From f19933bfb0220c3e03900241f3042ac79d30a2c5 Mon Sep 17 00:00:00 2001
From: Adrian Ratiu
Date: Thu, 4 Mar 2021 15:29:55 +0200
Subject: [PATCH] tree-wide: seccomp: allow clock_nanosleep syscalls

Starting with 2.32 glibc nanosleep() was refactored to use the clock_nanosleep syscall so various software will fail unless the new syscall is allowed. We can't just drop the old nanosleep syscall because it will break glibc 2.27 which is still used.

See glibc commits:
807edded25 nptl: Refactor thrd_sleep in terms of clock_nanosleep
3537ecb49c Refactor nanosleep in terms of clock_nanosleep
79a547b162 nptl: Move nanosleep implementation to libc

This is a bulk edit done with the following command:
git grep -rl 'nanosleep: 1' | xargs sed -i \
'/^nanosleep: 1/a clock_nanosleep: 1'

BUG=chromium:1171287
TEST=Local builds and booting on kevin/64/eve/minnie.

Change-Id: I975535078d88200f52319c7eea3a4c7ebf299933
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2735575
Tested-by: kokoro
Tested-by: Manoj Gupta
Commit-Queue: Manoj Gupta
Reviewed-by: Dylan Reid
Reviewed-by: Stephen Barber
---
 seccomp/aarch64/common_device.policy | 1 +
 seccomp/aarch64/gpu_device.policy | 1 +
 seccomp/aarch64/tpm_device.policy | 1 +
 seccomp/aarch64/vios_audio_device.policy | 1 -
 seccomp/arm/common_device.policy | 1 +
 seccomp/arm/gpu_device.policy | 1 +
 seccomp/arm/tpm_device.policy | 1 +
 seccomp/arm/vios_audio_device.policy | 1 -
 seccomp/x86_64/common_device.policy | 1 +
 seccomp/x86_64/gpu_device.policy | 1 +
 seccomp/x86_64/tpm_device.policy | 1 +
 seccomp/x86_64/vios_audio_device.policy | 1 -
 12 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/seccomp/aarch64/common_device.policy b/seccomp/aarch64/common_device.policy
index 841e52d095..4c3f9f1d36 100644
--- a/seccomp/aarch64/common_device.policy
+++ b/seccomp/aarch64/common_device.policy
@@ -25,6 +25,7 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME
diff --git a/seccomp/aarch64/gpu_device.policy b/seccomp/aarch64/gpu_device.policy
index bd1f6481d5..c8b099e4dc 100644
--- a/seccomp/aarch64/gpu_device.policy
+++ b/seccomp/aarch64/gpu_device.policy
@@ -23,6 +23,7 @@ madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
diff --git a/seccomp/aarch64/tpm_device.policy b/seccomp/aarch64/tpm_device.policy
index a39d61c6a9..98d32b6b1d 100644
--- a/seccomp/aarch64/tpm_device.policy
+++ b/seccomp/aarch64/tpm_device.policy
@@ -25,6 +25,7 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME
diff --git a/seccomp/aarch64/vios_audio_device.policy b/seccomp/aarch64/vios_audio_device.policy
index df54139f51..9f017e2681 100644
--- a/seccomp/aarch64/vios_audio_device.policy
+++ b/seccomp/aarch64/vios_audio_device.policy
@@ -5,7 +5,6 @@
 
 @include /usr/share/policy/crosvm/common_device.policy
 clock_gettime: 1
-clock_nanosleep: 1
 lseek: 1
 openat: return ENOENT
 prlimit64: 1
diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy
index cbbfd7d434..6040bad796 100644
--- a/seccomp/arm/common_device.policy
+++ b/seccomp/arm/common_device.policy
@@ -26,6 +26,7 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index 1bdea6d0dc..fa38a2ddfa 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -23,6 +23,7 @@ madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 poll: 1
 ppoll: 1
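Review bot: The added `clock_nanosleep: 1` line in common_device.policy admits any clockid and any flags, which is wider than the glibc 2.32 refactor described in the message requires — as far as I recall glibc's nanosleep() wrapper issues clock_nanosleep with CLOCK_REALTIME and flags 0 — so if minijail's policy parser resolves the clock constants on these targets, `clock_nanosleep: arg0 == CLOCK_REALTIME || arg0 == CLOCK_MONOTONIC` would keep the new allow about as narrow as the existing `nanosleep: 1`, after confirming no caller in these device processes sleeps on another clock. The same unrestricted entry is added in the gpu_device.policy and tpm_device.policy hunks for aarch64, arm and x86_64 that follow. As a point of style, the sed append leaves `clock_nanosleep` after `nanosleep` while the surrounding entries in every visible hunk are alphabetically ordered; moving it next to the other `clock_*` rules would keep the files sorted and make later audits of the allowlist easier.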
diff --git a/seccomp/arm/tpm_device.policy b/seccomp/arm/tpm_device.policy
index d17f67cd12..dad335007e 100644
--- a/seccomp/arm/tpm_device.policy
+++ b/seccomp/arm/tpm_device.policy
@@ -25,6 +25,7 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/arm/vios_audio_device.policy b/seccomp/arm/vios_audio_device.policy
index ad27b0e362..7e8b14c994 100644
--- a/seccomp/arm/vios_audio_device.policy
+++ b/seccomp/arm/vios_audio_device.policy
@@ -5,7 +5,6 @@
 
 @include /usr/share/policy/crosvm/common_device.policy
 clock_gettime: 1
-clock_nanosleep: 1
 lseek: 1
 open: return ENOENT
 openat: return ENOENT
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
index bf8dd15813..421beac3bb 100644
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@@ -27,6 +27,7 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 7f167d7289..28dcf60da8 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -25,6 +25,7 @@ madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 50536f8aa4..bfd64a838d 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -25,6 +25,7 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
+clock_nanosleep: 1
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/x86_64/vios_audio_device.policy b/seccomp/x86_64/vios_audio_device.policy
index ad27b0e362..7e8b14c994 100644
--- a/seccomp/x86_64/vios_audio_device.policy
+++ b/seccomp/x86_64/vios_audio_device.policy
@@ -5,7 +5,6 @@
 
 @include /usr/share/policy/crosvm/common_device.policy
 clock_gettime: 1
-clock_nanosleep: 1
 lseek: 1
 open: return ENOENT
 openat: return ENOENT