From 3df2a8db60ad8a8d79677617921216c6cbe6efd0 Mon Sep 17 00:00:00 2001
From: Douglas Anderson <dianders@chromium.org>
Date: Tue, 3 May 2022 16:28:31 -0700
Subject: [PATCH] seccomp: Add memfd_create: arg1 == 3 for arm64

With testing, we're seeing secomp violations on aarch64. We need to
give access to "memfd_create" just like we did for arm32. Copy the
snippet from there.

BUG=b:223410173, b:230609113
TEST=Start arcvm; start android-sh; run tast arc.VMConfig

Change-Id: I4922e6decd67c3bc23fb090987b0318c384e0d68
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3626017
Auto-Submit: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Rob Clark <robdclark@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Dennis Kempin <denniskempin@google.com>
---
 seccomp/aarch64/gpu_common.policy | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/seccomp/aarch64/gpu_common.policy b/seccomp/aarch64/gpu_common.policy
index 4a9afde0a6..0b3536320e 100644
--- a/seccomp/aarch64/gpu_common.policy
+++ b/seccomp/aarch64/gpu_common.policy
@@ -66,6 +66,9 @@ fstatfs: 1
 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
 ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
 
+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
+
 ## mmap/mprotect differ from the common_device.policy
 mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ