From ac62778ab294ad8db0338b32344222d2c45d2ff2 Mon Sep 17 00:00:00 2001
From: Chuanxiao Dong
Date: Fri, 9 Apr 2021 15:39:58 +0800
Subject: [PATCH] seccomp: vfio: add one policy to allow fcntl

VFIO was recently updated to use try_clone() to duplicate a File. The
try_clone() implementation uses fcntl with the argument F_DUPFD_CLOEXEC
to duplicate the File, so one more rule needs to be added to
vfio_device.policy to allow it; otherwise VFIO will fail when the
sandbox is enabled.

BUG=None
TEST=boot VM with VFIO passthrough + sandbox enabled

Change-Id: I55cce937f1c12a32537aaff8d3ddafa135a674d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2816822
Reviewed-by: Daniel Verkamp
Tested-by: kokoro
Commit-Queue: Daniel Verkamp
---
 seccomp/x86_64/vfio_device.policy | 1 +
 1 file changed, 1 insertion(+)

diff --git a/seccomp/x86_64/vfio_device.policy b/seccomp/x86_64/vfio_device.policy
index aa28d1ad40..ee3253d4a8 100644
--- a/seccomp/x86_64/vfio_device.policy
+++ b/seccomp/x86_64/vfio_device.policy
@@ -10,3 +10,4 @@ openat: return ENOENT
 readlink: 1
 pread64: 1
 pwrite64: 1
+fcntl: arg1 == F_DUPFD_CLOEXEC
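Review bot: the patch touches only seccomp/x86_64/vfio_device.policy, yet the commit message motivates the rule with a change to VFIO's Rust code (try_clone() calling fcntl(F_DUPFD_CLOEXEC)) that is not architecture-specific; if the tree carries a vfio_device.policy for any other architecture, it needs the same `fcntl: arg1 == F_DUPFD_CLOEXEC` line or VFIO passthrough with the sandbox enabled will keep failing there, so please either add it in this change or state why x86_64 is the only policy. The filter itself is scoped as tightly as seccomp allows here: matching on arg1 permits only the F_DUPFD_CLOEXEC command while plain F_DUPFD and every other fcntl command stay denied, and the fd in arg0 cannot meaningfully be constrained in a policy. A short comment above the new line naming try_clone() as the caller, mirroring the commit message, would help the next person who has to decide whether the rule is still needed.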