seccomp: vfio: add one policy to allow fcntl

mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-06 02:25:23 +00:00

VFIO is updated to use try_clone() to duplicate a File recently.
The try_clone() implementation will use fcntl with the argument
F_DUPFD_CLOEXEC to duplicate the File, so need to add one more
rule in vfio_device.policy to allow it otherwise VFIO will be
failed when sandbox is enabled.

BUG=None
TEST=boot VM with VFIO passthrough + sandbox enabled

Change-Id: I55cce937f1c12a32537aaff8d3ddafa135a674d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2816822
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>

This commit is contained in:

Chuanxiao Dong

2021-04-09 15:39:58 +08:00

committed by

Commit Bot

parent a90649ab7c

commit ac62778ab2

1 changed files with 1 additions and 0 deletions

1

seccomp/x86_64/vfio_device.policy

View file

 @ -10,3 +10,4 @@ openat: return ENOENT
 readlink: 1
 pread64: 1
 pwrite64: 1
 fcntl: arg1 == F_DUPFD_CLOEXEC

seccomp: vfio: add one policy to allow fcntl

1 seccomp/x86_64/vfio_device.policy Unescape Escape View file

1

seccomp/x86_64/vfio_device.policy

View file