From 0332234e4d8cf7adcb301ce9c604f30080cce274 Mon Sep 17 00:00:00 2001
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com>
Date: Tue, 14 Oct 2025 22:22:42 -0400
Subject: [PATCH 01/64] feat(gpusandbox): add some basic logic to handle gpu sandbox autoconfig
---
patches/linux-gpu-sandbox.patch | 104 ++++++++++++++++++++++++++++++++
1 file changed, 104 insertions(+)
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch
index 8b3fb91f..23ffee49 100644
--- a/patches/linux-gpu-sandbox.patch
+++ b/patches/linux-gpu-sandbox.patch
@@ -156,3 +156,107 @@ index 90fdecdb76..f852c64078 100644 if (IsArchitectureArm()) { return std::make_unique( mremap_policy, base::CommandLine::ForCurrentProcess()->HasSwitch( +diff --git a/content/public/browser/gpu_utils.cc b/content/public/browser/gpu_utils.cc +index 65dea86a65..1c875d46dd 100644 +--- a/content/public/browser/gpu_utils.cc ++++ b/content/public/browser/gpu_utils.cc +@@ -82,6 +82,15 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { + gpu_preferences.gpu_sandbox_start_early = + command_line->HasSwitch(switches::kGpuSandboxStartEarly); + ++ gpu_preferences.gpu_sandbox_linux = ++#if BUILDFLAG(IS_LINUX) ++ command_line->HasSwitch("enable-gpu-sandbox-linux") && ++ command_line->HasSwitch("ozone-platform") && ++ command_line->GetSwitchValueASCII("ozone-platform") == "wayland"; ++#else ++ false; ++#endif ++ + gpu_preferences.enable_vulkan_protected_memory = + command_line->HasSwitch(switches::kEnableVulkanProtectedMemory); + gpu_preferences.disable_vulkan_fallback_to_gl_for_testing = +diff --git a/gpu/config/gpu_preferences.h b/gpu/config/gpu_preferences.h +index 7da57a4b42..02be997c1d 100644 +--- a/gpu/config/gpu_preferences.h ++++ b/gpu/config/gpu_preferences.h +@@ -134,6 +134,9 @@ struct GPU_CONFIG_EXPORT GpuPreferences { + // Starts the GPU sandbox before creating a GL context. + bool gpu_sandbox_start_early = false; + ++ // Enable the GPU sandbox on Linux, implies gpu_sandbox_start_early ++ bool gpu_sandbox_linux = false; ++ + // Enables using CODECAPI_AVLowLatencyMode. Windows only. 
+ bool enable_low_latency_dxva = true; + +diff --git a/gpu/ipc/common/gpu_preferences.mojom b/gpu/ipc/common/gpu_preferences.mojom +index 9cc16eaa45..39fc10f9f8 100644 +--- a/gpu/ipc/common/gpu_preferences.mojom ++++ b/gpu/ipc/common/gpu_preferences.mojom +@@ -59,6 +59,7 @@ struct GpuPreferences { + bool gpu_startup_dialog; + bool disable_gpu_watchdog; + bool gpu_sandbox_start_early; ++ bool gpu_sandbox_linux; + + // TODO(http://crbug.com/676224) Support preprocessing of mojoms. Following + // variables should be used on Windows only. +diff --git a/gpu/ipc/common/gpu_preferences_mojom_traits.h b/gpu/ipc/common/gpu_preferences_mojom_traits.h +index 28d9ac5174..84cf63972b 100644 +--- a/gpu/ipc/common/gpu_preferences_mojom_traits.h ++++ b/gpu/ipc/common/gpu_preferences_mojom_traits.h +@@ -221,6 +221,7 @@ struct GPU_IPC_COMMON_EXPORT StructTraitsgpu_startup_dialog = prefs.gpu_startup_dialog(); + out->disable_gpu_watchdog = prefs.disable_gpu_watchdog(); + out->gpu_sandbox_start_early = prefs.gpu_sandbox_start_early(); ++ out->gpu_sandbox_linux = prefs.gpu_sandbox_linux(); + out->enable_low_latency_dxva = prefs.enable_low_latency_dxva(); + out->enable_zero_copy_dxgi_video = prefs.enable_zero_copy_dxgi_video(); + out->enable_nv12_dxgi_video = prefs.enable_nv12_dxgi_video(); +@@ -325,6 +326,9 @@ struct GPU_IPC_COMMON_EXPORT StructTraits + #endif + ++#if BUILDFLAG(IS_LINUX) ++#include "third_party/angle/src/gpu_info_util/SystemInfo.h" ++#endif ++ + #if BUILDFLAG(IS_OZONE) + #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" + #include "ui/ozone/public/drm_modifiers_filter.h" +@@ -417,8 +421,10 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, + enable_watchdog = false; + #endif + ++ bool gpu_sandbox_linux = gpu_preferences_.gpu_sandbox_linux; + #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) +- bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; ++ bool gpu_sandbox_start_early = 
gpu_preferences_.gpu_sandbox_start_early || ++ (gpu_sandbox_linux && !features::IsUsingVulkan()); + #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) + // For some reasons MacOSX's VideoToolbox might crash when called after + // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other +@@ -459,7 +465,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, + // On Chrome OS ARM Mali, GPU driver userspace creates threads when + // initializing a GL context, so start the sandbox early. + // TODO(zmo): Need to collect OS version before this. +- if (gpu_preferences_.gpu_sandbox_start_early) { ++ if (gpu_sandbox_start_early) { + gpu_info_.sandboxed = sandbox_helper_->EnsureSandboxInitialized( + watchdog_thread_.get(), &gpu_info_, gpu_preferences_); + attempted_startsandbox = true; From 7c079ef79b17c7c3dd7264a7fa3bbf85323be332 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 15 Oct 2025 09:26:24 -0400 Subject: [PATCH 02/64] feat(gpusandbox): add basic logic for detecting system primary GPU --- patches/linux-gpu-sandbox.patch | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 23ffee49..587d7490 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -224,8 +224,8 @@ index 28d9ac5174..84cf63972b 100644 static bool enable_low_latency_dxva(const gpu::GpuPreferences& prefs) { return prefs.enable_low_latency_dxva; } -diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc -index cc568a7b4e..c850ab2058 100644 +iff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc +index cc568a7b4e..26328a9f11 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc @@ -53,6 +53,10 @@ 
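Review bot: In the gpu_utils.cc part of PATCH 01/64 (`GetGpuPreferencesFromCommandLine`), passing `enable-gpu-sandbox-linux` without an explicit `ozone-platform` value of `wayland` leaves `gpu_sandbox_linux` false with no diagnostic, so the Linux GPU sandbox this patch adds stays off while the operator believes it was requested. I would log when the switch is present but the platform test fails, e.g. `LOG(WARNING) << "enable-gpu-sandbox-linux ignored: ozone-platform is not wayland";`. The `HasSwitch("ozone-platform")` test is redundant, since `GetSwitchValueASCII` already returns an empty string for a missing switch. Both switch names are bare string literals; named constants next to the other `switches::k…` entries would keep them greppable. The function body continues outside the hunk.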
@@ -239,19 +239,27 @@ index cc568a7b4e..c850ab2058 100644 #if BUILDFLAG(IS_OZONE) #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" #include "ui/ozone/public/drm_modifiers_filter.h" -@@ -417,8 +421,10 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -417,8 +421,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif + bool gpu_sandbox_linux = gpu_preferences_.gpu_sandbox_linux; #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; ++ if (gpu_sandbox_linux) { ++ // Only enable on platforms where the sandbox works ++ gpu_sandbox_linux = (angle::IsAMD(gpu_info_.active_gpu().vendor_id) ++ //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) ++ //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) ++ || angle::IsIntel(gpu_info_.active_gpu().vendor_id)); ++ } + bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early || ++ // The sandbox does not work with Vulkan currently + (gpu_sandbox_linux && !features::IsUsingVulkan()); #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) // For some reasons MacOSX's VideoToolbox might crash when called after // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other -@@ -459,7 +465,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -459,7 +473,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, // On Chrome OS ARM Mali, GPU driver userspace creates threads when // initializing a GL context, so start the sandbox early. // TODO(zmo): Need to collect OS version before this. From 6b17230dca0688ffcfa159b5d953465a46251395 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 15 Oct 2025 09:26:46 -0400 Subject: [PATCH 03/64] fix(typo) --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
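Review bot: The vendor test that PATCH 02/64 adds to `GpuInit::InitializeAndStartSandbox` turns `gpu_sandbox_linux` off for every vendor outside the list without recording why, and it reads `gpu_info_.active_gpu().vendor_id` at a point where the hunk does not show `gpu_info_` having been collected. If the id is still unset there, the sandbox would be skipped on supported hardware too, so I would confirm the collection order and log the fallback, e.g. `LOG(WARNING) << "GPU sandbox autoconfig: unsupported GPU vendor, sandbox not started early";`. The `angle::` helpers are used under `IS_LINUX || IS_CHROMEOS`, while the `SystemInfo.h` include added earlier in this patch file is guarded by `IS_LINUX` only; the two guards should match. The function starts and ends outside the hunk.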
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 587d7490..830db4fd 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -224,7 +224,7 @@ index 28d9ac5174..84cf63972b 100644 static bool enable_low_latency_dxva(const gpu::GpuPreferences& prefs) { return prefs.enable_low_latency_dxva; } -iff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc +diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc index cc568a7b4e..26328a9f11 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc From ed1c6a80ad87f0beba089494d2b76476d2414892 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 15 Oct 2025 21:18:56 -0400 Subject: [PATCH 04/64] chore(gpusandbox): check secondary GPUs as well --- patches/linux-gpu-sandbox.patch | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 830db4fd..77282386 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -225,7 +225,7 @@ index 28d9ac5174..84cf63972b 100644 return prefs.enable_low_latency_dxva; } diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc -index cc568a7b4e..26328a9f11 100644 +index cc568a7b4e..579582d235 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc @@ -53,6 +53,10 @@ @@ -239,7 +239,7 @@ index cc568a7b4e..26328a9f11 100644 #if BUILDFLAG(IS_OZONE) #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" #include "ui/ozone/public/drm_modifiers_filter.h" -@@ -417,8 +421,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -417,8 +421,27 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif 
@@ -248,10 +248,19 @@ index cc568a7b4e..26328a9f11 100644 - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; + if (gpu_sandbox_linux) { + // Only enable on platforms where the sandbox works -+ gpu_sandbox_linux = (angle::IsAMD(gpu_info_.active_gpu().vendor_id) ++ gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id) ++ //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) + //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) + //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) -+ || angle::IsIntel(gpu_info_.active_gpu().vendor_id)); ++ || angle::IsIntel(gpu_info_.active_gpu().vendor_id); ++ if (gpu_sandbox_linux) { ++ for (const auto& gpu : gpu_info_.secondary_gpus) { ++ if (!angle::IsAMD(gpu.vendor_id) && !angle::IsIntel(gpu.vendor_id)) { ++ sandbox_supports_gpu = false; ++ break; ++ } ++ } ++ } + } + bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early || + // The sandbox does not work with Vulkan currently @@ -259,7 +268,7 @@ index cc568a7b4e..26328a9f11 100644 #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) // For some reasons MacOSX's VideoToolbox might crash when called after // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other -@@ -459,7 +473,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -459,7 +482,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, // On Chrome OS ARM Mali, GPU driver userspace creates threads when // initializing a GL context, so start the sandbox early. // TODO(zmo): Need to collect OS version before this. From b968f77dda461d9a4ebcb46e69431501b171d815 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 15 Oct 2025 21:46:18 -0400 Subject: [PATCH 05/64] chore(gpusandbox): disable Intel --- patches/linux-gpu-sandbox.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
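Review bot: The secondary-GPU loop added in PATCH 04/64 assigns `sandbox_supports_gpu = false;`, a name that is not declared anywhere in the visible hunk. The loop therefore either fails to compile or, if such a variable exists elsewhere, never changes the value that `gpu_sandbox_start_early` is built from. The assignment should be `gpu_sandbox_linux = false;` so that an unsupported secondary GPU actually vetoes the sandbox autoconfig. PATCH 05/64 narrows the vendor test but keeps the same line. The commented-out alternative `andle::IsARM` is also misspelled (`angle::`), which will bite whoever re-enables it.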
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 77282386..c3e246ac 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -248,14 +248,14 @@ index cc568a7b4e..579582d235 100644 - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; + if (gpu_sandbox_linux) { + // Only enable on platforms where the sandbox works -+ gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id) -+ //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) -+ //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) ++ gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id); ++ //|| angle::IsIntel(gpu_info_.active_gpu().vendor_id) + //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) -+ || angle::IsIntel(gpu_info_.active_gpu().vendor_id); ++ //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) ++ //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) + if (gpu_sandbox_linux) { + for (const auto& gpu : gpu_info_.secondary_gpus) { -+ if (!angle::IsAMD(gpu.vendor_id) && !angle::IsIntel(gpu.vendor_id)) { ++ if (!angle::IsAMD(gpu.vendor_id)) { + sandbox_supports_gpu = false; + break; + } From f97ff7352d01ac0a267b81660e979451f7141419 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 16 Oct 2025 01:23:32 -0400 Subject: [PATCH 06/64] Revert checking secondary GPUs --- patches/linux-gpu-sandbox.patch | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index c3e246ac..edf723d8 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -239,7 +239,7 @@ index cc568a7b4e..579582d235 100644 #if BUILDFLAG(IS_OZONE) #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" #include "ui/ozone/public/drm_modifiers_filter.h" -@@ -417,8 +421,27 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -417,8 +421,19 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif @@ -253,22 +253,13 @@ index cc568a7b4e..579582d235 100644 + //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) + //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) + //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) -+ if (gpu_sandbox_linux) { -+ for (const auto& gpu : gpu_info_.secondary_gpus) { -+ if (!angle::IsAMD(gpu.vendor_id)) { -+ sandbox_supports_gpu = false; -+ break; -+ } -+ } -+ } -+ } + bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early || + // The sandbox does not work with Vulkan currently + (gpu_sandbox_linux && !features::IsUsingVulkan()); #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) // For some reasons MacOSX's VideoToolbox might crash when called after // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other -@@ -459,7 +482,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -459,7 +474,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, // On Chrome OS ARM Mali, GPU driver userspace creates threads when // initializing a GL context, so start the sandbox early. // TODO(zmo): Need to collect OS version before this. From 27f2b5984b3f338b2ae42ed73f54a0dd0aba64e3 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 16 Oct 2025 01:36:58 -0400 Subject: [PATCH 07/64] fix --- patches/linux-gpu-sandbox.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index edf723d8..71c20405 100644 
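Review bot: The revert in PATCH 06/64 removes four closing-brace lines but only three openers (the inner `if (gpu_sandbox_linux) {`, the `for`, and the nested `if`), so the outer `if (gpu_sandbox_linux) {` opened above the hunk is left unclosed and `bool gpu_sandbox_start_early` ends up inside it. One of the removed `}` lines should stay, directly before the `bool gpu_sandbox_start_early = …` line. Separately, with the loop gone the decision rests on `active_gpu()` alone. A short comment saying why secondary GPUs are ignored would help, since the broker permission list elsewhere in this patch file is described as additive across multiple GPUs.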
--- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -239,7 +239,7 @@ index cc568a7b4e..579582d235 100644 #if BUILDFLAG(IS_OZONE) #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" #include "ui/ozone/public/drm_modifiers_filter.h" -@@ -417,8 +421,19 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -417,8 +421,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif @@ -259,7 +259,7 @@ index cc568a7b4e..579582d235 100644 #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) // For some reasons MacOSX's VideoToolbox might crash when called after // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other -@@ -459,7 +474,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -459,7 +473,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, // On Chrome OS ARM Mali, GPU driver userspace creates threads when // initializing a GL context, so start the sandbox early. // TODO(zmo): Need to collect OS version before this. From 6854d07e034adfc2ecdc3e0ed5020b539136e59f Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 19 Oct 2025 23:06:19 -0400 Subject: [PATCH 08/64] fix --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 71c20405..3d8eb296 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -246,7 +246,7 @@ index cc568a7b4e..579582d235 100644 + bool gpu_sandbox_linux = gpu_preferences_.gpu_sandbox_linux; #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; -+ if (gpu_sandbox_linux) { ++ if (gpu_sandbox_linux) + // Only enable on platforms where the sandbox works + gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id); + //|| angle::IsIntel(gpu_info_.active_gpu().vendor_id) From 125f40e0546ba136bcfc1107362ad38d0191a532 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 26 Nov 2025 23:25:21 -0500 Subject: [PATCH 09/64] feat(gpusandbox): automatically detect gallium version --- patches/linux-gpu-sandbox.patch | 125 ++++++++++++++++++++++---------- 1 file changed, 88 insertions(+), 37 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 3d8eb296..65bc8de0 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -11,7 +11,7 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..0ae94f67a4 100644 +index 2e53794fa3..a09d370872 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc @@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; 
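Review bot: Dropping the brace in PATCH 08/64 leaves `if (gpu_sandbox_linux)` guarding a single assignment that sits below a comment line and is followed, after its `;`, by commented-out `||` continuations. That is easy to misread and easy to break when a vendor is re-enabled; PATCH 10/64 edits exactly these lines. I would keep `if (gpu_sandbox_linux) {` and restore the matching `}` after the commented-out vendors, so the sandbox decision stays visibly scoped. The enclosing function starts and ends outside the hunk.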
@@ -43,7 +43,21 @@ index 2e53794fa3..0ae94f67a4 100644 std::vector* permissions) { // For the ANGLE passthrough command decoder. static const char* const kReadOnlyList[] = {"libEGL.so", "libGLESv2.so"}; -@@ -257,6 +257,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { +@@ -115,6 +115,13 @@ void AddStandardChromeOsPermissions( + } + } + ++void AddLibGalliumLinuxPermisions( ++ std::vector* permissions, ++ const std::string driver_version) { ++ const std::string libgallium_path = ++ "/usr/lib64/libgallium-" + driver_version + ".so"; ++ permissions->push_back(BrokerFilePermission::ReadOnly(libgallium_path)); ++} + void AddV4L2GpuPermissions( + std::vector* permissions, + const sandbox::policy::SandboxSeccompBPF::Options& options) { +@@ -257,6 +264,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { // that requires the following libs and files to be accessible. "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", @@ -55,7 +69,7 @@ index 2e53794fa3..0ae94f67a4 100644 "/usr/lib64/libglapi.so.0", "/usr/lib64/libgallium_dri.so", "/usr/lib64/dri/r300_dri.so", -@@ -298,6 +303,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { +@@ -298,6 +310,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { // that requires the following libs and files to be accessible. "/etc/ld.so.cache", "/usr/lib64/libgallium_dri.so", @@ -65,7 +79,7 @@ index 2e53794fa3..0ae94f67a4 100644 "/usr/lib64/dri/nouveau_dri.so", "/usr/lib64/dri/radeonsi_dri.so", "/usr/lib64/dri/swrast_dri.so", -@@ -324,6 +332,10 @@ void AddIntelGpuPermissions(std::vector* permissions) { +@@ -324,6 +339,10 @@ void AddIntelGpuPermissions(std::vector* permissions) { // To support threads in mesa we use --gpu-sandbox-start-early and // that requires the following libs and files to be accessible. "/usr/lib64/libgallium_dri.so", 
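Review bot: The new `AddLibGalliumLinuxPermisions` in PATCH 09/64 splices `driver_version` straight into a path that is added to the broker's read-only allowlist, so the file the sandboxed GPU process may open is decided by a string that appears to come from `gpu_info->gpu.driver_version`, and nothing rejects an empty value or one containing a path separator. I would guard it before the `push_back`, e.g. `if (driver_version.empty() || driver_version.find('/') != std::string::npos) return;`, and take the parameter as `const std::string&` rather than by value. The `/usr/lib64/` prefix is hard-coded, which presumably misses distributions that install Mesa under a different library directory. A comment naming the expected file-name pattern would make the allowlist entry auditable.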
@@ -76,7 +90,7 @@ index 2e53794fa3..0ae94f67a4 100644 "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", "/usr/lib64/libelf.so.1", "/usr/lib64/libglapi.so.0", "/usr/lib64/libdrm_amdgpu.so.1", "/usr/lib64/libdrm_radeon.so.1", -@@ -363,6 +375,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { +@@ -363,6 +382,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { "/usr/lib64/libglapi.so.0", "/usr/lib64/libc++.so.1", "/usr/lib64/libgallium_dri.so", @@ -88,7 +102,7 @@ index 2e53794fa3..0ae94f67a4 100644 // If kms_swrast_dri is not usable, swrast_dri is used instead. "/usr/lib64/dri/swrast_dri.so", "/usr/lib64/dri/kms_swrast_dri.so", -@@ -548,11 +565,13 @@ void LoadArmGpuLibraries() { +@@ -548,11 +572,13 @@ void LoadArmGpuLibraries() { } bool LoadAmdGpuLibraries() { @@ -102,7 +116,7 @@ index 2e53794fa3..0ae94f67a4 100644 const char* radeonsi_lib = "/usr/lib64/dri/radeonsi_dri.so"; #if defined(DRI_DRIVER_DIR) -@@ -609,7 +628,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( +@@ -609,7 +635,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( command_set.set(sandbox::syscall_broker::COMMAND_ACCESS); command_set.set(sandbox::syscall_broker::COMMAND_OPEN); command_set.set(sandbox::syscall_broker::COMMAND_STAT); 
@@ -111,7 +125,17 @@ index 2e53794fa3..0ae94f67a4 100644 (options.use_amd_specific_policies || options.use_intel_specific_policies || options.use_nvidia_specific_policies || -@@ -628,9 +647,9 @@ std::vector FilePermissionsForGpu( +@@ -620,7 +646,8 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( + } + + std::vector FilePermissionsForGpu( +- const sandbox::policy::SandboxSeccompBPF::Options& options) { ++ const sandbox::policy::SandboxSeccompBPF::Options& options, ++ const std:string& driver_version) { + // All GPU process policies need this file brokered out. + static const char kDriRcPath[] = "/etc/drirc"; + std::vector permissions = { +@@ -628,9 +655,10 @@ std::vector FilePermissionsForGpu( AddVulkanICDPermissions(&permissions); @@ -120,10 +144,11 @@ index 2e53794fa3..0ae94f67a4 100644 // Permissions are additive, there can be multiple GPUs in the system. - AddStandardChromeOsPermissions(&permissions); + AddStandardLinuxPermissions(&permissions); ++ AddLibGalliumLinuxPermissions(&permissions, driver_version); if (UseV4L2Codec(options)) { AddV4L2GpuPermissions(&permissions, options); } -@@ -678,7 +697,7 @@ bool LoadLibrariesForGpu( +@@ -678,7 +706,7 @@ bool LoadLibrariesForGpu( if (IsArchitectureArm()) { LoadArmGpuLibraries(); } 
@@ -132,32 +157,34 @@ index 2e53794fa3..0ae94f67a4 100644 if (options.use_amd_specific_policies) { if (!LoadAmdGpuLibraries()) return false; -diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc -index 90fdecdb76..f852c64078 100644 ---- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc -+++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc -@@ -98,8 +98,8 @@ namespace { - // nacl_helper needs to be tiny and includes only part of content/ - // in its dependencies. Make sure to not link things that are not needed. - #if !defined(IN_NACL_HELPER) --inline bool IsChromeOS() { --#if BUILDFLAG(IS_CHROMEOS) -+inline bool IsLinux() { -+#if BUILDFLAG(IS_LINUX) +@@ -695,9 +723,10 @@ bool LoadLibrariesForGpu( return true; - #else - return false; -@@ -125,7 +125,7 @@ inline bool IsArchitectureArm() { - std::unique_ptr GetGpuProcessSandbox( - const SandboxSeccompBPF::Options& options, - MremapPolicy mremap_policy) { -- if (IsChromeOS() || UseChromecastSandboxAllowlist()) { -+ if (IsLinux() || UseChromecastSandboxAllowlist()) { - if (IsArchitectureArm()) { - return std::make_unique( - mremap_policy, base::CommandLine::ForCurrentProcess()->HasSwitch( + } + +-bool GpuPreSandboxHook(sandbox::policy::SandboxLinux::Options options) { ++bool GpuPreSandboxHook(sandbox::policy::SandboxLinux::Options options, ++ const std::string driver_version) { + sandbox::policy::SandboxLinux::GetInstance()->StartBrokerProcess( +- CommandSetForGPU(options), FilePermissionsForGpu(options), options); ++ CommandSetForGPU(options), FilePermissionsForGpu(options, driver_version), options); + + if (!LoadLibrariesForGpu(options)) + return false; +diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc +index 30cc1d4a17..d441fb0704 100644 +--- a/content/gpu/gpu_main.cc ++++ b/content/gpu/gpu_main.cc +@@ -550,7 +550,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, + bool res = 
sandbox::policy::SandboxLinux::GetInstance()->InitializeSandbox( + sandbox::policy::SandboxTypeFromCommandLine( + *base::CommandLine::ForCurrentProcess()), +- base::BindOnce(GpuPreSandboxHook), sandbox_options); ++ base::BindOnce(GpuPreSandboxHook), sandbox_options, gpu_info->gpu.driver_versio); + + if (watchdog_thread) { + watchdog_thread->Start(); diff --git a/content/public/browser/gpu_utils.cc b/content/public/browser/gpu_utils.cc -index 65dea86a65..1c875d46dd 100644 +index 65dea86a65..3222da15ed 100644 --- a/content/public/browser/gpu_utils.cc +++ b/content/public/browser/gpu_utils.cc @@ -82,6 +82,15 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { @@ -225,10 +252,10 @@ index 28d9ac5174..84cf63972b 100644 return prefs.enable_low_latency_dxva; } diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc -index cc568a7b4e..579582d235 100644 +index 6ea960c6f8..1f83c81812 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc -@@ -53,6 +53,10 @@ +@@ -54,6 +54,10 @@ #include #endif @@ -239,7 +266,7 @@ index cc568a7b4e..579582d235 100644 #if BUILDFLAG(IS_OZONE) #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" #include "ui/ozone/public/drm_modifiers_filter.h" -@@ -417,8 +421,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -418,8 +422,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif 
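Review bot: In `StartSandboxLinux` (PATCH 09/64) the driver version is appended as an extra argument to `InitializeSandbox(...)` instead of being bound into the hook, while `GpuPreSandboxHook` now takes two parameters. `base::BindOnce(GpuPreSandboxHook)` therefore no longer yields a one-argument pre-sandbox hook unless `InitializeSandbox` and the hook's declaration were changed outside the visible hunks. Making the version the leading parameter and binding it, `base::BindOnce(GpuPreSandboxHook, gpu_info->gpu.driver_version)`, keeps the existing call shape. Because this path is meant to run when the sandbox starts early, `driver_version` may still be empty when the hook runs, and the broker would then allowlist `/usr/lib64/libgallium-.so`; it is worth confirming the collection order. `StartSandboxLinux` starts and ends outside the hunk.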
@@ -259,7 +286,7 @@ index cc568a7b4e..579582d235 100644 #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) // For some reasons MacOSX's VideoToolbox might crash when called after // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other -@@ -459,7 +473,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -460,7 +474,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, // On Chrome OS ARM Mali, GPU driver userspace creates threads when // initializing a GL context, so start the sandbox early. // TODO(zmo): Need to collect OS version before this. @@ -268,3 +295,27 @@ index cc568a7b4e..579582d235 100644 gpu_info_.sandboxed = sandbox_helper_->EnsureSandboxInitialized( watchdog_thread_.get(), &gpu_info_, gpu_preferences_); attempted_startsandbox = true; +diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc +index 4de13fe88b..aaebda0773 100644 +--- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc ++++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc +@@ -94,8 +94,8 @@ namespace { + // nacl_helper needs to be tiny and includes only part of content/ + // in its dependencies. Make sure to not link things that are not needed. + #if !defined(IN_NACL_HELPER) +-inline bool IsChromeOS() { +-#if BUILDFLAG(IS_CHROMEOS) ++inline bool IsLinux() { ++#if BUILDFLAG(IS_LINUX) + return true; + #else + return false; +@@ -121,7 +121,7 @@ inline bool IsArchitectureArm() { + std::unique_ptr GetGpuProcessSandbox( + const SandboxSeccompBPF::Options& options, + MremapPolicy mremap_policy) { +- if (IsChromeOS() || UseChromecastSandboxAllowlist()) { ++ if (IsLinux() || UseChromecastSandboxAllowlist()) { + if (IsArchitectureArm()) { + return std::make_unique( + mremap_policy, base::CommandLine::ForCurrentProcess()->HasSwitch( From 3f44201dd0fa55b3c8108d48a95fd59a43257218 Mon Sep 17 00:00:00 2001 
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 26 Nov 2025 23:52:27 -0500 Subject: [PATCH 10/64] feat(gpusandbox): enable intel in autoconfig --- patches/linux-gpu-sandbox.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 65bc8de0..da0e7a4f 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -275,11 +275,11 @@ index 6ea960c6f8..1f83c81812 100644 - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; + if (gpu_sandbox_linux) + // Only enable on platforms where the sandbox works -+ gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id); -+ //|| angle::IsIntel(gpu_info_.active_gpu().vendor_id) -+ //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) -+ //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) -+ //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) ++ gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id) ++ || angle::IsIntel(gpu_info_.active_gpu().vendor_id); ++ //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) ++ //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) ++ //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) + bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early || + // The sandbox does not work with Vulkan currently + (gpu_sandbox_linux && !features::IsUsingVulkan()); From db9d9de1999668fa087187d20fb35b967297e7a2 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 27 Nov 2025 01:06:18 -0500 Subject: [PATCH 11/64] fix(typo) --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index da0e7a4f..3e4980a5 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -179,7 +179,7 @@ index 30cc1d4a17..d441fb0704 100644 sandbox::policy::SandboxTypeFromCommandLine( *base::CommandLine::ForCurrentProcess()), - base::BindOnce(GpuPreSandboxHook), sandbox_options); -+ base::BindOnce(GpuPreSandboxHook), sandbox_options, gpu_info->gpu.driver_versio); ++ base::BindOnce(GpuPreSandboxHook), sandbox_options, gpu_info->gpu.driver_version); if (watchdog_thread) { watchdog_thread->Start(); From 5db5114df17633c6ac66397d59a9570fdf58a263 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 27 Nov 2025 08:39:36 -0500 Subject: [PATCH 12/64] fix --- patches/linux-gpu-sandbox.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 3e4980a5..f367dac1 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -47,7 +47,7 @@ index 2e53794fa3..a09d370872 100644 } } -+void AddLibGalliumLinuxPermisions( ++void AddLibGalliumLinuxPermissions( + std::vector* permissions, + const std::string driver_version) { + const std::string libgallium_path = @@ -131,7 +131,7 @@ index 2e53794fa3..a09d370872 100644 std::vector FilePermissionsForGpu( - const sandbox::policy::SandboxSeccompBPF::Options& options) { + const sandbox::policy::SandboxSeccompBPF::Options& options, -+ const std:string& driver_version) { ++ const std::string& driver_version) { // All GPU process policies need this file brokered out. static const char kDriRcPath[] = "/etc/drirc"; std::vector permissions = { From b00767cc5092889b9879ab1338568c4ba55981d0 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 27 Nov 2025 21:45:36 -0500 Subject: [PATCH 13/64] fix(gpusandbox): various definitions and function calls --- patches/linux-gpu-sandbox.patch | 132 ++++++++++++++++++++++++-------- 1 file changed, 98 insertions(+), 34 deletions(-) 
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index f367dac1..f0f12c0f 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -11,13 +11,13 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..a09d370872 100644 +index 2e53794fa3..0afc17a200 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc @@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; namespace content { namespace { - + -inline bool IsChromeOS() { -#if BUILDFLAG(IS_CHROMEOS) +inline bool IsLinux() { @@ -28,28 +28,30 @@ index 2e53794fa3..a09d370872 100644 @@ -86,7 +86,7 @@ inline bool UseV4L2Codec( static const char kMaliConfPath[] = "/etc/mali_platform.conf"; #endif - + -#if BUILDFLAG(IS_CHROMEOS) && defined(__aarch64__) +#if defined(__aarch64__) static const char kLibGlesPath[] = "/usr/lib64/libGLESv2.so.2"; static const char kLibEglPath[] = "/usr/lib64/libEGL.so.1"; static const char kLibMaliPath[] = "/usr/lib64/libmali.so"; 
@@ -100,7 +100,7 @@ static const char kLibTegraPath[] = "/usr/lib/libtegrav4l2.so"; - + constexpr int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; - + -void AddStandardChromeOsPermissions( +void AddStandardLinuxPermissions( std::vector* permissions) { // For the ANGLE passthrough command decoder. static const char* const kReadOnlyList[] = {"libEGL.so", "libGLESv2.so"}; -@@ -115,6 +115,13 @@ void AddStandardChromeOsPermissions( +@@ -115,6 +115,15 @@ void AddStandardChromeOsPermissions( } } - + +void AddLibGalliumLinuxPermissions( + std::vector* permissions, -+ const std::string driver_version) { ++ const std::string& driver_version) { ++ if (driver_version.empty()) ++ return; + const std::string libgallium_path = + "/usr/lib64/libgallium-" + driver_version + ".so"; + permissions->push_back(BrokerFilePermission::ReadOnly(libgallium_path)); @@ -57,7 +59,7 @@ index 2e53794fa3..a09d370872 100644 void AddV4L2GpuPermissions( std::vector* permissions, const sandbox::policy::SandboxSeccompBPF::Options& options) { -@@ -257,6 +264,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { +@@ -257,6 +266,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { // that requires the following libs and files to be accessible. "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", @@ -69,7 +71,7 @@ index 2e53794fa3..a09d370872 100644 "/usr/lib64/libglapi.so.0", "/usr/lib64/libgallium_dri.so", "/usr/lib64/dri/r300_dri.so", -@@ -298,6 +310,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { +@@ -298,6 +312,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { // that requires the following libs and files to be accessible. "/etc/ld.so.cache", "/usr/lib64/libgallium_dri.so", 
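Review bot: `AddLibGalliumLinuxPermissions` splices `driver_version` straight into `"/usr/lib64/libgallium-" + driver_version + ".so"`, and the new guard rejects only an empty string, so a version string containing `/` would put a path outside `/usr/lib64` on the broker's read-only allowlist. The value comes from GPU driver information rather than a constant, so I would constrain it before building the path: `if (driver_version.empty() || driver_version.find('/') != std::string::npos) return;`. A one-line comment noting that the string is driver-supplied and ends up in a sandbox allowlist would help the next reader. The hard-coded `/usr/lib64` prefix also assumes a lib64 library layout.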
@@ -79,7 +81,7 @@ index 2e53794fa3..a09d370872 100644 "/usr/lib64/dri/nouveau_dri.so", "/usr/lib64/dri/radeonsi_dri.so", "/usr/lib64/dri/swrast_dri.so", -@@ -324,6 +339,10 @@ void AddIntelGpuPermissions(std::vector* permissions) { +@@ -324,6 +341,10 @@ void AddIntelGpuPermissions(std::vector* permissions) { // To support threads in mesa we use --gpu-sandbox-start-early and // that requires the following libs and files to be accessible. "/usr/lib64/libgallium_dri.so", @@ -90,7 +92,7 @@ index 2e53794fa3..a09d370872 100644 "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", "/usr/lib64/libelf.so.1", "/usr/lib64/libglapi.so.0", "/usr/lib64/libdrm_amdgpu.so.1", "/usr/lib64/libdrm_radeon.so.1", -@@ -363,6 +382,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { +@@ -363,6 +384,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { "/usr/lib64/libglapi.so.0", "/usr/lib64/libc++.so.1", "/usr/lib64/libgallium_dri.so", @@ -102,9 +104,9 @@ index 2e53794fa3..a09d370872 100644 // If kms_swrast_dri is not usable, swrast_dri is used instead. "/usr/lib64/dri/swrast_dri.so", "/usr/lib64/dri/kms_swrast_dri.so", -@@ -548,11 +572,13 @@ void LoadArmGpuLibraries() { +@@ -548,11 +574,13 @@ void LoadArmGpuLibraries() { } - + bool LoadAmdGpuLibraries() { +#if BUILDFLAG(IS_CHROMEOS) // Preload the amdgpu-dependent libraries. @@ -113,10 +115,10 @@ index 2e53794fa3..a09d370872 100644 return false; } +#endif // IS_CHROMEOS - + const char* radeonsi_lib = "/usr/lib64/dri/radeonsi_dri.so"; #if defined(DRI_DRIVER_DIR) -@@ -609,7 +635,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( +@@ -609,7 +637,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( command_set.set(sandbox::syscall_broker::COMMAND_ACCESS); command_set.set(sandbox::syscall_broker::COMMAND_OPEN); command_set.set(sandbox::syscall_broker::COMMAND_STAT); 
@@ -125,9 +127,9 @@ index 2e53794fa3..a09d370872 100644 (options.use_amd_specific_policies || options.use_intel_specific_policies || options.use_nvidia_specific_policies || -@@ -620,7 +646,8 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( +@@ -620,7 +648,8 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( } - + std::vector FilePermissionsForGpu( - const sandbox::policy::SandboxSeccompBPF::Options& options) { + const sandbox::policy::SandboxSeccompBPF::Options& options, @@ -135,10 +137,10 @@ index 2e53794fa3..a09d370872 100644 // All GPU process policies need this file brokered out. static const char kDriRcPath[] = "/etc/drirc"; std::vector permissions = { -@@ -628,9 +655,10 @@ std::vector FilePermissionsForGpu( - +@@ -628,9 +657,10 @@ std::vector FilePermissionsForGpu( + AddVulkanICDPermissions(&permissions); - + - if (IsChromeOS()) { + if (IsLinux()) { // Permissions are additive, there can be multiple GPUs in the system. @@ -148,7 +150,7 @@ index 2e53794fa3..a09d370872 100644 if (UseV4L2Codec(options)) { AddV4L2GpuPermissions(&permissions, options); } -@@ -678,7 +706,7 @@ bool LoadLibrariesForGpu( +@@ -678,7 +708,7 @@ bool LoadLibrariesForGpu( if (IsArchitectureArm()) { LoadArmGpuLibraries(); } @@ -157,21 +159,21 @@ index 2e53794fa3..a09d370872 100644 if (options.use_amd_specific_policies) { if (!LoadAmdGpuLibraries()) return false; -@@ -695,9 +723,10 @@ bool LoadLibrariesForGpu( +@@ -695,9 +725,10 @@ bool LoadLibrariesForGpu( return true; } - + -bool GpuPreSandboxHook(sandbox::policy::SandboxLinux::Options options) { +bool GpuPreSandboxHook(sandbox::policy::SandboxLinux::Options options, + const std::string driver_version) { sandbox::policy::SandboxLinux::GetInstance()->StartBrokerProcess( - CommandSetForGPU(options), FilePermissionsForGpu(options), options); + CommandSetForGPU(options), FilePermissionsForGpu(options, driver_version), options); - + if (!LoadLibrariesForGpu(options)) return false; 
diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc -index 30cc1d4a17..d441fb0704 100644 +index 30cc1d4a17..6bb3cdbb89 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc @@ -550,7 +550,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, @@ -180,7 +182,7 @@ index 30cc1d4a17..d441fb0704 100644 *base::CommandLine::ForCurrentProcess()), - base::BindOnce(GpuPreSandboxHook), sandbox_options); + base::BindOnce(GpuPreSandboxHook), sandbox_options, gpu_info->gpu.driver_version); - + if (watchdog_thread) { watchdog_thread->Start(); diff --git a/content/public/browser/gpu_utils.cc b/content/public/browser/gpu_utils.cc @@ -190,7 +192,7 @@ index 65dea86a65..3222da15ed 100644 @@ -82,6 +82,15 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { gpu_preferences.gpu_sandbox_start_early = command_line->HasSwitch(switches::kGpuSandboxStartEarly); - + + gpu_preferences.gpu_sandbox_linux = +#if BUILDFLAG(IS_LINUX) + command_line->HasSwitch("enable-gpu-sandbox-linux") && @@ -210,13 +212,13 @@ index 7da57a4b42..02be997c1d 100644 @@ -134,6 +134,9 @@ struct GPU_CONFIG_EXPORT GpuPreferences { // Starts the GPU sandbox before creating a GL context. bool gpu_sandbox_start_early = false; - + + // Enable the GPU sandbox on Linux, implies gpu_sandbox_start_early + bool gpu_sandbox_linux = false; + // Enables using CODECAPI_AVLowLatencyMode. Windows only. bool enable_low_latency_dxva = true; - + diff --git a/gpu/ipc/common/gpu_preferences.mojom b/gpu/ipc/common/gpu_preferences.mojom index 9cc16eaa45..39fc10f9f8 100644 --- a/gpu/ipc/common/gpu_preferences.mojom @@ -226,7 +228,7 @@ index 9cc16eaa45..39fc10f9f8 100644 bool disable_gpu_watchdog; bool gpu_sandbox_start_early; + bool gpu_sandbox_linux; - + // TODO(http://crbug.com/676224) Support preprocessing of mojoms. Following // variables should be used on Windows only. diff --git a/gpu/ipc/common/gpu_preferences_mojom_traits.h b/gpu/ipc/common/gpu_preferences_mojom_traits.h 
@@ -252,13 +254,13 @@ index 28d9ac5174..84cf63972b 100644 return prefs.enable_low_latency_dxva; } diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc -index 6ea960c6f8..1f83c81812 100644 +index 6ea960c6f8..a55023a3c6 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc @@ -54,6 +54,10 @@ #include #endif - + +#if BUILDFLAG(IS_LINUX) +#include "third_party/angle/src/gpu_info_util/SystemInfo.h" +#endif @@ -269,7 +271,7 @@ index 6ea960c6f8..1f83c81812 100644 @@ -418,8 +422,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif - + + bool gpu_sandbox_linux = gpu_preferences_.gpu_sandbox_linux; #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; 
@@ -295,6 +297,68 @@ index 6ea960c6f8..1f83c81812 100644 gpu_info_.sandboxed = sandbox_helper_->EnsureSandboxInitialized( watchdog_thread_.get(), &gpu_info_, gpu_preferences_); attempted_startsandbox = true; +diff --git a/sandbox/policy/linux/sandbox_linux.cc b/sandbox/policy/linux/sandbox_linux.cc +index 714cb2e115..ec235757fa 100644 +--- a/sandbox/policy/linux/sandbox_linux.cc ++++ b/sandbox/policy/linux/sandbox_linux.cc +@@ -304,7 +304,8 @@ SetuidSandboxClient* SandboxLinux::setuid_sandbox_client() const { + // For seccomp-bpf, we use the SandboxSeccompBPF class. + bool SandboxLinux::StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, + PreSandboxHook hook, +- const Options& options) { ++ const Options& options, ++ const std::string& gpu_driver_version) { + CHECK(!seccomp_bpf_started_); + CHECK(pre_initialized_); + #if BUILDFLAG(USE_SECCOMP_BPF) +@@ -318,7 +319,7 @@ bool SandboxLinux::StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, + } + + if (hook) +- CHECK(std::move(hook).Run(options)); ++ CHECK(std::move(hook).Run(options, gpu_driver_version)); + + // If we allow threads *and* have multiple threads, try to use TSYNC. 
+ SandboxBPF::SeccompLevel seccomp_level = +@@ -344,6 +345,13 @@ bool SandboxLinux::StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, + bool SandboxLinux::InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, + SandboxLinux::PreSandboxHook hook, + const Options& options) { ++ return InitializeSandbox(sandbox_type, std::move(hook), options, ""); ++} ++ ++bool SandboxLinux::InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, ++ SandboxLinux::PreSandboxHook hook, ++ const Options& options, ++ const std::string& gpu_driver_version) { + DCHECK(!initialize_sandbox_ran_); + initialize_sandbox_ran_ = true; + +@@ -454,7 +462,7 @@ bool SandboxLinux::InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, + PCHECK(limited_as); + } + +- return StartSeccompBPF(sandbox_type, std::move(hook), options); ++ return StartSeccompBPF(sandbox_type, std::move(hook), options, gpu_driver_version); + } + + void SandboxLinux::StopThread(base::Thread* thread) { +diff --git a/sandbox/policy/linux/sandbox_linux.h b/sandbox/policy/linux/sandbox_linux.h +index 76e20d21b7..ef899efe9e 100644 +--- a/sandbox/policy/linux/sandbox_linux.h ++++ b/sandbox/policy/linux/sandbox_linux.h +@@ -168,6 +168,11 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { + PreSandboxHook hook, + const Options& options); + ++ bool InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, ++ PreSandboxHook hook, ++ const Options& options, ++ const std::string& gpu_driver_version); ++ + // Stop |thread| in a way that can be trusted by the sandbox. + void StopThread(base::Thread* thread); + diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc index 4de13fe88b..aaebda0773 100644 --- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc From ffab97b08ea61c459f6d8fcc4805a8ec2ba54014 Mon Sep 17 00:00:00 2001 
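Review bot: `std::move(hook).Run(options, gpu_driver_version)` changes the arity of the shared pre-sandbox hook, but nothing in this hunk updates the `PreSandboxHook` callback type or the `StartSeccompBPF` declaration in sandbox_linux.h, so hooks for other process types that take only `Options` would no longer match. A GPU-specific string is also being threaded through the generic `SandboxLinux` entry points. Carrying it as a field of the options struct the GPU hook already receives would leave `InitializeSandbox` and `StartSeccompBPF` unchanged. Both functions continue outside the hunk.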
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Fri, 28 Nov 2025 09:12:55 -0500 Subject: [PATCH 14/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index f0f12c0f..6f40768d 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -344,13 +344,13 @@ index 714cb2e115..ec235757fa 100644 void SandboxLinux::StopThread(base::Thread* thread) { diff --git a/sandbox/policy/linux/sandbox_linux.h b/sandbox/policy/linux/sandbox_linux.h -index 76e20d21b7..ef899efe9e 100644 +index 76e20d21b7..beba850dcc 100644 --- a/sandbox/policy/linux/sandbox_linux.h +++ b/sandbox/policy/linux/sandbox_linux.h @@ -168,6 +168,11 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { PreSandboxHook hook, const Options& options); - + + bool InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, + PreSandboxHook hook, + const Options& options, @@ -358,7 +358,17 @@ index 76e20d21b7..ef899efe9e 100644 + // Stop |thread| in a way that can be trusted by the sandbox. void StopThread(base::Thread* thread); - + +@@ -199,7 +204,8 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { + // multiple threads as a fatal error. + bool StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, + PreSandboxHook hook, +- const Options& options); ++ const Options& options, ++ const std::string gpu_driver_version); + + // Limit the address space of the current process (and its children) to make + // some vulnerabilities harder to exploit. Writes the errno due to setrlimit diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc index 4de13fe88b..aaebda0773 100644 --- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc From aab2cda3d33accf81cdd463081ad72c3f172a299 Mon Sep 17 00:00:00 2001 
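Review bot: The new `StartSeccompBPF` declaration takes `const std::string gpu_driver_version` by value, while the definition added to sandbox_linux.cc in the previous patch of this series takes `const std::string& gpu_driver_version`, so the out-of-line definition would not match this declaration. Declare it as `const std::string& gpu_driver_version);` to agree with the definition and with the `InitializeSandbox` overload a few lines above it in the same header.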
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Fri, 28 Nov 2025 20:35:53 -0500 Subject: [PATCH 15/64] chore(gpusandbox): rework --- patches/linux-gpu-sandbox.patch | 138 ++++++++------------------------ 1 file changed, 34 insertions(+), 104 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 6f40768d..35f5e97a 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -11,7 +11,7 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..0afc17a200 100644 +index 2e53794fa3..e38a8a24b3 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc @@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; @@ -49,7 +49,7 @@ index 2e53794fa3..0afc17a200 100644 +void AddLibGalliumLinuxPermissions( + std::vector* permissions, -+ const std::string& driver_version) { ++ const std::string driver_version) { + if (driver_version.empty()) + return; + const std::string libgallium_path = 
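Review bot: This hunk turns `driver_version` in `AddLibGalliumLinuxPermissions` back from `const std::string&` into `const std::string`, which copies the string on every call for no reason visible here. Keep the parameter as `const std::string& driver_version`, or add a comment explaining why a copy is wanted. The function body continues outside the hunk.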
@@ -127,17 +127,7 @@ index 2e53794fa3..0afc17a200 100644 (options.use_amd_specific_policies || options.use_intel_specific_policies || options.use_nvidia_specific_policies || -@@ -620,7 +648,8 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( - } - - std::vector FilePermissionsForGpu( -- const sandbox::policy::SandboxSeccompBPF::Options& options) { -+ const sandbox::policy::SandboxSeccompBPF::Options& options, -+ const std::string& driver_version) { - // All GPU process policies need this file brokered out. - static const char kDriRcPath[] = "/etc/drirc"; - std::vector permissions = { -@@ -628,9 +657,10 @@ std::vector FilePermissionsForGpu( +@@ -628,9 +656,9 @@ std::vector FilePermissionsForGpu( AddVulkanICDPermissions(&permissions); @@ -146,10 +136,21 @@ index 2e53794fa3..0afc17a200 100644 // Permissions are additive, there can be multiple GPUs in the system. - AddStandardChromeOsPermissions(&permissions); + AddStandardLinuxPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, driver_version); if (UseV4L2Codec(options)) { AddV4L2GpuPermissions(&permissions, options); } +@@ -643,9 +671,11 @@ std::vector FilePermissionsForGpu( + } + if (options.use_amd_specific_policies) { + AddAmdGpuPermissions(&permissions); ++ AddLibGalliumLinuxPermissions(&permissions, options.gpu_driver_version); + } + if (options.use_intel_specific_policies) { + AddIntelGpuPermissions(&permissions); ++ AddLibGalliumLinuxPermissions(&permissions, options.gpu_driver_version); + } + if (options.use_nvidia_specific_policies) { + AddStandardGpuPermissions(&permissions); @@ -678,7 +708,7 @@ bool LoadLibrariesForGpu( if (IsArchitectureArm()) { LoadArmGpuLibraries(); 
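Review bot: `AddLibGalliumLinuxPermissions(&permissions, options.gpu_driver_version)` is now called in both the AMD and the Intel branch, and since the comment above says permissions are additive across multiple GPUs, a system that sets both flags pushes the same libgallium entry twice. A single call after the two branches, `if (options.use_amd_specific_policies || options.use_intel_specific_policies) AddLibGalliumLinuxPermissions(&permissions, options.gpu_driver_version);`, keeps the allowlist free of duplicates and the Mesa-specific rule in one place. `FilePermissionsForGpu` starts and ends outside the hunk.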
@@ -159,32 +160,20 @@ index 2e53794fa3..0afc17a200 100644 if (options.use_amd_specific_policies) { if (!LoadAmdGpuLibraries()) return false; -@@ -695,9 +725,10 @@ bool LoadLibrariesForGpu( - return true; - } - --bool GpuPreSandboxHook(sandbox::policy::SandboxLinux::Options options) { -+bool GpuPreSandboxHook(sandbox::policy::SandboxLinux::Options options, -+ const std::string driver_version) { - sandbox::policy::SandboxLinux::GetInstance()->StartBrokerProcess( -- CommandSetForGPU(options), FilePermissionsForGpu(options), options); -+ CommandSetForGPU(options), FilePermissionsForGpu(options, driver_version), options); - - if (!LoadLibrariesForGpu(options)) - return false; diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc -index 30cc1d4a17..6bb3cdbb89 100644 +index 30cc1d4a17..23c42cf0d4 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -550,7 +550,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, - bool res = sandbox::policy::SandboxLinux::GetInstance()->InitializeSandbox( - sandbox::policy::SandboxTypeFromCommandLine( - *base::CommandLine::ForCurrentProcess()), -- base::BindOnce(GpuPreSandboxHook), sandbox_options); -+ base::BindOnce(GpuPreSandboxHook), sandbox_options, gpu_info->gpu.driver_version); +@@ -533,6 +533,9 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, + sandbox_options.accelerated_video_encode_enabled = + !gpu_prefs.disable_accelerated_video_encode; - if (watchdog_thread) { - watchdog_thread->Start(); ++ sandbox_options.gpu_driver_version = ++ gpu_info->gpu.driver_version; ++ + #if BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_LINUX) + // Video decoding of many video streams can use thousands of FDs as well as + // Exo clients. diff --git a/content/public/browser/gpu_utils.cc b/content/public/browser/gpu_utils.cc index 65dea86a65..3222da15ed 100644 --- a/content/public/browser/gpu_utils.cc 
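Review bot: `sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version;` dereferences `gpu_info` unconditionally, and the hunk shows no null check around it; if `StartSandboxLinux` can be called without GPU info, this is a null dereference before the sandbox starts. Guard it, e.g. `if (gpu_info) sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version;`, or move the assignment next to the code that sets the vendor-specific policy flags. The function body extends beyond the hunk, so an existing guard may simply be out of view.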
@@ -297,78 +286,19 @@ index 6ea960c6f8..a55023a3c6 100644 gpu_info_.sandboxed = sandbox_helper_->EnsureSandboxInitialized( watchdog_thread_.get(), &gpu_info_, gpu_preferences_); attempted_startsandbox = true; -diff --git a/sandbox/policy/linux/sandbox_linux.cc b/sandbox/policy/linux/sandbox_linux.cc -index 714cb2e115..ec235757fa 100644 ---- a/sandbox/policy/linux/sandbox_linux.cc -+++ b/sandbox/policy/linux/sandbox_linux.cc -@@ -304,7 +304,8 @@ SetuidSandboxClient* SandboxLinux::setuid_sandbox_client() const { - // For seccomp-bpf, we use the SandboxSeccompBPF class. - bool SandboxLinux::StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, - PreSandboxHook hook, -- const Options& options) { -+ const Options& options, -+ const std::string& gpu_driver_version) { - CHECK(!seccomp_bpf_started_); - CHECK(pre_initialized_); - #if BUILDFLAG(USE_SECCOMP_BPF) -@@ -318,7 +319,7 @@ bool SandboxLinux::StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, - } - - if (hook) -- CHECK(std::move(hook).Run(options)); -+ CHECK(std::move(hook).Run(options, gpu_driver_version)); - - // If we allow threads *and* have multiple threads, try to use TSYNC. 
- SandboxBPF::SeccompLevel seccomp_level = -@@ -344,6 +345,13 @@ bool SandboxLinux::StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, - bool SandboxLinux::InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, - SandboxLinux::PreSandboxHook hook, - const Options& options) { -+ return InitializeSandbox(sandbox_type, std::move(hook), options, ""); -+} -+ -+bool SandboxLinux::InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, -+ SandboxLinux::PreSandboxHook hook, -+ const Options& options, -+ const std::string& gpu_driver_version) { - DCHECK(!initialize_sandbox_ran_); - initialize_sandbox_ran_ = true; - -@@ -454,7 +462,7 @@ bool SandboxLinux::InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, - PCHECK(limited_as); - } - -- return StartSeccompBPF(sandbox_type, std::move(hook), options); -+ return StartSeccompBPF(sandbox_type, std::move(hook), options, gpu_driver_version); - } - - void SandboxLinux::StopThread(base::Thread* thread) { diff --git a/sandbox/policy/linux/sandbox_linux.h b/sandbox/policy/linux/sandbox_linux.h -index 76e20d21b7..beba850dcc 100644 +index 76e20d21b7..8fc32294bb 100644 --- a/sandbox/policy/linux/sandbox_linux.h 
+++ b/sandbox/policy/linux/sandbox_linux.h -@@ -168,6 +168,11 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { - PreSandboxHook hook, - const Options& options); - -+ bool InitializeSandbox(sandbox::mojom::Sandbox sandbox_type, -+ PreSandboxHook hook, -+ const Options& options, -+ const std::string& gpu_driver_version); +@@ -112,6 +112,8 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { + // useful for the chroot jail (from the semantic layer of the sandbox), and + // can safely be disabled if we are only enabling the seccomp-BPF layer. + bool check_for_open_directories = true; + - // Stop |thread| in a way that can be trusted by the sandbox. - void StopThread(base::Thread* thread); - -@@ -199,7 +204,8 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { - // multiple threads as a fatal error. - bool StartSeccompBPF(sandbox::mojom::Sandbox sandbox_type, - PreSandboxHook hook, -- const Options& options); -+ const Options& options, -+ const std::string gpu_driver_version); - - // Limit the address space of the current process (and its children) to make - // some vulnerabilities harder to exploit. Writes the errno due to setrlimit ++ std::string gpu_driver_version; + }; + + // Callers can provide this hook to run code right before the policy diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc index 4de13fe88b..aaebda0773 100644 --- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc From 87b45c4458da2406ff8f1bd504bdf8523e7b10f0 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 29 Nov 2025 09:18:42 -0500 Subject: [PATCH 16/64] fix --- patches/linux-gpu-sandbox.patch | 48 ++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 35f5e97a..6d929867 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -161,19 +161,20 @@ index 2e53794fa3..e38a8a24b3 100644 if (!LoadAmdGpuLibraries()) return false; diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc -index 30cc1d4a17..23c42cf0d4 100644 +index 30cc1d4a17..f39df8f142 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -533,6 +533,9 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, - sandbox_options.accelerated_video_encode_enabled = - !gpu_prefs.disable_accelerated_video_encode; - -+ sandbox_options.gpu_driver_version = -+ gpu_info->gpu.driver_version; -+ - #if BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_LINUX) - // Video decoding of many video streams can use thousands of FDs as well as - // Exo clients. +@@ -527,6 +527,10 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, + else if (angle::IsNVIDIA(gpu.vendor_id)) + sandbox_options.use_nvidia_specific_policies = true; + } ++ if (sandbox_options.use_amd_specific_policies || ++ sandbox_options.use_intel_specific_policies) ++ sandbox_options.gpu_driver_version = ++ gpu_info->gpu.driver_version; + } + sandbox_options.accelerated_video_decode_enabled = + !gpu_prefs.disable_accelerated_video_decode; diff --git a/content/public/browser/gpu_utils.cc b/content/public/browser/gpu_utils.cc index 65dea86a65..3222da15ed 100644 --- a/content/public/browser/gpu_utils.cc 
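Review bot: The version is read from `gpu_info->gpu`, while the context lines above show a policy flag also being set from another `gpu.vendor_id`, apparently while iterating over further GPUs. On a multi-GPU machine the string can therefore belong to a different driver than the AMD or Intel one whose flag triggered the assignment. In that case the broker allowlist would presumably name a libgallium file that does not exist, and Mesa would fail to load inside the sandbox. Taking the version from the device that matched the vendor check avoids this, and the unbraced `if` with a wrapped condition and wrapped body should get braces. `StartSandboxLinux` continues outside the hunk.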
@@ -286,19 +287,6 @@ index 6ea960c6f8..a55023a3c6 100644 gpu_info_.sandboxed = sandbox_helper_->EnsureSandboxInitialized( watchdog_thread_.get(), &gpu_info_, gpu_preferences_); attempted_startsandbox = true; -diff --git a/sandbox/policy/linux/sandbox_linux.h b/sandbox/policy/linux/sandbox_linux.h -index 76e20d21b7..8fc32294bb 100644 ---- a/sandbox/policy/linux/sandbox_linux.h -+++ b/sandbox/policy/linux/sandbox_linux.h -@@ -112,6 +112,8 @@ class SANDBOX_POLICY_EXPORT SandboxLinux { - // useful for the chroot jail (from the semantic layer of the sandbox), and - // can safely be disabled if we are only enabling the seccomp-BPF layer. - bool check_for_open_directories = true; -+ -+ std::string gpu_driver_version; - }; - - // Callers can provide this hook to run code right before the policy diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc index 4de13fe88b..aaebda0773 100644 --- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc @@ -323,3 +311,15 @@ index 4de13fe88b..aaebda0773 100644 if (IsArchitectureArm()) { return std::make_unique( mremap_policy, base::CommandLine::ForCurrentProcess()->HasSwitch( +diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h +index 165ca85462..00e0c34024 100644 +--- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h ++++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h +@@ -33,6 +33,7 @@ class SANDBOX_POLICY_EXPORT SandboxSeccompBPF { + // Options for GPU's PreSandboxHook. + bool accelerated_video_decode_enabled = false; + bool accelerated_video_encode_enabled = false; ++ std::string gpu_driver_version; + }; + + SandboxSeccompBPF() = delete; From 92e570ede12afa793627bb192c9d2a72d6673593 Mon Sep 17 00:00:00 2001 
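Review bot: `std::string gpu_driver_version;` joins the GPU hook options without a comment, although unlike the two booleans beside it the value is later concatenated into a file path for the broker allowlist. I would document it, for example `// Mesa driver version; set only for AMD/Intel. Used to allow /usr/lib64/libgallium-VERSION.so in the GPU broker, empty if unknown.` The hunk does not show whether this header already includes the standard string header.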
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 29 Nov 2025 23:41:09 -0500 Subject: [PATCH 17/64] feat(flags): expose autoconfig flag --- patches/expose-flags.patch | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/patches/expose-flags.patch b/patches/expose-flags.patch index 616ee836..65bf6281 100644 --- a/patches/expose-flags.patch +++ b/patches/expose-flags.patch @@ -14,7 +14,7 @@ diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc index 7613006656aaa..ee707f847ccba 100644 --- a/chrome/browser/about_flags.cc +++ b/chrome/browser/about_flags.cc -@@ -4343,6 +4343,64 @@ const FeatureEntry kFeatureEntries[] = { +@@ -4343,6 +4343,68 @@ const FeatureEntry kFeatureEntries[] = { // //tools/flags/generate_unexpire_flags.py. #include "build/chromeos_buildflags.h" #include "chrome/browser/unexpire_flags_gen.inc" @@ -58,6 +58,10 @@ index 7613006656aaa..ee707f847ccba 100644 + "network service sandbox to become persistently disabled, enable only " + "if absolutely necessary. This switch is provided by Trivalent.", + kOsLinux, SINGLE_VALUE_TYPE("enable-gssapi")}, ++ {"linux-gpu-sandbox", "Enable GPU Sandbox Auto-Configuration", ++ "Enables the GPU sandbox if your system supports it, this depends on " ++ "your graphics card, whether Vulkan is in use, or if X11 is used for " ++ "windowing.", kOsLinux, SINGLE_VALUE_TYPE("enable-gpu-sandbox-linux")}, + {"gpu-sandbox-test", "Force GPU Sandbox For Testing", + "Enables the GPU sandbox. WARNING: This is HIGHLY experimental and " + "can disable hardware acceleration or cause crashes. It is for " From b7a1e2c317738d3abdcaf11b4d3c485994e584b0 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 30 Nov 2025 09:10:18 -0500 Subject: [PATCH 18/64] Update expose-flags.patch --- patches/expose-flags.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
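Review bot: The description lists what the result "depends on" without saying which combinations actually enable the sandbox, so a user who turns the flag on cannot tell whether the GPU process is sandboxed. From linux-gpu-sandbox.patch in this series it appears to take effect only with `ozone-platform` set to `wayland` and an allowlisted GPU vendor. The text could state that directly, e.g. `"Only takes effect on Wayland with a supported GPU; has no effect on X11."`. The `kFeatureEntries` array continues outside the hunk.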
diff --git a/patches/expose-flags.patch b/patches/expose-flags.patch
index 65bf6281..90cb3d67 100644
--- a/patches/expose-flags.patch
+++ b/patches/expose-flags.patch
@@ -58,7 +58,7 @@ index 7613006656aaa..ee707f847ccba 100644
 + "network service sandbox to become persistently disabled, enable only "
 + "if absolutely necessary. This switch is provided by Trivalent.",
 + kOsLinux, SINGLE_VALUE_TYPE("enable-gssapi")},
-+ {"linux-gpu-sandbox", "Enable GPU Sandbox Auto-Configuration",
++ {"gpu-sandbox-autoconfig", "Enable GPU Sandbox Auto-Configuration",
 + "Enables the GPU sandbox if your system supports it, this depends on "
 + "your graphics card, whether Vulkan is in use, or if X11 is used for "
 + "windowing.", kOsLinux, SINGLE_VALUE_TYPE("enable-gpu-sandbox-linux")},
From 28f26443afb5cead354cef7b8b7405a728f3251d Mon Sep 17 00:00:00 2001
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com>
Date: Sun, 30 Nov 2025 09:11:44 -0500
Subject: [PATCH 19/64] Update expose-flags.patch
---
 patches/expose-flags.patch | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/patches/expose-flags.patch b/patches/expose-flags.patch
index 90cb3d67..4a35ea49 100644
--- a/patches/expose-flags.patch
+++ b/patches/expose-flags.patch
@@ -61,7 +61,8 @@ index 7613006656aaa..ee707f847ccba 100644
 + {"gpu-sandbox-autoconfig", "Enable GPU Sandbox Auto-Configuration",
 + "Enables the GPU sandbox if your system supports it, this depends on "
 + "your graphics card, whether Vulkan is in use, or if X11 is used for "
-+ "windowing.", kOsLinux, SINGLE_VALUE_TYPE("enable-gpu-sandbox-linux")},
++ "windowing. This flag is provided by Trivalent.",
++ kOsLinux, SINGLE_VALUE_TYPE("enable-gpu-sandbox-linux")},
 + {"gpu-sandbox-test", "Force GPU Sandbox For Testing",
 + "Enables the GPU sandbox. WARNING: This is HIGHLY experimental and "
 + "can disable hardware acceleration or cause crashes. It is for "
From 00bfa784e5f7417102248c936a186c947e04ba94 Mon Sep 17 00:00:00 2001
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 30 Nov 2025 09:12:16 -0500 Subject: [PATCH 20/64] Update expose-flags.patch --- patches/expose-flags.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/expose-flags.patch b/patches/expose-flags.patch index 4a35ea49..ca0bbd9f 100644 --- a/patches/expose-flags.patch +++ b/patches/expose-flags.patch @@ -14,7 +14,7 @@ diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc index 7613006656aaa..ee707f847ccba 100644 --- a/chrome/browser/about_flags.cc +++ b/chrome/browser/about_flags.cc -@@ -4343,6 +4343,68 @@ const FeatureEntry kFeatureEntries[] = { +@@ -4343,6 +4343,69 @@ const FeatureEntry kFeatureEntries[] = { // //tools/flags/generate_unexpire_flags.py. #include "build/chromeos_buildflags.h" #include "chrome/browser/unexpire_flags_gen.inc" From 1dfdaa597e6d85ff57ac00e856eafa81cc1818ae Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 30 Nov 2025 10:58:11 -0500 Subject: [PATCH 21/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 80 ++++++++++++++++++++------------- 1 file changed, 49 insertions(+), 31 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 6d929867..a73f3609 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -11,13 +11,13 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..e38a8a24b3 100644 +index 2e53794fa3..138228ec8b 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc 
@@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; namespace content { namespace { - + -inline bool IsChromeOS() { -#if BUILDFLAG(IS_CHROMEOS) +inline bool IsLinux() { @@ -28,16 +28,16 @@ index 2e53794fa3..e38a8a24b3 100644 @@ -86,7 +86,7 @@ inline bool UseV4L2Codec( static const char kMaliConfPath[] = "/etc/mali_platform.conf"; #endif - + -#if BUILDFLAG(IS_CHROMEOS) && defined(__aarch64__) +#if defined(__aarch64__) static const char kLibGlesPath[] = "/usr/lib64/libGLESv2.so.2"; static const char kLibEglPath[] = "/usr/lib64/libEGL.so.1"; static const char kLibMaliPath[] = "/usr/lib64/libmali.so"; @@ -100,7 +100,7 @@ static const char kLibTegraPath[] = "/usr/lib/libtegrav4l2.so"; - + constexpr int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; - + -void AddStandardChromeOsPermissions( +void AddStandardLinuxPermissions( std::vector* permissions) { @@ -46,7 +46,7 @@ index 2e53794fa3..e38a8a24b3 100644 @@ -115,6 +115,15 @@ void AddStandardChromeOsPermissions( } } - + +void AddLibGalliumLinuxPermissions( + std::vector* permissions, + const std::string driver_version) { @@ -63,7 +63,7 @@ index 2e53794fa3..e38a8a24b3 100644 // that requires the following libs and files to be accessible. "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", -+#if !BUILDFLAG(IS_CHROMEOS) ++#if !BUILDFLAG(IS_CHROMEOS) // Linux AMD + "/usr/lib64/libwayland-server.so.0", + "/usr/lib64/gbm/dri_gbm.so", + "/usr/lib64/dri/iHD_drv_video.so", @@ -75,7 +75,7 @@ index 2e53794fa3..e38a8a24b3 100644 // that requires the following libs and files to be accessible. "/etc/ld.so.cache", "/usr/lib64/libgallium_dri.so", -+#if !BUILDFLAG(IS_CHROMEOS) ++#if !BUILDFLAG(IS_CHROMEOS) // Linux Nvidia + "/usr/lib64/gbm/dri_gbm.so", +#endif "/usr/lib64/dri/nouveau_dri.so", 
@@ -85,7 +85,7 @@ index 2e53794fa3..e38a8a24b3 100644 // To support threads in mesa we use --gpu-sandbox-start-early and // that requires the following libs and files to be accessible. "/usr/lib64/libgallium_dri.so", -+#if !BUILDFLAG(IS_CHROMEOS) ++#if !BUILDFLAG(IS_CHROMEOS) // Linux Intel + "/usr/lib64/gbm/dri_gbm.so", + "/usr/lib64/dri/iHD_drv_video.so", +#endif @@ -96,7 +96,7 @@ index 2e53794fa3..e38a8a24b3 100644 "/usr/lib64/libglapi.so.0", "/usr/lib64/libc++.so.1", "/usr/lib64/libgallium_dri.so", -+#if !BUILDFLAG(IS_CHROMEOS) ++#if !BUILDFLAG(IS_CHROMEOS) // Linux VirtIO + "/usr/lib64/dri/virtio_gpu_drv_video.so", + "/usr/lib64/libwayland-server.so.0", + "/usr/lib64/gbm/dri_gbm.so", @@ -106,7 +106,7 @@ index 2e53794fa3..e38a8a24b3 100644 "/usr/lib64/dri/kms_swrast_dri.so", @@ -548,11 +574,13 @@ void LoadArmGpuLibraries() { } - + bool LoadAmdGpuLibraries() { +#if BUILDFLAG(IS_CHROMEOS) // Preload the amdgpu-dependent libraries. @@ -115,7 +115,7 @@ index 2e53794fa3..e38a8a24b3 100644 return false; } +#endif // IS_CHROMEOS - + const char* radeonsi_lib = "/usr/lib64/dri/radeonsi_dri.so"; #if defined(DRI_DRIVER_DIR) @@ -609,7 +637,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( @@ -128,9 +128,9 @@ index 2e53794fa3..e38a8a24b3 100644 options.use_intel_specific_policies || options.use_nvidia_specific_policies || @@ -628,9 +656,9 @@ std::vector FilePermissionsForGpu( - + AddVulkanICDPermissions(&permissions); - + - if (IsChromeOS()) { + if (IsLinux()) { // Permissions are additive, there can be multiple GPUs in the system. @@ -182,7 +182,7 @@ index 65dea86a65..3222da15ed 100644 @@ -82,6 +82,15 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { gpu_preferences.gpu_sandbox_start_early = command_line->HasSwitch(switches::kGpuSandboxStartEarly); - + + gpu_preferences.gpu_sandbox_linux = +#if BUILDFLAG(IS_LINUX) + command_line->HasSwitch("enable-gpu-sandbox-linux") && @@ -202,13 +202,13 @@ index 7da57a4b42..02be997c1d 100644 
@@ -134,6 +134,9 @@ struct GPU_CONFIG_EXPORT GpuPreferences { // Starts the GPU sandbox before creating a GL context. bool gpu_sandbox_start_early = false; - + + // Enable the GPU sandbox on Linux, implies gpu_sandbox_start_early + bool gpu_sandbox_linux = false; + // Enables using CODECAPI_AVLowLatencyMode. Windows only. bool enable_low_latency_dxva = true; - + diff --git a/gpu/ipc/common/gpu_preferences.mojom b/gpu/ipc/common/gpu_preferences.mojom index 9cc16eaa45..39fc10f9f8 100644 --- a/gpu/ipc/common/gpu_preferences.mojom @@ -218,7 +218,7 @@ index 9cc16eaa45..39fc10f9f8 100644 bool disable_gpu_watchdog; bool gpu_sandbox_start_early; + bool gpu_sandbox_linux; - + // TODO(http://crbug.com/676224) Support preprocessing of mojoms. Following // variables should be used on Windows only. diff --git a/gpu/ipc/common/gpu_preferences_mojom_traits.h b/gpu/ipc/common/gpu_preferences_mojom_traits.h @@ -244,13 +244,13 @@ index 28d9ac5174..84cf63972b 100644 return prefs.enable_low_latency_dxva; } diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc -index 6ea960c6f8..a55023a3c6 100644 +index 6ea960c6f8..cbce31ca4f 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc @@ -54,6 +54,10 @@ #include #endif - + +#if BUILDFLAG(IS_LINUX) +#include "third_party/angle/src/gpu_info_util/SystemInfo.h" +#endif 
@@ -258,27 +258,45 @@ index 6ea960c6f8..a55023a3c6 100644 #if BUILDFLAG(IS_OZONE) #include "gpu/command_buffer/service/drm_modifiers_filter_vulkan.h" #include "ui/ozone/public/drm_modifiers_filter.h" -@@ -418,8 +422,18 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -352,6 +356,14 @@ GpuInit::~GpuInit() { + StopForceDiscreteGPU(); + } + ++// TODO: Add the following ++//angle::IsNVIDIA(vendor_id) ++//angle::IsVirtIO(vendor_id) ++//andle::IsARM(vendor_id) ++bool IsGpuSandboxSupportedPlatform(const uint_32& vendor_id) { ++ return angle::IsAMD(vendor_id) || angle::IsIntel(vendor_id); ++} ++ + bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, + const GpuPreferences& gpu_preferences) { + TRACE_EVENT("gpu,startup", "gpu::GpuInit::InitializeAndStartSandbox"); +@@ -418,8 +430,21 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif - + + bool gpu_sandbox_linux = gpu_preferences_.gpu_sandbox_linux; #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; -+ if (gpu_sandbox_linux) -+ // Only enable on platforms where the sandbox works -+ gpu_sandbox_linux = angle::IsAMD(gpu_info_.active_gpu().vendor_id) -+ || angle::IsIntel(gpu_info_.active_gpu().vendor_id); -+ //|| angle::IsNVIDIA(gpu_info_.active_gpu().vendor_id) -+ //|| angle::IsVirtIO(gpu_info_.active_gpu().vendor_id) -+ //|| andle::IsARM(gpu_info_.active_gpu().vendor_id) ++ // Only enable on platforms where the sandbox works ++ if (gpu_sandbox_linux && ++ IsGpuSandboxSupportedPlatform(gpu_info_.active_gpu().vendor_id) { ++ for (const auto& gpu : gpu_info_.secondary_gpus) { ++ if (!IsGpuSandboxSupportedPlatform(gpu.vendor_id) { ++ gpu_sandbox_linux = false; ++ break; ++ } ++ } ++ } + bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early || + // The sandbox does not work with Vulkan currently + (gpu_sandbox_linux && 
!features::IsUsingVulkan()); #else // !(BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)) // For some reasons MacOSX's VideoToolbox might crash when called after // initializing GL, see crbug.com/1047643 and crbug.com/871280. On other -@@ -460,7 +474,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, +@@ -460,7 +485,7 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, // On Chrome OS ARM Mali, GPU driver userspace creates threads when // initializing a GL context, so start the sandbox early. // TODO(zmo): Need to collect OS version before this. @@ -321,5 +339,5 @@ index 165ca85462..00e0c34024 100644 bool accelerated_video_encode_enabled = false; + std::string gpu_driver_version; }; - + SandboxSeccompBPF() = delete; From 4c5ffc23c76bd0d8d1a15911cc9a8596f483c116 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 30 Nov 2025 12:52:34 -0500 Subject: [PATCH 22/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index a73f3609..980420a5 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -266,7 +266,7 @@ index 6ea960c6f8..cbce31ca4f 100644 +//angle::IsNVIDIA(vendor_id) +//angle::IsVirtIO(vendor_id) +//andle::IsARM(vendor_id) -+bool IsGpuSandboxSupportedPlatform(const uint_32& vendor_id) { ++bool IsGpuSandboxSupportedPlatform(uint32_t vendor_id) { + return angle::IsAMD(vendor_id) || angle::IsIntel(vendor_id); +} + From d3147ab7d803d0a87569226374a18e238013b7c4 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 30 Nov 2025 16:52:02 -0500 Subject: [PATCH 23/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
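Review bot: The rewritten vendor check in `GpuInit::InitializeAndStartSandbox` no longer clears `gpu_sandbox_linux` when the active GPU is unsupported, because the flag is only set to false inside an `if` that is entered when `IsGpuSandboxSupportedPlatform(gpu_info_.active_gpu().vendor_id)` is already true. The removed code assigned the result of the AMD/Intel test directly, so after this change a system whose active GPU is one of the vendors still listed in the TODO keeps the preference value, and `gpu_sandbox_start_early` is forced on for hardware the comment says is not supported. Closing the block with `} else { gpu_sandbox_linux = false; }` restores the old behaviour while keeping the secondary-GPU loop. The same logic is carried unchanged through the follow-up hunks in PATCH 22 and PATCH 23, which only fix the parameter type and the missing parentheses. The TODO comment also spells the namespace `andle::IsARM`, and the function body continues outside the hunk.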
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch
index 980420a5..32f848b0 100644
--- a/patches/linux-gpu-sandbox.patch
+++ b/patches/linux-gpu-sandbox.patch
@@ -282,9 +282,9 @@ index 6ea960c6f8..cbce31ca4f 100644
 - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early;
 + // Only enable on platforms where the sandbox works
 + if (gpu_sandbox_linux &&
-+ IsGpuSandboxSupportedPlatform(gpu_info_.active_gpu().vendor_id) {
++ IsGpuSandboxSupportedPlatform(gpu_info_.active_gpu().vendor_id)) {
 + for (const auto& gpu : gpu_info_.secondary_gpus) {
-+ if (!IsGpuSandboxSupportedPlatform(gpu.vendor_id) {
++ if (!IsGpuSandboxSupportedPlatform(gpu.vendor_id)) {
 + gpu_sandbox_linux = false;
 + break;
 + }
From 2696fc091ccdefb56655bf741d41782ae14c9f90 Mon Sep 17 00:00:00 2001
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com>
Date: Mon, 1 Dec 2025 21:21:13 -0500
Subject: [PATCH 24/64] Update linux-gpu-sandbox.patch
---
 patches/linux-gpu-sandbox.patch | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch
index 32f848b0..33a754ec 100644
--- a/patches/linux-gpu-sandbox.patch
+++ b/patches/linux-gpu-sandbox.patch
@@ -164,14 +164,11 @@ diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc
 index 30cc1d4a17..f39df8f142 100644
 --- a/content/gpu/gpu_main.cc
+++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,10 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ if (sandbox_options.use_amd_specific_policies || -+ sandbox_options.use_intel_specific_policies) -+ sandbox_options.gpu_driver_version = -+ gpu_info->gpu.driver_version; ++ sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; From f911f766a0263d2309fc4b8af805386b7ad6d8f9 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 2 Dec 2025 21:10:08 -0500 Subject: [PATCH 25/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 64 +++++++++++++++++---------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 33a754ec..5b3c0dbd 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -11,13 +11,13 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..138228ec8b 100644 +index 2e53794fa3..e081374b49 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc @@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; namespace content { namespace { - + -inline bool IsChromeOS() { -#if BUILDFLAG(IS_CHROMEOS) +inline bool IsLinux() { @@ -28,38 +28,41 @@ index 2e53794fa3..138228ec8b 100644 
@@ -86,7 +86,7 @@ inline bool UseV4L2Codec( static const char kMaliConfPath[] = "/etc/mali_platform.conf"; #endif - + -#if BUILDFLAG(IS_CHROMEOS) && defined(__aarch64__) +#if defined(__aarch64__) static const char kLibGlesPath[] = "/usr/lib64/libGLESv2.so.2"; static const char kLibEglPath[] = "/usr/lib64/libEGL.so.1"; static const char kLibMaliPath[] = "/usr/lib64/libmali.so"; @@ -100,7 +100,7 @@ static const char kLibTegraPath[] = "/usr/lib/libtegrav4l2.so"; - + constexpr int dlopen_flag = RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE; - + -void AddStandardChromeOsPermissions( +void AddStandardLinuxPermissions( std::vector* permissions) { // For the ANGLE passthrough command decoder. static const char* const kReadOnlyList[] = {"libEGL.so", "libGLESv2.so"}; -@@ -115,6 +115,15 @@ void AddStandardChromeOsPermissions( +@@ -115,6 +115,18 @@ void AddStandardChromeOsPermissions( } } - + +void AddLibGalliumLinuxPermissions( + std::vector* permissions, + const std::string driver_version) { -+ if (driver_version.empty()) ++ if (driver_version.empty()) { ++ LOG(ERROR) << "Detected driver version is empty, gpu sandbox may fail"; + return; ++ } + const std::string libgallium_path = + "/usr/lib64/libgallium-" + driver_version + ".so"; ++ LOG(ERROR) << "Detected gallium path : " << libgallium_path; + permissions->push_back(BrokerFilePermission::ReadOnly(libgallium_path)); +} void AddV4L2GpuPermissions( std::vector* permissions, const sandbox::policy::SandboxSeccompBPF::Options& options) { -@@ -257,6 +266,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { +@@ -257,6 +269,11 @@ void AddAmdGpuPermissions(std::vector* permissions) { // that requires the following libs and files to be accessible. "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", 
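Review bot: `AddLibGalliumLinuxPermissions` concatenates `driver_version` into a broker allowlist path without checking its contents, so a version string containing `/` would grant the sandboxed GPU process read-only access to a path outside `/usr/lib64`. The value looks like it comes from collected GPU info rather than from web content, so this is defence in depth, but the check is cheap: `if (driver_version.find('/') != std::string::npos) return;` next to the existing empty check. The added `LOG(ERROR) << "Detected gallium path : "` fires on the success path, where `VLOG(1)` would keep it out of the error log. The parameter is also taken as `const std::string` by value; `const std::string&` avoids the copy.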
@@ -71,7 +74,7 @@ index 2e53794fa3..138228ec8b 100644 "/usr/lib64/libglapi.so.0", "/usr/lib64/libgallium_dri.so", "/usr/lib64/dri/r300_dri.so", -@@ -298,6 +312,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { +@@ -298,6 +315,9 @@ void AddNvidiaGpuPermissions(std::vector* permissions) { // that requires the following libs and files to be accessible. "/etc/ld.so.cache", "/usr/lib64/libgallium_dri.so", @@ -81,7 +84,7 @@ index 2e53794fa3..138228ec8b 100644 "/usr/lib64/dri/nouveau_dri.so", "/usr/lib64/dri/radeonsi_dri.so", "/usr/lib64/dri/swrast_dri.so", -@@ -324,6 +341,10 @@ void AddIntelGpuPermissions(std::vector* permissions) { +@@ -324,6 +344,10 @@ void AddIntelGpuPermissions(std::vector* permissions) { // To support threads in mesa we use --gpu-sandbox-start-early and // that requires the following libs and files to be accessible. "/usr/lib64/libgallium_dri.so", @@ -92,7 +95,7 @@ index 2e53794fa3..138228ec8b 100644 "/usr/lib64/libEGL.so.1", "/usr/lib64/libGLESv2.so.2", "/usr/lib64/libelf.so.1", "/usr/lib64/libglapi.so.0", "/usr/lib64/libdrm_amdgpu.so.1", "/usr/lib64/libdrm_radeon.so.1", -@@ -363,6 +384,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { +@@ -363,6 +387,11 @@ void AddVirtIOGpuPermissions(std::vector* permissions) { "/usr/lib64/libglapi.so.0", "/usr/lib64/libc++.so.1", "/usr/lib64/libgallium_dri.so", @@ -104,9 +107,9 @@ index 2e53794fa3..138228ec8b 100644 // If kms_swrast_dri is not usable, swrast_dri is used instead. "/usr/lib64/dri/swrast_dri.so", "/usr/lib64/dri/kms_swrast_dri.so", -@@ -548,11 +574,13 @@ void LoadArmGpuLibraries() { +@@ -548,11 +577,13 @@ void LoadArmGpuLibraries() { } - + bool LoadAmdGpuLibraries() { +#if BUILDFLAG(IS_CHROMEOS) // Preload the amdgpu-dependent libraries. 
@@ -115,10 +118,10 @@ index 2e53794fa3..138228ec8b 100644 return false; } +#endif // IS_CHROMEOS - + const char* radeonsi_lib = "/usr/lib64/dri/radeonsi_dri.so"; #if defined(DRI_DRIVER_DIR) -@@ -609,7 +637,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( +@@ -609,7 +640,7 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU( command_set.set(sandbox::syscall_broker::COMMAND_ACCESS); command_set.set(sandbox::syscall_broker::COMMAND_OPEN); command_set.set(sandbox::syscall_broker::COMMAND_STAT); @@ -127,10 +130,10 @@ index 2e53794fa3..138228ec8b 100644 (options.use_amd_specific_policies || options.use_intel_specific_policies || options.use_nvidia_specific_policies || -@@ -628,9 +656,9 @@ std::vector FilePermissionsForGpu( - +@@ -628,9 +659,9 @@ std::vector FilePermissionsForGpu( + AddVulkanICDPermissions(&permissions); - + - if (IsChromeOS()) { + if (IsLinux()) { // Permissions are additive, there can be multiple GPUs in the system. @@ -139,7 +142,7 @@ index 2e53794fa3..138228ec8b 100644 if (UseV4L2Codec(options)) { AddV4L2GpuPermissions(&permissions, options); } -@@ -643,9 +671,11 @@ std::vector FilePermissionsForGpu( +@@ -643,9 +674,11 @@ std::vector FilePermissionsForGpu( } if (options.use_amd_specific_policies) { AddAmdGpuPermissions(&permissions); @@ -151,7 +154,7 @@ index 2e53794fa3..138228ec8b 100644 } if (options.use_nvidia_specific_policies) { AddStandardGpuPermissions(&permissions); -@@ -678,7 +708,7 @@ bool LoadLibrariesForGpu( +@@ -678,7 +711,7 @@ bool LoadLibrariesForGpu( if (IsArchitectureArm()) { LoadArmGpuLibraries(); } @@ -169,6 +172,7 @@ index 30cc1d4a17..f39df8f142 100644 sandbox_options.use_nvidia_specific_policies = true; } + sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version; ++ LOG(ERROR) << "Detected GPU driver version : " << sandbox_options.gpu_driver_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; 
@@ -179,7 +183,7 @@ index 65dea86a65..3222da15ed 100644 @@ -82,6 +82,15 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { gpu_preferences.gpu_sandbox_start_early = command_line->HasSwitch(switches::kGpuSandboxStartEarly); - + + gpu_preferences.gpu_sandbox_linux = +#if BUILDFLAG(IS_LINUX) + command_line->HasSwitch("enable-gpu-sandbox-linux") && @@ -199,13 +203,13 @@ index 7da57a4b42..02be997c1d 100644 @@ -134,6 +134,9 @@ struct GPU_CONFIG_EXPORT GpuPreferences { // Starts the GPU sandbox before creating a GL context. bool gpu_sandbox_start_early = false; - + + // Enable the GPU sandbox on Linux, implies gpu_sandbox_start_early + bool gpu_sandbox_linux = false; + // Enables using CODECAPI_AVLowLatencyMode. Windows only. bool enable_low_latency_dxva = true; - + diff --git a/gpu/ipc/common/gpu_preferences.mojom b/gpu/ipc/common/gpu_preferences.mojom index 9cc16eaa45..39fc10f9f8 100644 --- a/gpu/ipc/common/gpu_preferences.mojom @@ -215,7 +219,7 @@ index 9cc16eaa45..39fc10f9f8 100644 bool disable_gpu_watchdog; bool gpu_sandbox_start_early; + bool gpu_sandbox_linux; - + // TODO(http://crbug.com/676224) Support preprocessing of mojoms. Following // variables should be used on Windows only. diff --git a/gpu/ipc/common/gpu_preferences_mojom_traits.h b/gpu/ipc/common/gpu_preferences_mojom_traits.h @@ -241,13 +245,13 @@ index 28d9ac5174..84cf63972b 100644 return prefs.enable_low_latency_dxva; } diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc -index 6ea960c6f8..cbce31ca4f 100644 +index 6ea960c6f8..a22bc31453 100644 --- a/gpu/ipc/service/gpu_init.cc +++ b/gpu/ipc/service/gpu_init.cc @@ -54,6 +54,10 @@ #include #endif - + +#if BUILDFLAG(IS_LINUX) +#include "third_party/angle/src/gpu_info_util/SystemInfo.h" +#endif @@ -258,7 +262,7 @@ index 6ea960c6f8..cbce31ca4f 100644 @@ -352,6 +356,14 @@ GpuInit::~GpuInit() { StopForceDiscreteGPU(); } - + +// TODO: Add the following +//angle::IsNVIDIA(vendor_id) +//angle::IsVirtIO(vendor_id) 
@@ -273,7 +277,7 @@ index 6ea960c6f8..cbce31ca4f 100644 @@ -418,8 +430,21 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line, enable_watchdog = false; #endif - + + bool gpu_sandbox_linux = gpu_preferences_.gpu_sandbox_linux; #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - bool gpu_sandbox_start_early = gpu_preferences_.gpu_sandbox_start_early; @@ -336,5 +340,5 @@ index 165ca85462..00e0c34024 100644 bool accelerated_video_encode_enabled = false; + std::string gpu_driver_version; }; - + SandboxSeccompBPF() = delete; From 06a8db8c2d27b4b0bccd6c52355ad95cc40a1fd8 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 2 Dec 2025 22:12:38 -0500 Subject: [PATCH 26/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 5b3c0dbd..1de63038 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -167,7 +167,7 @@ diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc index 30cc1d4a17..f39df8f142 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,8 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } From 2cab0b645f3da9a2772feb5adef20188cb05ac6f Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Wed, 3 Dec 2025 20:13:03 -0500 Subject: [PATCH 27/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 1de63038..41038425 100644 --- a/patches/linux-gpu-sandbox.patch 
+++ b/patches/linux-gpu-sandbox.patch @@ -164,15 +164,20 @@ index 2e53794fa3..e081374b49 100644 if (!LoadAmdGpuLibraries()) return false; diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc -index 30cc1d4a17..f39df8f142 100644 +index 30cc1d4a17..1ab638e6e9 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,8 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,13 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version; -+ LOG(ERROR) << "Detected GPU driver version : " << sandbox_options.gpu_driver_version; ++ ++ { ++ GPUInfo temp_gpu_info; ++ if (CollectContextGraphicsInfo(&temp_gpu_info) ++ sandbox_options.gpu_driver_version = ++ temp_gpu_info->gpu.driver_version; ++ } } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; From a09b7bb938c8adf61408b33030a1c56e68c96265 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 4 Dec 2025 08:12:12 -0500 Subject: [PATCH 28/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 41038425..f2cf56e5 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -167,17 +167,15 @@ diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc index 30cc1d4a17..1ab638e6e9 100644 --- a/content/gpu/gpu_main.cc 
+++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,13 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,11 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } + -+ { -+ GPUInfo temp_gpu_info; -+ if (CollectContextGraphicsInfo(&temp_gpu_info) -+ sandbox_options.gpu_driver_version = -+ temp_gpu_info->gpu.driver_version; -+ } ++ gpu::GPUInfo temp_gpu_info; ++ if (CollectContextGraphicsInfo(&temp_gpu_info)) ++ sandbox_options.gpu_driver_version = ++ temp_gpu_info->gpu.driver_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; From 73ea5f0044b13e1dcdf2abec4845fc1af6022635 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 4 Dec 2025 18:39:36 -0500 Subject: [PATCH 29/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index f2cf56e5..e3bcedbb 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -175,7 +175,7 @@ index 30cc1d4a17..1ab638e6e9 100644 + gpu::GPUInfo temp_gpu_info; + if (CollectContextGraphicsInfo(&temp_gpu_info)) + sandbox_options.gpu_driver_version = -+ temp_gpu_info->gpu.driver_version; ++ temp_gpu_info.gpu.driver_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; From 7c6481885ecb5c9110797a6bd58d4268fc2ed0ad Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Thu, 4 Dec 2025 23:46:54 -0500 Subject: [PATCH 30/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 38 +++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) 
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index e3bcedbb..f36c8b70 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -167,15 +167,11 @@ diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc index 30cc1d4a17..1ab638e6e9 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,11 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ -+ gpu::GPUInfo temp_gpu_info; -+ if (CollectContextGraphicsInfo(&temp_gpu_info)) -+ sandbox_options.gpu_driver_version = -+ temp_gpu_info.gpu.driver_version; ++ sandbox_options.gpu_driver_version = GetGraphicsGLDriverVersion(); } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; 
@@ -345,3 +341,33 @@ index 165ca85462..00e0c34024 100644 }; SandboxSeccompBPF() = delete; +diff --git a/gpu/config/gpu_info_collector.cc b/gpu/config/gpu_info_collector.cc +index e057ed59c6..6a14b75f11 100644 +--- a/gpu/config/gpu_info_collector.cc ++++ b/gpu/config/gpu_info_collector.cc +@@ -582,6 +582,12 @@ bool CollectBasicGraphicsInfo(const base::CommandLine* command_line, + return CollectBasicGraphicsInfo(gpu_info); + } + ++std::string GetGraphicsGLDriverVersion() { ++ gl::GLVersionInfo gl_info(GetGLString(GL_VERSION), GetGLString(GL_RENDERER), ++ gfx::MakeExtensionSet(gl::GetGLExtensionsFromCurrentContext())); ++ return gl_info.driver_version; ++} ++ + bool CollectGraphicsInfoGL(GPUInfo* gpu_info, gl::GLDisplay* display) { + TRACE_EVENT("gpu,startup", "gpu_info_collector::CollectGraphicsInfoGL"); + DCHECK_NE(gl::GetGLImplementationParts(), gl::kGLImplementationNone); +diff --git a/gpu/config/gpu_info_collector.h b/gpu/config/gpu_info_collector.h +index 1c8fd10296..fde4b147f6 100644 +--- a/gpu/config/gpu_info_collector.h ++++ b/gpu/config/gpu_info_collector.h +@@ -75,6 +75,8 @@ GPU_CONFIG_EXPORT void CollectHardwareOverlayInfo(OverlayInfo* overlay_info); + bool IdentifyActiveGPUWithLuid(GPUInfo* gpu_info); + #endif // BUILDFLAG(IS_WIN) + ++GPU_CONFIG_EXPORT std::string GetGraphicsGLDriverVersion(); ++ + // Create a GL context and collect GL strings and versions. + GPU_CONFIG_EXPORT bool CollectGraphicsInfoGL(GPUInfo* gpu_info, + gl::GLDisplay* display); From 2b58aad356c7f40953a2dd30f0dae0a5214f2f7f Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Fri, 5 Dec 2025 08:31:00 -0500 Subject: [PATCH 31/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index f36c8b70..352a41a9 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -345,13 +345,15 @@ diff --git a/gpu/config/gpu_info_collector.cc b/gpu/config/gpu_info_collector.cc index e057ed59c6..6a14b75f11 100644 --- a/gpu/config/gpu_info_collector.cc +++ b/gpu/config/gpu_info_collector.cc -@@ -582,6 +582,12 @@ bool CollectBasicGraphicsInfo(const base::CommandLine* command_line, +@@ -582,6 +582,14 @@ bool CollectBasicGraphicsInfo(const base::CommandLine* command_line, return CollectBasicGraphicsInfo(gpu_info); } +std::string GetGraphicsGLDriverVersion() { -+ gl::GLVersionInfo gl_info(GetGLString(GL_VERSION), GetGLString(GL_RENDERER), -+ gfx::MakeExtensionSet(gl::GetGLExtensionsFromCurrentContext())); ++ gl::GLVersionInfo gl_info(GetGLString(GL_VERSION).c_str(), ++ GetGLString(GL_RENDERER).c_str(), ++ gfx::MakeExtensionSet( ++ gl::GetGLExtensionsFromCurrentContext())); + return gl_info.driver_version; +} + From 4ca4c58d7bf576b5bb0798128872399052f35331 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Fri, 5 Dec 2025 18:48:43 -0500 Subject: [PATCH 32/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 352a41a9..e6f13d13 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -171,7 +171,7 @@ index 30cc1d4a17..1ab638e6e9 100644 else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ sandbox_options.gpu_driver_version = GetGraphicsGLDriverVersion(); ++ sandbox_options.gpu_driver_version = gpu::GetGraphicsGLDriverVersion(); } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; From 3874ac2e6fe9c785fc9408cd9ee6238300b5371e Mon Sep 17 00:00:00 2001 
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 6 Dec 2025 17:50:21 -0500 Subject: [PATCH 33/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index e6f13d13..777fa419 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -345,15 +345,13 @@ diff --git a/gpu/config/gpu_info_collector.cc b/gpu/config/gpu_info_collector.cc index e057ed59c6..6a14b75f11 100644 --- a/gpu/config/gpu_info_collector.cc +++ b/gpu/config/gpu_info_collector.cc -@@ -582,6 +582,14 @@ bool CollectBasicGraphicsInfo(const base::CommandLine* command_line, +@@ -582,6 +582,12 @@ bool CollectBasicGraphicsInfo(const base::CommandLine* command_line, return CollectBasicGraphicsInfo(gpu_info); } +std::string GetGraphicsGLDriverVersion() { -+ gl::GLVersionInfo gl_info(GetGLString(GL_VERSION).c_str(), -+ GetGLString(GL_RENDERER).c_str(), -+ gfx::MakeExtensionSet( -+ gl::GetGLExtensionsFromCurrentContext())); ++ gl::GLVersionInfo gl_info("", GetGLString(GL_RENDERER).c_str(), ++ gfx::MakeExtensionSet("")); + return gl_info.driver_version; +} + From 770d51af39cc6d1d95ba7df37a0c1ca0daae206d Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 7 Dec 2025 01:26:40 -0500 Subject: [PATCH 34/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 63 ++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 29 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 777fa419..3253a4a0 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -171,7 +171,7 @@ index 30cc1d4a17..1ab638e6e9 100644 else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ sandbox_options.gpu_driver_version = gpu::GetGraphicsGLDriverVersion(); ++ sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; 
@@ -341,33 +341,38 @@ index 165ca85462..00e0c34024 100644 }; SandboxSeccompBPF() = delete; -diff --git a/gpu/config/gpu_info_collector.cc b/gpu/config/gpu_info_collector.cc -index e057ed59c6..6a14b75f11 100644 ---- a/gpu/config/gpu_info_collector.cc -+++ b/gpu/config/gpu_info_collector.cc -@@ -582,6 +582,12 @@ bool CollectBasicGraphicsInfo(const base::CommandLine* command_line, - return CollectBasicGraphicsInfo(gpu_info); - } - -+std::string GetGraphicsGLDriverVersion() { -+ gl::GLVersionInfo gl_info("", GetGLString(GL_RENDERER).c_str(), -+ gfx::MakeExtensionSet("")); -+ return gl_info.driver_version; -+} -+ - bool CollectGraphicsInfoGL(GPUInfo* gpu_info, gl::GLDisplay* display) { - TRACE_EVENT("gpu,startup", "gpu_info_collector::CollectGraphicsInfoGL"); - DCHECK_NE(gl::GetGLImplementationParts(), gl::kGLImplementationNone); -diff --git a/gpu/config/gpu_info_collector.h b/gpu/config/gpu_info_collector.h -index 1c8fd10296..fde4b147f6 100644 ---- a/gpu/config/gpu_info_collector.h -+++ b/gpu/config/gpu_info_collector.h -@@ -75,6 +75,8 @@ GPU_CONFIG_EXPORT void CollectHardwareOverlayInfo(OverlayInfo* overlay_info); - bool IdentifyActiveGPUWithLuid(GPUInfo* gpu_info); +diff --git a/content/browser/gpu/gpu_process_host.cc b/content/browser/gpu/gpu_process_host.cc +index cd6b6be5cb..3e66a9860e 100644 +--- a/content/browser/gpu/gpu_process_host.cc ++++ b/content/browser/gpu/gpu_process_host.cc +@@ -1313,6 +1313,11 @@ bool GpuProcessHost::LaunchGpuProcess() { + } #endif // BUILDFLAG(IS_WIN) -+GPU_CONFIG_EXPORT std::string GetGraphicsGLDriverVersion(); -+ - // Create a GL context and collect GL strings and versions. 
- GPU_CONFIG_EXPORT bool CollectGraphicsInfoGL(GPUInfo* gpu_info, - gl::GLDisplay* display); ++ const gpu::GPUInfo::GPUDevice device_info = GetGPUInfo().active_gpu(); ++ if (device_info.driver_version.length()) { ++ cmd_line->AppendSwitchASCII(switches::kGpuDriverVersion, ++ device_info.driver_version); ++ } + if (kind_ == GPU_PROCESS_KIND_INFO_COLLECTION) { + cmd_line->AppendSwitch(sandbox::policy::switches::kDisableGpuSandbox); + cmd_line->AppendSwitchASCII(switches::kUseGL, +@@ -1320,7 +1325,6 @@ bool GpuProcessHost::LaunchGpuProcess() { + + // Pass the current device info to the info-collection GPU process for + // crash key logging. +- const gpu::GPUInfo::GPUDevice device_info = GetGPUInfo().active_gpu(); + cmd_line->AppendSwitchASCII( + switches::kGpuVendorId, + base::StringPrintf("%u", device_info.vendor_id)); +@@ -1334,10 +1338,6 @@ bool GpuProcessHost::LaunchGpuProcess() { + cmd_line->AppendSwitchASCII(switches::kGpuRevision, + base::StringPrintf("%u", device_info.revision)); + #endif +- if (device_info.driver_version.length()) { +- cmd_line->AppendSwitchASCII(switches::kGpuDriverVersion, +- device_info.driver_version); +- } + } + + // TODO(penghuang): Replace all GPU related switches with GpuPreferences. From 2088c31e902a238e6827c4a8da3bcec1fc56a9e3 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 7 Dec 2025 12:17:20 -0500 Subject: [PATCH 35/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 3253a4a0..6a423b70 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -345,7 +345,7 @@ diff --git a/content/browser/gpu/gpu_process_host.cc b/content/browser/gpu/gpu_p index cd6b6be5cb..3e66a9860e 100644 --- a/content/browser/gpu/gpu_process_host.cc 
+++ b/content/browser/gpu/gpu_process_host.cc -@@ -1313,6 +1313,11 @@ bool GpuProcessHost::LaunchGpuProcess() { +@@ -1313,6 +1313,12 @@ bool GpuProcessHost::LaunchGpuProcess() { } #endif // BUILDFLAG(IS_WIN) @@ -354,6 +354,7 @@ index cd6b6be5cb..3e66a9860e 100644 + cmd_line->AppendSwitchASCII(switches::kGpuDriverVersion, + device_info.driver_version); + } ++ LOG(ERROR) << "Detected gallium version : " << device_info.driver_version; if (kind_ == GPU_PROCESS_KIND_INFO_COLLECTION) { cmd_line->AppendSwitch(sandbox::policy::switches::kDisableGpuSandbox); cmd_line->AppendSwitchASCII(switches::kUseGL, From db06b74b1c1a55ecab52280bdb1c0758a959bc4f Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 7 Dec 2025 19:04:39 -0500 Subject: [PATCH 36/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 6a423b70..18a28156 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -370,7 +370,7 @@ index cd6b6be5cb..3e66a9860e 100644 cmd_line->AppendSwitchASCII(switches::kGpuRevision, base::StringPrintf("%u", device_info.revision)); #endif -- if (device_info.driver_version.length()) { +- if (!device_info.driver_version.empty()) { - cmd_line->AppendSwitchASCII(switches::kGpuDriverVersion, - device_info.driver_version); - } From 3bb9b2f37f695021d8f20e22ad7567b5a9b58400 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 14 Dec 2025 23:33:48 -0500 Subject: [PATCH 37/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 43 ++++----------------------------- 1 file changed, 5 insertions(+), 38 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 18a28156..f7b0cc11 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
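Review bot: The added `LOG(ERROR) << "Detected gallium version : " << device_info.driver_version;` in `GpuProcessHost::LaunchGpuProcess()` sits after the closing brace of the non-empty check, so it fires at error severity on every GPU process launch and prints an empty value when no driver version was collected. If it is meant as a diagnostic, move it inside the `if` and lower the severity, e.g. `VLOG(1) << "GPU driver version: " << device_info.driver_version;`. The message calls the value a gallium version, but the field is the active GPU's `driver_version`; nothing in the hunk shows that the two are the same string. The function body continues outside the hunk.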
@@ -167,11 +167,14 @@ diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc index 30cc1d4a17..1ab638e6e9 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,10 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ sandbox_options.gpu_driver_version = gpu_info->gpu.driver_version; ++ if (command_line->HasSwitch("libgallium-library-version")) { ++ sandbox_options.gpu_driver_version = ++ command_line->GetSwitchValueASCII("libgallium-library-version"); ++ } } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; 
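Review bot: The value of `--libgallium-library-version` is copied into `sandbox_options.gpu_driver_version` in `StartSandboxLinux` with no format check, and elsewhere in this patch file that field is concatenated into `"/usr/lib64/libgallium-" + driver_version + ".so"` and added to the broker's read-only allowlist. A value containing `/` would widen what the sandboxed GPU process may open, so restrict the string to digits and dots before storing it, e.g. `if (base::ContainsOnlyChars(v, "0123456789.")) sandbox_options.gpu_driver_version = v;`. The switch name is repeated as a string literal; a named constant next to the other GPU switches would keep the launcher script and this consumer in step. `StartSandboxLinux` begins and ends outside the hunk.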
@@ -341,39 +344,3 @@ index 165ca85462..00e0c34024 100644 }; SandboxSeccompBPF() = delete; -diff --git a/content/browser/gpu/gpu_process_host.cc b/content/browser/gpu/gpu_process_host.cc -index cd6b6be5cb..3e66a9860e 100644 ---- a/content/browser/gpu/gpu_process_host.cc -+++ b/content/browser/gpu/gpu_process_host.cc -@@ -1313,6 +1313,12 @@ bool GpuProcessHost::LaunchGpuProcess() { - } - #endif // BUILDFLAG(IS_WIN) - -+ const gpu::GPUInfo::GPUDevice device_info = GetGPUInfo().active_gpu(); -+ if (device_info.driver_version.length()) { -+ cmd_line->AppendSwitchASCII(switches::kGpuDriverVersion, -+ device_info.driver_version); -+ } -+ LOG(ERROR) << "Detected gallium version : " << device_info.driver_version; - if (kind_ == GPU_PROCESS_KIND_INFO_COLLECTION) { - cmd_line->AppendSwitch(sandbox::policy::switches::kDisableGpuSandbox); - cmd_line->AppendSwitchASCII(switches::kUseGL, -@@ -1320,7 +1325,6 @@ bool GpuProcessHost::LaunchGpuProcess() { - - // Pass the current device info to the info-collection GPU process for - // crash key logging. -- const gpu::GPUInfo::GPUDevice device_info = GetGPUInfo().active_gpu(); - cmd_line->AppendSwitchASCII( - switches::kGpuVendorId, - base::StringPrintf("%u", device_info.vendor_id)); -@@ -1334,10 +1338,6 @@ bool GpuProcessHost::LaunchGpuProcess() { - cmd_line->AppendSwitchASCII(switches::kGpuRevision, - base::StringPrintf("%u", device_info.revision)); - #endif -- if (!device_info.driver_version.empty()) { -- cmd_line->AppendSwitchASCII(switches::kGpuDriverVersion, -- device_info.driver_version); -- } - } - - // TODO(penghuang): Replace all GPU related switches with GpuPreferences. From 49ced137b60eb8615ec8de1759f73109040ac461 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:09:25 -0500 Subject: [PATCH 38/64] Update trivalent.conf --- build/trivalent.conf | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) 
diff --git a/build/trivalent.conf b/build/trivalent.conf index 351b67a1..829f7be1 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -41,7 +41,9 @@ elif [ -z "$USE_WAYLAND" ]; then ;; esac fi -[ "$USE_WAYLAND" == "false" ] && CHROMIUM_SYSTEM_FLAGS+=" --ozone-platform=x11" +if [ "$USE_WAYLAND" == "false" ]; then + CHROMIUM_SYSTEM_FLAGS+=" --ozone-platform=x11" +fi # Other architectures are not tested for and should not be included yet # ENABLE_VULKAN=[true|false] @@ -61,8 +63,17 @@ if [ "$ARCH" == "x86_64" ] ; then CHROMIUM_SYSTEM_FLAGS+=" --use-angle=vulkan --use-vulkan" FEATURES+=",Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,VaapiIgnoreDriverChecks" fi + + declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9][0-9]\.[0-9]\.[0-9]")" + if [[ -n "$GALLIUMVER" && "$GALLIUMVER" =~ [0-9][0-9].[0-9].[0-9] ]]; then + CHROMIUM_SYSTEM_FLAGS+=" --libgallium-library-version=\"$GALLIUMVER\"" + fi fi -[ "$BROWSER_LOG_LEVEL" -ge 2 ] && CHROMIUM_SYSTEM_FLAGS+=" --enable-logging=stderr --v=1" +if [ "$BROWSER_LOG_LEVEL" -ge 2 ]; then + CHROMIUM_SYSTEM_FLAGS+=" --enable-logging=stderr --v=1" +fi -[ -n "$FEATURES" ] && CHROMIUM_SYSTEM_FLAGS+=" --enable-features=$FEATURES" +if [ -n "$FEATURES" ]; then + CHROMIUM_SYSTEM_FLAGS+=" --enable-features=$FEATURES" +fi From 56221b1cd8547d73a0e3eec4336272837097e3e2 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:09:53 -0500 Subject: [PATCH 39/64] Update trivalent.conf --- build/trivalent.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index 829f7be1..416eabf1 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf 
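Review bot: `GALLIUMVER` in the second hunk comes from `compgen -G ... | grep -oE ...`, which prints one line per matching file, so a system with two `libgallium-*.so` versions installed yields a multi-line value that is then spliced into `CHROMIUM_SYSTEM_FLAGS`. Reduce it to a single value, for example by ending the pipeline with `| sort -V | tail -n1`, and anchor the check as `[[ "$GALLIUMVER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]`; the current `=~` pattern is unanchored and its dots are unescaped, so it accepts any string that merely contains something version-like. The escaped quotes in `--libgallium-library-version=\"$GALLIUMVER\"` become literal characters of the flag value if `CHROMIUM_SYSTEM_FLAGS` is later expanded unquoted; that expansion is not visible here, so confirm how the launcher consumes the variable.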
@@ -64,8 +64,8 @@ if [ "$ARCH" == "x86_64" ] ; then FEATURES+=",Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,VaapiIgnoreDriverChecks" fi - declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9][0-9]\.[0-9]\.[0-9]")" - if [[ -n "$GALLIUMVER" && "$GALLIUMVER" =~ [0-9][0-9].[0-9].[0-9] ]]; then + declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9]+.[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" + if [[ -n "$GALLIUMVER" && "$GALLIUMVER" =~ [0-9]+.[0-9].[0-9] ]]; then CHROMIUM_SYSTEM_FLAGS+=" --libgallium-library-version=\"$GALLIUMVER\"" fi fi From a44084720498a64fadeb4c117c7d08beab359a32 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:36:26 -0500 Subject: [PATCH 40/64] Update trivalent.conf --- build/trivalent.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index 416eabf1..1a89e9e3 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -64,9 +64,9 @@ if [ "$ARCH" == "x86_64" ] ; then FEATURES+=",Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,VaapiIgnoreDriverChecks" fi - declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9]+.[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" + declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" if [[ -n "$GALLIUMVER" && "$GALLIUMVER" =~ [0-9]+.[0-9].[0-9] ]]; then - CHROMIUM_SYSTEM_FLAGS+=" --libgallium-library-version=\"$GALLIUMVER\"" + CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" fi fi From 6ff909ea8ba49d84c1b5e6a8183e41ea54ebd058 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:47:07 -0500 Subject: [PATCH 41/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) 
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index f7b0cc11..85128c87 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -164,16 +164,32 @@ index 2e53794fa3..e081374b49 100644 if (!LoadAmdGpuLibraries()) return false; diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc -index 30cc1d4a17..1ab638e6e9 100644 +index 30cc1d4a17..eff1aaf28c 100644 --- a/content/gpu/gpu_main.cc +++ b/content/gpu/gpu_main.cc -@@ -527,6 +527,10 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -82,6 +82,10 @@ + #include "ui/gl/gpu_switching_manager.h" + #include "ui/gl/init/gl_factory.h" + ++#if BUILDFLAG(IS_LINUX) ++#include "third_party/re2/src/re2/re2.h" ++#endif ++ + #if BUILDFLAG(IS_WIN) + #include + +@@ -527,6 +531,15 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ if (command_line->HasSwitch("libgallium-library-version")) { -+ sandbox_options.gpu_driver_version = -+ command_line->GetSwitchValueASCII("libgallium-library-version"); ++ if (command_line->HasSwitch("libgallium-version")) { ++ const std::string libgalliumVersion = ++ command_line->GetSwitchValueASCII("libgallium-version"); ++ // Make sure our input is correct ++ const RE2 pattern(R"(^[0-9]+\.[0-9]\.[0-9]$)"); ++ if (RE2::FullMatch(libgalliumVersion, pattern)) { ++ sandbox_options.gpu_driver_version = libgalliumVersion; ++ } + } } sandbox_options.accelerated_video_decode_enabled = From ebb6a30aa30648d1b6bc7dd7185ee6d2da5a1d56 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:47:38 -0500 Subject: [PATCH 42/64] Update trivalent.conf --- build/trivalent.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index 1a89e9e3..a6969e70 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf 
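Review bot: The pattern `^[0-9]+\.[0-9]\.[0-9]$` in `StartSandboxLinux` accepts only single-digit minor and patch components, so a version such as `25.0.10` (constructed example) is rejected and `gpu_driver_version` stays empty with nothing logged. Widening it to `R"([0-9]+\.[0-9]+\.[0-9]+)"` still confines the input to digits and dots, and `RE2::FullMatch` already anchors both ends, so `^` and `$` are redundant. The launcher's glob and `grep` pattern would need the same widening to stay in step. Add a warning on the reject branch so a silently missing allowlist entry can be diagnosed. `StartSandboxLinux` begins and ends outside the hunk.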
@@ -65,7 +65,7 @@ if [ "$ARCH" == "x86_64" ] ; then fi declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" - if [[ -n "$GALLIUMVER" && "$GALLIUMVER" =~ [0-9]+.[0-9].[0-9] ]]; then + if [[ -n "$GALLIUMVER" ]]; then CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" fi fi From 9ec6123468e1ef24cec8dcaf9ed82b8a510d178e Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:49:45 -0500 Subject: [PATCH 43/64] Update trivalent.conf --- build/trivalent.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index a6969e70..01992733 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -65,9 +65,9 @@ if [ "$ARCH" == "x86_64" ] ; then fi declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" - if [[ -n "$GALLIUMVER" ]]; then + if [[ -n "$GALLIUMVER" ]]; then CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" - fi + fi fi if [ "$BROWSER_LOG_LEVEL" -ge 2 ]; then From 19abef88c4c58ba7dc800ab1d168e7c7cbb8916a Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:49:55 -0500 Subject: [PATCH 44/64] Update trivalent.conf --- build/trivalent.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index 01992733..7b0991e6 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -66,7 +66,7 @@ if [ "$ARCH" == "x86_64" ] ; then declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" if [[ -n "$GALLIUMVER" ]]; then - CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" + CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" fi fi 
From 017c8d460965934006b3ad99148334d84814130b Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:52:35 -0500 Subject: [PATCH 45/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 85128c87..7ed599bd 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -178,16 +178,15 @@ index 30cc1d4a17..eff1aaf28c 100644 #if BUILDFLAG(IS_WIN) #include -@@ -527,6 +531,15 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +531,14 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } + if (command_line->HasSwitch("libgallium-version")) { + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); -+ // Make sure our input is correct -+ const RE2 pattern(R"(^[0-9]+\.[0-9]\.[0-9]$)"); -+ if (RE2::FullMatch(libgalliumVersion, pattern)) { ++ // Make sure our input is safe ++ if (RE2::FullMatch(libgalliumVersion, "(^[0-9]+\.[0-9]\.[0-9]$)")) { + sandbox_options.gpu_driver_version = libgalliumVersion; + } + } From e4b513767be3c6f7975fe9148b792b63b7cd2203 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 00:59:09 -0500 Subject: [PATCH 46/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 7ed599bd..496796f2 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
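Review bot: Replacing the raw-string pattern with the ordinary literal `"(^[0-9]+\.[0-9]\.[0-9]$)"` makes `\.` an unrecognised C++ escape sequence; GCC and Clang diagnose it and drop the backslash, so the regex handed to `RE2::FullMatch` contains bare `.` wildcards and no longer restricts the separators to dots. The accepted value is later concatenated into the `/usr/lib64/libgallium-<version>.so` path added to the broker allowlist, so the check should stay exact: `if (RE2::FullMatch(libgalliumVersion, R"(^[0-9]+\.[0-9]\.[0-9]$)")) {`. The same non-raw literal is carried through the later revisions of this check in patches 46, 48, 49, 53 and 54 of the series. `StartSandboxLinux` begins and ends outside the hunk.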
@@ -186,7 +186,7 @@ index 30cc1d4a17..eff1aaf28c 100644 + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); + // Make sure our input is safe -+ if (RE2::FullMatch(libgalliumVersion, "(^[0-9]+\.[0-9]\.[0-9]$)")) { ++ if (RE2::FullMatch(libgalliumVersion, "^[0-9]+\.[0-9]\.[0-9]$")) { + sandbox_options.gpu_driver_version = libgalliumVersion; + } + } From e6b2c857c9d44bb48afce6bc7a749374007c8c28 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:33:18 -0500 Subject: [PATCH 47/64] Update trivalent.conf --- build/trivalent.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index 7b0991e6..870910b3 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -64,7 +64,7 @@ if [ "$ARCH" == "x86_64" ] ; then FEATURES+=",Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,VaapiIgnoreDriverChecks" fi - declare -r GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" + GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" if [[ -n "$GALLIUMVER" ]]; then CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" fi From 0b8d685ffc45f9846f44642f825ea766a3539c14 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:36:28 -0500 Subject: [PATCH 48/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 496796f2..bf027405 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch 
@@ -178,13 +178,14 @@ index 30cc1d4a17..eff1aaf28c 100644 #if BUILDFLAG(IS_WIN) #include -@@ -527,6 +531,14 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +531,15 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ if (command_line->HasSwitch("libgallium-version")) { ++ const base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess(); ++ if (cmdline->HasSwitch("libgallium-version")) { + const std::string libgalliumVersion = -+ command_line->GetSwitchValueASCII("libgallium-version"); ++ cmdline->GetSwitchValueASCII("libgallium-version"); + // Make sure our input is safe + if (RE2::FullMatch(libgalliumVersion, "^[0-9]+\.[0-9]\.[0-9]$")) { + sandbox_options.gpu_driver_version = libgalliumVersion; From 3e1e5785f816bbdfa7b1a8dce1f7fa67e4dfd439 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 15 Dec 2025 23:53:00 -0500 Subject: [PATCH 49/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 86 ++++++++++++++++++--------------- 1 file changed, 48 insertions(+), 38 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index bf027405..1bd4dfca 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -11,7 +11,7 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e See the License for the specific language governing permissions and limitations under the License. --- diff --git a/content/common/gpu_pre_sandbox_hook_linux.cc b/content/common/gpu_pre_sandbox_hook_linux.cc -index 2e53794fa3..e081374b49 100644 +index 2e53794fa3..986d44ab5d 100644 --- a/content/common/gpu_pre_sandbox_hook_linux.cc +++ b/content/common/gpu_pre_sandbox_hook_linux.cc @@ -48,8 +48,8 @@ using sandbox::syscall_broker::BrokerProcess; 
@@ -49,13 +49,13 @@ index 2e53794fa3..e081374b49 100644 +void AddLibGalliumLinuxPermissions( + std::vector* permissions, -+ const std::string driver_version) { ++ const std::string gallium_version) { + if (driver_version.empty()) { + LOG(ERROR) << "Detected driver version is empty, gpu sandbox may fail"; + return; + } + const std::string libgallium_path = -+ "/usr/lib64/libgallium-" + driver_version + ".so"; ++ "/usr/lib64/libgallium-" + gallium_version + ".so"; + LOG(ERROR) << "Detected gallium path : " << libgallium_path; + permissions->push_back(BrokerFilePermission::ReadOnly(libgallium_path)); +} @@ -146,11 +146,11 @@ index 2e53794fa3..e081374b49 100644 } if (options.use_amd_specific_policies) { AddAmdGpuPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, options.gpu_driver_version); ++ AddLibGalliumLinuxPermissions(&permissions, options.gallium_version); } if (options.use_intel_specific_policies) { AddIntelGpuPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, options.gpu_driver_version); ++ AddLibGalliumLinuxPermissions(&permissions, options.gallium_version); } if (options.use_nvidia_specific_policies) { AddStandardGpuPermissions(&permissions); @@ -164,41 +164,33 @@ index 2e53794fa3..e081374b49 100644 if (!LoadAmdGpuLibraries()) return false; diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc -index 30cc1d4a17..eff1aaf28c 100644 +index 30cc1d4a17..a565ea4b5c 100644 --- a/content/gpu/gpu_main.cc 
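Review bot: In the `AddLibGalliumLinuxPermissions` hunk the parameter is renamed to `gallium_version`, but the unchanged guard still reads `if (driver_version.empty())`, which no longer names the parameter and should fail to compile unless another `driver_version` happens to be in scope. Rename the guard too, `if (gallium_version.empty()) {`, and take the argument by reference, `const std::string& gallium_version`, since it is only read. The two `LOG(ERROR)` lines in this function report ordinary conditions at error severity; `LOG(WARNING)` for the empty case and `VLOG(1)` for the resolved path would fit better.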
+++ b/content/gpu/gpu_main.cc -@@ -82,6 +82,10 @@ - #include "ui/gl/gpu_switching_manager.h" - #include "ui/gl/init/gl_factory.h" - -+#if BUILDFLAG(IS_LINUX) -+#include "third_party/re2/src/re2/re2.h" -+#endif -+ - #if BUILDFLAG(IS_WIN) - #include - -@@ -527,6 +531,15 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, +@@ -527,6 +527,7 @@ bool StartSandboxLinux(gpu::GpuWatchdogThread* watchdog_thread, else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ const base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess(); -+ if (cmdline->HasSwitch("libgallium-version")) { -+ const std::string libgalliumVersion = -+ cmdline->GetSwitchValueASCII("libgallium-version"); -+ // Make sure our input is safe -+ if (RE2::FullMatch(libgalliumVersion, "^[0-9]+\.[0-9]\.[0-9]$")) { -+ sandbox_options.gpu_driver_version = libgalliumVersion; -+ } -+ } ++ sandbox_options.gallium_version = gpu_prefs.gallium_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; diff --git a/content/public/browser/gpu_utils.cc b/content/public/browser/gpu_utils.cc -index 65dea86a65..3222da15ed 100644 +index 65dea86a65..ab9d387a01 100644 --- a/content/public/browser/gpu_utils.cc +++ b/content/public/browser/gpu_utils.cc -@@ -82,6 +82,15 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { +@@ -29,6 +29,10 @@ + #include "ui/gfx/switches.h" + #include "ui/gl/gl_features.h" + ++#if BUILDFLAG(IS_LINUX) ++#include "third_party/re2/src/re2/re2.h" ++#endif ++ + namespace { + + void KillGpuProcessImpl(content::GpuProcessHost* host) { +@@ -82,6 +86,25 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { gpu_preferences.gpu_sandbox_start_early = command_line->HasSwitch(switches::kGpuSandboxStartEarly); 
@@ -210,18 +202,31 @@ index 65dea86a65..3222da15ed 100644 +#else + false; +#endif ++ ++#if BUILDFLAG(IS_LINUX) ++ if (command_line->HasSwitch("libgallium-version")) { ++ const std::string libgalliumVersion = ++ cmdline->GetSwitchValueASCII("libgallium-version"); ++ // Make sure our input is safe ++ if (RE2::FullMatch(libgalliumVersion, "^[0-9]+\.[0-9]\.[0-9]$")) ++ gpu_preferences.gallium_version = libgalliumVersion; ++ } ++#endif + gpu_preferences.enable_vulkan_protected_memory = command_line->HasSwitch(switches::kEnableVulkanProtectedMemory); gpu_preferences.disable_vulkan_fallback_to_gl_for_testing = diff --git a/gpu/config/gpu_preferences.h b/gpu/config/gpu_preferences.h -index 7da57a4b42..02be997c1d 100644 +index 7da57a4b42..e9e7fa3df2 100644 --- a/gpu/config/gpu_preferences.h +++ b/gpu/config/gpu_preferences.h -@@ -134,6 +134,9 @@ struct GPU_CONFIG_EXPORT GpuPreferences { +@@ -134,6 +134,12 @@ struct GPU_CONFIG_EXPORT GpuPreferences { // Starts the GPU sandbox before creating a GL context. bool gpu_sandbox_start_early = false; ++ // LibGallium library version for sandbox whitelist. ++ std::string gallium_version; ++ + // Enable the GPU sandbox on Linux, implies gpu_sandbox_start_early + bool gpu_sandbox_linux = false; + @@ -229,35 +234,40 @@ index 7da57a4b42..02be997c1d 100644 bool enable_low_latency_dxva = true; diff --git a/gpu/ipc/common/gpu_preferences.mojom b/gpu/ipc/common/gpu_preferences.mojom -index 9cc16eaa45..39fc10f9f8 100644 +index 9cc16eaa45..3e221581bf 100644 --- a/gpu/ipc/common/gpu_preferences.mojom +++ b/gpu/ipc/common/gpu_preferences.mojom -@@ -59,6 +59,7 @@ struct GpuPreferences { +@@ -59,6 +59,8 @@ struct GpuPreferences { bool gpu_startup_dialog; bool disable_gpu_watchdog; bool gpu_sandbox_start_early; + bool gpu_sandbox_linux; ++ string gallium_version; // TODO(http://crbug.com/676224) Support preprocessing of mojoms. Following // variables should be used on Windows only. 
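Review bot: The new block in `GetGpuPreferencesFromCommandLine()` tests `command_line->HasSwitch("libgallium-version")` but reads the value through `cmdline->GetSwitchValueASCII(...)`; no `cmdline` is declared in the visible lines, so this looks like a leftover from the version of the check that lived in `gpu_main.cc`. Use the same pointer for both calls: `command_line->GetSwitchValueASCII("libgallium-version");`. A rejected value leaves `gallium_version` empty with nothing logged, so a short warning on the non-matching branch would make a missing broker allowlist entry easier to trace. The function starts and ends outside the hunk.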
diff --git a/gpu/ipc/common/gpu_preferences_mojom_traits.h b/gpu/ipc/common/gpu_preferences_mojom_traits.h -index 28d9ac5174..84cf63972b 100644 +index 28d9ac5174..f621437301 100644 --- a/gpu/ipc/common/gpu_preferences_mojom_traits.h +++ b/gpu/ipc/common/gpu_preferences_mojom_traits.h -@@ -221,6 +221,7 @@ struct GPU_IPC_COMMON_EXPORT StructTraitsgpu_startup_dialog = prefs.gpu_startup_dialog(); out->disable_gpu_watchdog = prefs.disable_gpu_watchdog(); out->gpu_sandbox_start_early = prefs.gpu_sandbox_start_early(); + out->gpu_sandbox_linux = prefs.gpu_sandbox_linux(); ++ out->gallium_version = prefs.gallium_version(); out->enable_low_latency_dxva = prefs.enable_low_latency_dxva(); out->enable_zero_copy_dxgi_video = prefs.enable_zero_copy_dxgi_video(); out->enable_nv12_dxgi_video = prefs.enable_nv12_dxgi_video(); -@@ -325,6 +326,9 @@ struct GPU_IPC_COMMON_EXPORT StructTraits( mremap_policy, base::CommandLine::ForCurrentProcess()->HasSwitch( diff --git a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h -index 165ca85462..00e0c34024 100644 +index 165ca85462..1c6fdeaa88 100644 --- a/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h +++ b/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h @@ -33,6 +33,7 @@ class SANDBOX_POLICY_EXPORT SandboxSeccompBPF { // Options for GPU's PreSandboxHook. bool accelerated_video_decode_enabled = false; bool accelerated_video_encode_enabled = false; -+ std::string gpu_driver_version; ++ std::string gallium_version; }; SandboxSeccompBPF() = delete; From 537d717a63982dd5272a586736bb12247c8e2bf2 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 20 Dec 2025 12:06:33 -0500 Subject: [PATCH 50/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 1bd4dfca..207b8e28 100644 
--- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -49,13 +49,13 @@ index 2e53794fa3..986d44ab5d 100644 +void AddLibGalliumLinuxPermissions( + std::vector* permissions, -+ const std::string gallium_version) { ++ const std::string driver_version) { + if (driver_version.empty()) { + LOG(ERROR) << "Detected driver version is empty, gpu sandbox may fail"; + return; + } + const std::string libgallium_path = -+ "/usr/lib64/libgallium-" + gallium_version + ".so"; ++ "/usr/lib64/libgallium-" + driver_version + ".so"; + LOG(ERROR) << "Detected gallium path : " << libgallium_path; + permissions->push_back(BrokerFilePermission::ReadOnly(libgallium_path)); +} @@ -146,11 +146,11 @@ index 2e53794fa3..986d44ab5d 100644 } if (options.use_amd_specific_policies) { AddAmdGpuPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, options.gallium_version); ++ AddLibGalliumLinuxPermissions(&permissions, options.driver_version); } if (options.use_intel_specific_policies) { AddIntelGpuPermissions(&permissions); -+ AddLibGalliumLinuxPermissions(&permissions, options.gallium_version); ++ AddLibGalliumLinuxPermissions(&permissions, options.driver_version); } if (options.use_nvidia_specific_policies) { AddStandardGpuPermissions(&permissions); @@ -171,7 +171,7 @@ index 30cc1d4a17..a565ea4b5c 100644 else if (angle::IsNVIDIA(gpu.vendor_id)) sandbox_options.use_nvidia_specific_policies = true; } -+ sandbox_options.gallium_version = gpu_prefs.gallium_version; ++ sandbox_options.driver_version = gpu_prefs.gallium_version; } sandbox_options.accelerated_video_decode_enabled = !gpu_prefs.disable_accelerated_video_decode; @@ -366,7 +366,7 @@ index 165ca85462..1c6fdeaa88 100644 // Options for GPU's PreSandboxHook. bool accelerated_video_decode_enabled = false; bool accelerated_video_encode_enabled = false; -+ std::string gallium_version; ++ std::string driver_version; }; SandboxSeccompBPF() = delete; 
From 1cf2a774ca2bd23e0a40a58d19a601c9cb970ef8 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 20 Dec 2025 15:42:16 -0500 Subject: [PATCH 51/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 207b8e28..76bf08e3 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -266,7 +266,7 @@ index 28d9ac5174..f621437301 100644 + static bool gpu_sandbox_linux(const gpu::GpuPreferences& prefs) { + return prefs.gpu_sandbox_linux; + } -+ static std::string gallium_version(const gpu::GpuPreferences& prefs) { ++ static const std::string& gallium_version(const gpu::GpuPreferences& prefs) { + return prefs.gallium_version; + } static bool enable_low_latency_dxva(const gpu::GpuPreferences& prefs) { From 6bf0a359561b6aa533faa58739e38b0d8b72b9be Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 20 Dec 2025 17:03:35 -0500 Subject: [PATCH 52/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 76bf08e3..b83ac563 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -207,7 +207,7 @@ index 65dea86a65..ab9d387a01 100644 + if (command_line->HasSwitch("libgallium-version")) { + const std::string libgalliumVersion = + cmdline->GetSwitchValueASCII("libgallium-version"); -+ // Make sure our input is safe ++ LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; + if (RE2::FullMatch(libgalliumVersion, "^[0-9]+\.[0-9]\.[0-9]$")) + gpu_preferences.gallium_version = libgalliumVersion; + } 
@@ -255,7 +255,7 @@ index 28d9ac5174..f621437301 100644 out->disable_gpu_watchdog = prefs.disable_gpu_watchdog(); out->gpu_sandbox_start_early = prefs.gpu_sandbox_start_early(); + out->gpu_sandbox_linux = prefs.gpu_sandbox_linux(); -+ out->gallium_version = prefs.gallium_version(); ++ //out->gallium_version = prefs.gallium_version(); out->enable_low_latency_dxva = prefs.enable_low_latency_dxva(); out->enable_zero_copy_dxgi_video = prefs.enable_zero_copy_dxgi_video(); out->enable_nv12_dxgi_video = prefs.enable_nv12_dxgi_video(); From 348d17689797611e0c78fe0e3c2e6f513825e50b Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sat, 20 Dec 2025 20:46:23 -0500 Subject: [PATCH 53/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index b83ac563..5ebf2150 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -206,9 +206,9 @@ index 65dea86a65..ab9d387a01 100644 +#if BUILDFLAG(IS_LINUX) + if (command_line->HasSwitch("libgallium-version")) { + const std::string libgalliumVersion = -+ cmdline->GetSwitchValueASCII("libgallium-version"); ++ command_line->GetSwitchValueASCII("libgallium-version"); + LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (RE2::FullMatch(libgalliumVersion, "^[0-9]+\.[0-9]\.[0-9]$")) ++ if (RE2::FullMatch(libgalliumVersion, "[0-9]+\.[0-9]\.[0-9]")) + gpu_preferences.gallium_version = libgalliumVersion; + } +#endif From 20638258a56895b801c4c9622abe092336b05d5b Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Sun, 21 Dec 2025 23:12:31 -0500 Subject: [PATCH 54/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
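Review bot: Commenting out `out->gallium_version = prefs.gallium_version();` in the `@@ -255,7` hunk means the field is never filled in when the preferences are deserialised. The receiving side then keeps the default (presumably an empty string), and the libgallium helper in this series returns early on an empty version without adding the broker permission. Commented-out code should not be committed. Read the string through the data view instead, `if (!prefs.ReadGalliumVersion(&out->gallium_version)) return false;`, or remove the line with a TODO explaining what is pending. The function this line belongs to starts and ends outside the hunk.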
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 5ebf2150..d8288dea 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -190,7 +190,7 @@ index 65dea86a65..ab9d387a01 100644 namespace { void KillGpuProcessImpl(content::GpuProcessHost* host) { -@@ -82,6 +86,25 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { +@@ -82,6 +86,27 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { gpu_preferences.gpu_sandbox_start_early = command_line->HasSwitch(switches::kGpuSandboxStartEarly); @@ -208,8 +208,10 @@ index 65dea86a65..ab9d387a01 100644 + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); + LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (RE2::FullMatch(libgalliumVersion, "[0-9]+\.[0-9]\.[0-9]")) ++ if (RE2::FullMatch(libgalliumVersion, "[0-9]+\.[0-9]\.[0-9]")) { + gpu_preferences.gallium_version = libgalliumVersion; ++ LOG(ERROR) << "Gallium version match : " << libgalliumVersion; ++ } + } +#endif + @@ -255,7 +257,7 @@ index 28d9ac5174..f621437301 100644 out->disable_gpu_watchdog = prefs.disable_gpu_watchdog(); out->gpu_sandbox_start_early = prefs.gpu_sandbox_start_early(); + out->gpu_sandbox_linux = prefs.gpu_sandbox_linux(); -+ //out->gallium_version = prefs.gallium_version(); ++ out->gallium_version = prefs.gallium_version(); out->enable_low_latency_dxva = prefs.enable_low_latency_dxva(); out->enable_zero_copy_dxgi_video = prefs.enable_zero_copy_dxgi_video(); out->enable_nv12_dxgi_video = prefs.enable_nv12_dxgi_video(); From 7f16183b7766b5fbc85a424aa621ac05f8015a78 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 22 Dec 2025 18:34:38 -0500 Subject: [PATCH 55/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
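Review bot: The `LOG(ERROR) << "Gallium version match : "` line added in the `@@ -208,8 +208,10` hunk reports the success path at error severity, next to the existing `LOG(ERROR) << "Provided gallium version : "` line that prints the switch value before it is validated. That puts an error-level entry in the log on every normal start and makes real sandbox failures harder to spot. Use `VLOG(1) << "Gallium version match : " << libgalliumVersion;` for the match, and log the provided value only after the `RE2::FullMatch` check has passed. The enclosing `GetGpuPreferencesFromCommandLine` body continues outside the hunk.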
diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index d8288dea..75a8f793 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -257,7 +257,8 @@ index 28d9ac5174..f621437301 100644 out->disable_gpu_watchdog = prefs.disable_gpu_watchdog(); out->gpu_sandbox_start_early = prefs.gpu_sandbox_start_early(); + out->gpu_sandbox_linux = prefs.gpu_sandbox_linux(); -+ out->gallium_version = prefs.gallium_version(); ++ if (!prefs.ReadGalliumVersion(&out->gallium_version)) ++ return false; out->enable_low_latency_dxva = prefs.enable_low_latency_dxva(); out->enable_zero_copy_dxgi_video = prefs.enable_zero_copy_dxgi_video(); out->enable_nv12_dxgi_video = prefs.enable_nv12_dxgi_video(); From 5d357ca5ee5177b33c193d92e0717a348e815948 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 22 Dec 2025 18:36:07 -0500 Subject: [PATCH 56/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 75a8f793..e388265f 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -252,7 +252,7 @@ diff --git a/gpu/ipc/common/gpu_preferences_mojom_traits.h b/gpu/ipc/common/gpu_ index 28d9ac5174..f621437301 100644 --- a/gpu/ipc/common/gpu_preferences_mojom_traits.h +++ b/gpu/ipc/common/gpu_preferences_mojom_traits.h -@@ -221,6 +221,8 @@ struct GPU_IPC_COMMON_EXPORT StructTraitsgpu_startup_dialog = prefs.gpu_startup_dialog(); out->disable_gpu_watchdog = prefs.disable_gpu_watchdog(); out->gpu_sandbox_start_early = prefs.gpu_sandbox_start_early(); 
@@ -262,7 +262,7 @@ index 28d9ac5174..f621437301 100644 out->enable_low_latency_dxva = prefs.enable_low_latency_dxva(); out->enable_zero_copy_dxgi_video = prefs.enable_zero_copy_dxgi_video(); out->enable_nv12_dxgi_video = prefs.enable_nv12_dxgi_video(); -@@ -325,6 +327,12 @@ struct GPU_IPC_COMMON_EXPORT StructTraits Date: Mon, 22 Dec 2025 19:58:18 -0500 Subject: [PATCH 57/64] Update trivalent.conf --- build/trivalent.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/build/trivalent.conf b/build/trivalent.conf index 870910b3..dda4c0f4 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -65,6 +65,7 @@ if [ "$ARCH" == "x86_64" ] ; then fi GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" + declare -r GALLIUMVER if [[ -n "$GALLIUMVER" ]]; then CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" fi From 7ce42d89cae68f1b03a2ba19a61dc76e18ff90b9 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Mon, 22 Dec 2025 19:58:40 -0500 Subject: [PATCH 58/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index e388265f..989bf06c 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -208,7 +208,7 @@ index 65dea86a65..ab9d387a01 100644 + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); + LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (RE2::FullMatch(libgalliumVersion, "[0-9]+\.[0-9]\.[0-9]")) { ++ if (RE2::FullMatch(libgalliumVersion, "[0-9]+\\.[0-9]\\.[0-9]")) { + gpu_preferences.gallium_version = libgalliumVersion; + LOG(ERROR) << "Gallium version match : " << libgalliumVersion; + } From 6dbea5bcbe7a032fc60498ca8cb9d4f4adf11af1 Mon Sep 17 00:00:00 2001 
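Review bot: In the build/trivalent.conf hunk, `GALLIUMVER` can end up holding more than one version. `compgen -G` prints every path that matches the glob and `grep -oE` emits one match per line, so with two libgallium builds installed the value contains a newline and the appended `--libgallium-version` flag is malformed. Select a single match explicitly, for example by appending `| sort -V | tail -n1` to the pipeline, before `declare -r GALLIUMVER` freezes the value. The glob only matches a two-digit major with one-digit minor and patch, so a version such as 25.0.10 produces no flag at all; a comment stating that limit would help. The surrounding `if [ "$ARCH" == "x86_64" ]` block starts outside the hunk.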
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 23 Dec 2025 01:03:40 -0500 Subject: [PATCH 59/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 989bf06c..90f4d186 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -208,7 +208,7 @@ index 65dea86a65..ab9d387a01 100644 + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); + LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (RE2::FullMatch(libgalliumVersion, "[0-9]+\\.[0-9]\\.[0-9]")) { ++ if (true/*RE2::FullMatch(libgalliumVersion, "[0-9]+\\.[0-9]\\.[0-9]")*/) { + gpu_preferences.gallium_version = libgalliumVersion; + LOG(ERROR) << "Gallium version match : " << libgalliumVersion; + } From ba9abbb1b1790be8432d8ce420665a24b70cb622 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 23 Dec 2025 09:42:19 -0500 Subject: [PATCH 60/64] Update trivalent.conf --- build/trivalent.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index dda4c0f4..8b4c20f2 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -67,7 +67,7 @@ if [ "$ARCH" == "x86_64" ] ; then GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" declare -r GALLIUMVER if [[ -n "$GALLIUMVER" ]]; then - CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=\"$GALLIUMVER\"" + CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=$GALLIUMVER" fi fi From 3820e5675cf4b9853199d5c0beac621718936c87 Mon Sep 17 00:00:00 2001 
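Review bot: Replacing the condition with `if (true/*RE2::FullMatch(...)*/)` in the `@@ -208,7` hunk disables the only format check on the `--libgallium-version` switch. Any string passed on the command line is then stored in `gpu_preferences.gallium_version`, and the sandbox hunks earlier in the series use that value to build the path that gets a read-only broker permission. If this is a debugging step, it should not be part of the committed series. Keep `if (RE2::FullMatch(libgalliumVersion, "[0-9]+\\.[0-9]\\.[0-9]")) {` and diagnose the mismatch with a log line on the rejecting branch instead.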
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 23 Dec 2025 09:43:10 -0500 Subject: [PATCH 61/64] Update trivalent.conf --- build/trivalent.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/trivalent.conf b/build/trivalent.conf index 8b4c20f2..b1b87e50 100644 --- a/build/trivalent.conf +++ b/build/trivalent.conf @@ -64,7 +64,7 @@ if [ "$ARCH" == "x86_64" ] ; then FEATURES+=",Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,VaapiIgnoreDriverChecks" fi - GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[0-9][0-9].[0-9].[0-9].so" | grep -oE "[0-9]+\.[0-9]\.[0-9]")" + GALLIUMVER="$(compgen -G "/usr/lib64/libgallium-[1-9][0-9].[0-9].[0-9].so" | grep -oE "[1-9][0-9]+\.[0-9]\.[0-9]")" declare -r GALLIUMVER if [[ -n "$GALLIUMVER" ]]; then CHROMIUM_SYSTEM_FLAGS+=" --libgallium-version=$GALLIUMVER" From 396c449936113405e9fcce36396c27bf4782a751 Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 23 Dec 2025 09:45:03 -0500 Subject: [PATCH 62/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index 90f4d186..c6715af8 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -208,7 +208,7 @@ index 65dea86a65..ab9d387a01 100644 + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); + LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (true/*RE2::FullMatch(libgalliumVersion, "[0-9]+\\.[0-9]\\.[0-9]")*/) { ++ if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]") { + gpu_preferences.gallium_version = libgalliumVersion; + LOG(ERROR) << "Gallium version match : " << libgalliumVersion; + } From 1b41b35623b158345e8527e7a88f3d577c567ce0 Mon Sep 17 00:00:00 2001 
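Review bot: The restored condition in the `@@ -208,7` hunk of linux-gpu-sandbox.patch is missing a closing parenthesis, so `if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]") {` does not compile and the series cannot be built at this commit. It should read `if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]")) {`. A one-line comment above the check would also help, saying that the pattern mirrors the glob in build/trivalent.conf and requires a major version of at least two digits.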
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 23 Dec 2025 13:43:32 -0500 Subject: [PATCH 63/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index c6715af8..b0be5575 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -208,7 +208,7 @@ index 65dea86a65..ab9d387a01 100644 + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); + LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]") { ++ if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]")) { + gpu_preferences.gallium_version = libgalliumVersion; + LOG(ERROR) << "Gallium version match : " << libgalliumVersion; + } From 2191d2d13efa35c4e6b0251d26217c49be82b60d Mon Sep 17 00:00:00 2001 From: Rootkit404 <175176948+RKNF404@users.noreply.github.com> Date: Tue, 23 Dec 2025 18:35:51 -0500 Subject: [PATCH 64/64] Update linux-gpu-sandbox.patch --- patches/linux-gpu-sandbox.patch | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/patches/linux-gpu-sandbox.patch b/patches/linux-gpu-sandbox.patch index b0be5575..64cf6089 100644 --- a/patches/linux-gpu-sandbox.patch +++ b/patches/linux-gpu-sandbox.patch @@ -190,7 +190,7 @@ index 65dea86a65..ab9d387a01 100644 namespace { void KillGpuProcessImpl(content::GpuProcessHost* host) { -@@ -82,6 +86,27 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { +@@ -82,6 +86,25 @@ const gpu::GpuPreferences GetGpuPreferencesFromCommandLine() { gpu_preferences.gpu_sandbox_start_early = command_line->HasSwitch(switches::kGpuSandboxStartEarly); 
@@ -207,11 +207,9 @@ index 65dea86a65..ab9d387a01 100644 + if (command_line->HasSwitch("libgallium-version")) { + const std::string libgalliumVersion = + command_line->GetSwitchValueASCII("libgallium-version"); -+ LOG(ERROR) << "Provided gallium version : " << libgalliumVersion; -+ if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]")) { ++ // We may recieve untrusted input, so validate it matches a version format ++ if (RE2::FullMatch(libgalliumVersion, "[1-9][0-9]+\\.[0-9]\\.[0-9]")) + gpu_preferences.gallium_version = libgalliumVersion; -+ LOG(ERROR) << "Gallium version match : " << libgalliumVersion; -+ } + } +#endif +
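Review bot: With both `LOG` lines removed in this hunk, a `--libgallium-version` value that fails the match is dropped without any message. The only trace is the later "Detected driver version is empty" error from the sandbox code, which does not say that the switch was rejected. Add a rejecting branch such as `else LOG(WARNING) << "Ignoring malformed --libgallium-version";`, without echoing the raw value. The new comment misspells `recieve` (should be `receive`), and it could state that only one-digit minor and patch components are accepted.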