From a0ce5322f7ad0c5d2edfa60764383351c15fa7b5 Mon Sep 17 00:00:00 2001
From: Zach Reizner
Date: Fri, 5 Jan 2018 19:59:54 -0800
Subject: [PATCH] wl: fix seccomp filter for memfd_create
The memfd_create flags changed with "add memfd seal support", which breaks the seccomp filter for the wayland device.
TEST=run a wayland app in crosvm
BUG=chromium:799523
Change-Id: I266e305bc3179a7b9fd105a684de92e944fe1fc6
Reviewed-on: https://chromium-review.googlesource.com/852937
Commit-Ready: Zach Reizner
Tested-by: Zach Reizner
Reviewed-by: Stephen Barber
---
 seccomp/x86_64/wl_device.policy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index c8043572d3..bc1ebb6939 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -28,8 +28,8 @@ connect: arg2 == 13
 # Used to communicate with wayland
 recvmsg: 1
 sendmsg: 1
-# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC
-memfd_create: arg1 == 1
+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
 # Used to set of size new memfd
 ftruncate: 1
 # Used to determine shm size after recvmsg with fd
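Review bot: The new rule `memfd_create: arg1 == 3` is an exact match on a bare literal, so the filter and the flags passed by the caller must change in lockstep, which is the breakage this commit repairs. Keeping the exact match is the tighter choice (a mask-style check would also admit calls without MFD_CLOEXEC), but the comment should spell out the values so the literal can be checked without the kernel headers, e.g. `# arg1 == MFD_CLOEXEC (0x1) | MFD_ALLOW_SEALING (0x2); must equal the flags the memfd_create caller passes`. The hunk does not show whether this policy permits the `fcntl` call needed to apply seals; if the sandboxed wayland device process adds seals itself, that rule has to be present as well, so please confirm. Only the x86_64 policy is touched here; if policies for other architectures exist, they presumably need the same value.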