c7dccf1
 	sha256sums = 2771c049b66c9aba3b945fe065f2610f164d55506eb5d71751a26aaf8b40d4ee
 	sha256sums = e3fb73b43bb8c69ff517e66b2cac73d6e759fd240003eb35598df9af442422fe
+	sha256sums = 4327289866d0b3006de62799ec06b07198a738e50e0a5c2e41ff62dbe00b4a2c
 	sha256sums = feca54ab09ac0fc9d0626770a6b899a6ac5a12173c7d0c1005bc3964ec83e7b3
 	sha256sums = 4495e8b29dae242c79ffe4beefc5171eb3c7aacb7e9aebfd2d4d69b9d8c958d3
 	sha256sums = fe0ab86aa5b0072db730eccda3e1582ebed4af25815bfd49fe0da24cf63ca902
diff --git a/PKGBUILD b/PKGBUILD
index 501b6e01c9bb..6795c59361e0 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -11,7 +11,7 @@
 
 pkgname=chromium-vaapi
 pkgver=65.0.3325.181
-pkgrel=4
+pkgrel=5
 _launcher_ver=6
 pkgdesc="Chromium compiled with VA-API support for Intel Graphics"
 arch=('x86_64')
@@ -34,6 +34,7 @@ source=(https://commondatastorage.googleapis.com/chromium-browser-official/chrom
         chromium-launcher-$_launcher_ver.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver.tar.gz
         chromium-$pkgver.txt::https://chromium.googlesource.com/chromium/src.git/+/$pkgver?format=TEXT
         fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
+        allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
         chromium-skia-harmony.patch
         chromium-clang-r2.patch
         chromium-math.h-r0.patch
@@ -46,6 +47,7 @@ sha256sums=('93666448c6b96ec83e6a35a64cff40db4eb92a154fe1db4e7dab4761d0e38687'
             '04917e3cd4307d8e31bfb0027a5dce6d086edb10ff8a716024fbb8bb0c7dccf1'
             '2771c049b66c9aba3b945fe065f2610f164d55506eb5d71751a26aaf8b40d4ee'
             'e3fb73b43bb8c69ff517e66b2cac73d6e759fd240003eb35598df9af442422fe'
+            '4327289866d0b3006de62799ec06b07198a738e50e0a5c2e41ff62dbe00b4a2c'
             'feca54ab09ac0fc9d0626770a6b899a6ac5a12173c7d0c1005bc3964ec83e7b3'
             '4495e8b29dae242c79ffe4beefc5171eb3c7aacb7e9aebfd2d4d69b9d8c958d3'
             'fe0ab86aa5b0072db730eccda3e1582ebed4af25815bfd49fe0da24cf63ca902'
@@ -114,6 +116,9 @@ prepare() {
   # https://crbug.com/822820
   patch -Np1 -i ../fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
 
+  # https://crbug.com/817400
+  patch -Np1 -i ../allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
+
   # https://crbug.com/skia/6663#c10
   patch -Np4 -i ../chromium-skia-harmony.patch
 
@@ -171,7 +176,7 @@ build() {
     'custom_toolchain="//build/toolchain/linux/unbundle:default"'
     'host_toolchain="//build/toolchain/linux/unbundle:default"'
     'clang_use_chrome_plugins=false'
-    'is_official_build=true'
+    'is_official_build=true' # implies is_cfi=true on x86_64
     'is_debug=false'
     'treat_warnings_as_errors=false'
     'fieldtrial_testing_like_official_build=true'
diff --git a/allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch b/allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
new file mode 100644
index 000000000000..327d8c3bb569
--- /dev/null
+++ b/allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
@@ -0,0 +1,88 @@
+From 6b1b6d3a8555075e23cca89335e855d55f35fba9 Mon Sep 17 00:00:00 2001
+From: Zhenyao Mo <zmo@chromium.org>
+Date: Thu, 29 Mar 2018 23:48:19 +0000
+Subject: [PATCH] Allow `stat` in Linux for GPU process for a list of files.
+
+This is to unblock certain NVidia driver's glReadPixels calls in the sandboxed
+GPU process.
+
+Note that the needed file /dev/nvidiactl is already in the list for read/write.
+
+BUG=817400
+TEST=manual
+R=tsepez@chromium.org
+
+Change-Id: I9074a8335a9c4df1487f5a288d5e284bbedf67c3
+Reviewed-on: https://chromium-review.googlesource.com/965462
+Reviewed-by: Zhenyao Mo <zmo@chromium.org>
+Reviewed-by: Tom Sepez <tsepez@chromium.org>
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Reviewed-by: Kenneth Russell <kbr@chromium.org>
+Commit-Queue: Zhenyao Mo <zmo@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#547027}
+---
+ content/gpu/gpu_sandbox_hook_linux.cc                     |  5 ++++-
+ .../service_manager/sandbox/linux/bpf_gpu_policy_linux.cc | 15 ++++++++++++++-
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/content/gpu/gpu_sandbox_hook_linux.cc b/content/gpu/gpu_sandbox_hook_linux.cc
+index ddd7b99485fe..cd914e2f9926 100644
+--- a/content/gpu/gpu_sandbox_hook_linux.cc
++++ b/content/gpu/gpu_sandbox_hook_linux.cc
+@@ -153,6 +153,7 @@ void AddStandardGpuWhiteList(std::vector<BrokerFilePermission>* permissions) {
+   static const char kDriCardBasePath[] = "/dev/dri/card";
+   static const char kNvidiaCtlPath[] = "/dev/nvidiactl";
+   static const char kNvidiaDeviceBasePath[] = "/dev/nvidia";
++  static const char kNvidiaDeviceModeSetPath[] = "/dev/nvidia-modeset";
+   static const char kNvidiaParamsPath[] = "/proc/driver/nvidia/params";
+   static const char kDevShm[] = "/dev/shm/";
+ 
+@@ -172,6 +173,8 @@ void AddStandardGpuWhiteList(std::vector<BrokerFilePermission>* permissions) {
+     permissions->push_back(BrokerFilePermission::ReadWrite(
+         base::StringPrintf("%s%d", kNvidiaDeviceBasePath, i)));
+   }
++  permissions->push_back(
++      BrokerFilePermission::ReadWrite(kNvidiaDeviceModeSetPath));
+   permissions->push_back(BrokerFilePermission::ReadOnly(kNvidiaParamsPath));
+ }
+ 
+@@ -262,9 +265,9 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU(
+   sandbox::syscall_broker::BrokerCommandSet command_set;
+   command_set.set(sandbox::syscall_broker::COMMAND_ACCESS);
+   command_set.set(sandbox::syscall_broker::COMMAND_OPEN);
++  command_set.set(sandbox::syscall_broker::COMMAND_STAT);
+   if (IsChromeOS() && options.use_amd_specific_policies) {
+     command_set.set(sandbox::syscall_broker::COMMAND_READLINK);
+-    command_set.set(sandbox::syscall_broker::COMMAND_STAT);
+   }
+   return command_set;
+ }
+diff --git a/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc b/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
+index bc16952c0898..d683aacc76f4 100644
+--- a/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
++++ b/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
+@@ -61,7 +61,20 @@ ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
+     case __NR_open:
+ #endif  // !defined(__aarch64__)
+     case __NR_faccessat:
+-    case __NR_openat: {
++    case __NR_openat:
++#if defined(__NR_stat)
++    case __NR_stat:
++#endif
++#if defined(__NR_stat64)
++    case __NR_stat64:
++#endif
++#if defined(__NR_fstatat)
++    case __NR_fstatat:
++#endif
++#if defined(__NR_newfstatat)
++    case __NR_newfstatat:
++#endif
++    {
+       auto* broker_process = SandboxLinux::GetInstance()->broker_process();
+       DCHECK(broker_process);
+       return Trap(BrokerProcess::SIGSYS_Handler, broker_process);
+-- 
+2.16.2
+