seccomp: Add memfd_create: arg1 == 3 for arm64

With testing, we're seeing secomp violations on aarch64. We need to give access to "memfd_create" just like we did for arm32. Copy the snippet from there. BUG=b:223410173, b:230609113 TEST=Start arcvm; start android-sh; run tast arc.VMConfig Change-Id: I4922e6decd67c3bc23fb090987b0318c384e0d68 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3626017 Auto-Submit: Douglas Anderson <dianders@chromium.org> Reviewed-by: Rob Clark <robdclark@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Commit-Queue: Daniel Verkamp <dverkamp@chromium.org> Reviewed-by: Dennis Kempin <denniskempin@google.com>
2025-02-06 02:25:23 +00:00 · 2022-05-03 16:28:31 -07:00 · 2022-05-03 16:28:31 -07:00 · 3df2a8db60
commit 3df2a8db60
parent 60b6ed0e77
1 changed files with 3 additions and 0 deletions
--- a/seccomp/aarch64/gpu_common.policy
+++ b/seccomp/aarch64/gpu_common.policy
@ -66,6 +66,9 @@ fstatfs: 1
 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
 ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543

+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
+
 ## mmap/mprotect differ from the common_device.policy
 mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ