Missed a couple that do not inherit from common_device.policy.
BUG=b:209021536
TEST=Cq
Change-Id: I672af4e7746bbf971193a10031f0ac27302ef3b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3314284
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Dennis Kempin <denniskempin@google.com>
Tested-by: Dennis Kempin <denniskempin@google.com>
The panic handler uses getcwd and readlink to print out the executable
name in the backtrace. Allow these for all devices so that panics
actually work instead of crashing the process.
BUG=None
TEST=intentionally panic crosvm on kevin and check /var/log/messages
Change-Id: If64a752a6f0b1f2f6bdd6663ce77078305f38171
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3309201
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
At present, libraries which use glibc to dynamically load
shared libraries do not have fstafs in their seccomp policies.
A change in glibc will force all systems which load shared
libraries to call the fstatfs or fstatfs64 syscall.
Without the call, crosvm will not start when running
crostini/android tests.
BUG=chromium:1182687
TEST=CQ of https://crrev.com/c/2910526
Change-Id: I10abb8866474c2fe0398a17a80069cf2b0629493
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3011355
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Kernels before 5.10 had known bugs in the io_uring implementation.
Don't use io_uring when we detect this. Also skip all the io_uring
tests in this case.
BUG=none
TEST=cargo test
Change-Id: I5fd6203ad25a6fb85ff28f1a6ddb0181f836ad89
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3006309
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Woody Chow <woodychow@google.com>
Allow:
- UDMABUF_CREATE_LIST -- needed to create udmabuf
- DMA_BUF_IOCTL_SYNC -- to flush the udmabuf.
virtio-wl already allows this everywhere so
this should be fine.
Also add the path to minijail.
BUG=chromium:892806, b:173630595
TEST=no sandbox violations
Change-Id: I70ace6ef0349c4b133615eb41f9f56ccd7121e4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2786287
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Gurchetan Singh <gurchetansingh@chromium.org>
Commit-Queue: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Starting with 2.32 glibc nanosleep() was refactored to use the
clock_nanosleep syscall so various software will fail unless
the new syscall is allowed. We can't just drop the old nanosleep
syscall because it will break glibc 2.27 which is still used.
See glibc commits:
807edded25 nptl: Refactor thrd_sleep in terms of clock_nanosleep
3537ecb49c Refactor nanosleep in terms of clock_nanosleep
79a547b162 nptl: Move nanosleep implementation to libc
This is a bulk edit done with the following command:
git grep -rl 'nanosleep: 1' | xargs sed -i \
'/^nanosleep: 1/a clock_nanosleep: 1'
BUG=chromium:1171287
TEST=Local builds and booting on kevin/64/eve/minnie.
Change-Id: I975535078d88200f52319c7eea3a4c7ebf299933
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2735575
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
An upcoming mesa-freedreno uprev will require a couple crosvm policy
updates. In particular setscheduler/setaffinity, for the same reasons
that AMD requires them.
BUG=b:179519741
TEST=Start crostini with upstream mesa MR that starts requiring
setscheduler/setaffinity
Change-Id: I4f41a638f413b35f2afebdbe39dde02a02f8322a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2683032
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Rob Clark <robdclark@chromium.org>
Commit-Queue: Rob Clark <robdclark@chromium.org>
Auto-Submit: Rob Clark <robdclark@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
New syscalls and /run/perfetto bind mount are required.
BUG=b:174162684
TEST=Run crosvm with perfetto instrumentation and confirm that
events can be traced through traced. Tested on both hatch
and ARM kukui device.
Cq-Depend: chromium:2570487
Change-Id: I809400ec393c2971ba9a1134ddbef7f48d818786
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2571659
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: John Bates <jbates@chromium.org>
Commit-Queue: John Bates <jbates@chromium.org>
MALI GPU driver calls this for printing debug information. Just
enable it since it could help debug.
BUG=None
TEST=manual - Run ARCVM on kukui with debug build of mali driver
Change-Id: If65121520071a1df9b8ba932272428cbac844984
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2262176
Tested-by: Lepton Wu <lepton@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Lepton Wu <lepton@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Commit-Queue: Lepton Wu <lepton@chromium.org>
The build-time seccomp compiler for aarch64 complains that it doesn't
recognize open, epoll_wait, recv, mmap2, dup2, poll, mkdir, or stat.
I tried to propose a change to upstream minijail to make it aware of
these syscalls, but the calls are in various forms of deprecation
so upstream is doubting the sanity of the policy files.
I applied the following mapping: open->openat, epoll_wait->epoll_pwait,
recv->recvfrom, mmap2->mmap, dup2->dup3, poll->ppoll, mkdir->mkdirat,
and stat->statx. In many cases the new syscall was already present so I
just deleted the old one.
BUG=None
TEST=Ran compile_seccomp_policy.py with an unmodified minijail until
it stopped complaining. I don't have an arm device for runtime testing.
Wrote an app to emulate the execution of the first 400 syscall #s though
the bpf filter and verified that the list that matches the filter is the
same as the policy file.
Change-Id: I599aa549a1712b898eb6b73492872a9676e7215d
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2036218
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall. In most cases the rules
are redundant to common_device.policy.
BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.
Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
