When "--gpu-render-server path=<path>" is specified, start the render
server shipped with virglrenderer and initialize virglrenderer with
VIRGLRENDERER_MULTI_PROCESS flag.
The flag makes virgl_renderer_context_create_with_flags create proxy
contexts instead of venus contexts. Each proxy context requests the
render server to fork a subprocess and executes GPU commands in the
subprocess.
BUG=b:177267762
TEST=run vk and gl apps on volteer
Change-Id: If5e2dc3353572cadb60b0c25a3e0ad14f633db91
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3283508
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chia-I Wu <olv@google.com>
Missed a couple that do not inherit from common_device.policy.
BUG=b:209021536
TEST=Cq
Change-Id: I672af4e7746bbf971193a10031f0ac27302ef3b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3314284
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Dennis Kempin <denniskempin@google.com>
Tested-by: Dennis Kempin <denniskempin@google.com>
aarch64 only has the readlinkat syscall.
BUG=b:209021536
TEST=Cq
Change-Id: I0a6a76bbc388f598f639a97832269256f6e9a61e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3314710
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
The panic handler uses getcwd and readlink to print out the executable
name in the backtrace. Allow these for all devices so that panics
actually work instead of crashing the process.
BUG=None
TEST=intentionally panic crosvm on kevin and check /var/log/messages
Change-Id: If64a752a6f0b1f2f6bdd6663ce77078305f38171
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3309201
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
The syscall is used for the file backed memory region used
by the audio device since https://crrev.com/c/3159883
BUG=b:208264646
TEST=CQ
Change-Id: I02c24da6389d60847996a62ee0eab658f9c4f7cf
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3307240
Commit-Queue: Dennis Kempin <denniskempin@google.com>
Tested-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Fixes https://crrev.com/c/3199298, which only added the new ioctl
argument to the seccomp syscall filters on x86.
BUG=b:169908659
TEST=tast.crostini.SecureCopyPaste.* on scarlet
Change-Id: Ifd44c7b403f862d5528d8cc3655f0cd2c71c6e13
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3276675
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Tested-by: Dennis Kempin <denniskempin@google.com>
The sched_yield system call is somehow called by the code the rust
compiler generates and not directly by the author's implementation. That
along with the fact that it won't get called on every run makes it very
easy to miss when adding a new device (that happened with virtio-snd).
Since that call is quite harmless (it could be argued minijail shouldn't
even block it in the first place) it makes sense to allow it for all
devices.
BUG=b/201306350
Change-Id: I9895da6c8060ae83053474ed9e4472ea2cd8d3e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3248126
Auto-Submit: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
newfstatat has been added to a few policies for the
two 64bit architectures, but some more require it to
avoid crashes, so add it to all which contain fstat
or statx.
BUG=b:187795909
TEST=CQ
Change-Id: I3cd0f5379b87102caa256503a888c5a1aa4103b6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3198571
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Enable with `--cras-snd`.
Verified:
Basic playback and capture
Missing features:
* Getting chmap/jack/stream info from CRAS. They are hardcoded for now.
* Jack connect/disconnect notifications from CRAS
* Reporting latency bytes to the driver. It is currently hardcoded to 0.
BUG=b:179757101
TEST=`aplay` and `arecord` inside a debian img with a 5.10 kernel built
with virtio snd support. Launched with crosvm on rammus/kukui/hatch
Change-Id: I240000a92418b75b3eb8dcd241ff320214b68739
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2777991
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Woody Chow <woodychow@google.com>
Reviewed-by: Chih-Yang Hsia <paulhsia@chromium.org>
Starting with glibc 2.33 the faccessat2 syscall is used and
only if it doesn't exist (eg kernel older than 5.8) glibc will
default to the older faccessat syscall, so we need to allow it.
Previously this syscall has been enabled on a per-component
basis after testing, but this one does a bulk enable when
faccessat is used on all architectures.
See glibc commit 3d3ab573a5 ("Linux: Use faccessat2 to implement
faccessat (bug 18683")
BUG=b:187795855
TEST=Local builds; CQ.
Change-Id: I1f17e82e8c416b0fa2c43342731e9ea8394c47fa
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3097212
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Since CL:2999451, libcras is using timerfd features from `cros_async`,
we need to add timerfd operations to the accepted list of
`cras_audio_device`'s seccomp policy files.
BUG=b:179757101
BUG=b:194452080
TEST=tast run ${DUT_IP} arc.Notification.vm
Change-Id: I74b33fa1e304fccc95b7326e04bedc32feff85f1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3047951
Auto-Submit: Chih-Yang Hsia <paulhsia@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
At present, libraries which use glibc to dynamically load
shared libraries do not have fstafs in their seccomp policies.
A change in glibc will force all systems which load shared
libraries to call the fstatfs or fstatfs64 syscall.
Without the call, crosvm will not start when running
crostini/android tests.
BUG=chromium:1182687
TEST=CQ of https://crrev.com/c/2910526
Change-Id: I10abb8866474c2fe0398a17a80069cf2b0629493
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3011355
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Kernels before 5.10 had known bugs in the io_uring implementation.
Don't use io_uring when we detect this. Also skip all the io_uring
tests in this case.
BUG=none
TEST=cargo test
Change-Id: I5fd6203ad25a6fb85ff28f1a6ddb0181f836ad89
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3006309
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Woody Chow <woodychow@google.com>
The libminijail version in AOSP complains when there are multiple entries for
the same system call, which was the case for virtio-fs's policy.
BUG=b/185811304
Change-Id: I389c07c86e7d79f16e4f47a893abad598033352a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2837307
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Fds created via dup don't share file descriptor flags with the original
fd, which means that they don't have the FD_CLOEXEC flag set. Use
fcntl(F_DUPFD_CLOEXEC) so that this flag gets set for the duplicated fds
as well.
BUG=none
TEST=unit tests
Change-Id: Ib471cf40acac1eacf72969ba45247f50b349ed58
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2809687
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
validate_raw_fd assumes that the fd passed in was not created by crosvm
and returns EBADF if it sees that the fd has the FD_CLOEXEC flag set.
We can't use it for fds created by the fs device since those do have
that flag set.
We're already taking a `&dyn AsRawFd` as the parameter so just assume
it's valid and clone it directly since there's no safe way to create an
invalid one.
BUG=none
TEST=vm.Fio.virtiofs_dax* tests are no longer failing
Change-Id: I10d9752e0960143fb58a63d2b76f64d34ec464d0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2809686
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Allow:
- UDMABUF_CREATE_LIST -- needed to create udmabuf
- DMA_BUF_IOCTL_SYNC -- to flush the udmabuf.
virtio-wl already allows this everywhere so
this should be fine.
Also add the path to minijail.
BUG=chromium:892806, b:173630595
TEST=no sandbox violations
Change-Id: I70ace6ef0349c4b133615eb41f9f56ccd7121e4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2786287
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Gurchetan Singh <gurchetansingh@chromium.org>
Commit-Queue: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Set the SECBIT_NO_SETUID_FIXUP securebit so that we don't lose
capabilities when changing the thread uid/gid. This allows us to
simplify the create and mkdir functions so that all the checks we
currently carry out are only done once by the host kernel.
To ensure that the setuid and setgid bits still get dropped when a file
is modified by a process that doesn't hold CAP_FSETID, check for
WRITE_KILL_PRIV in the write flags and temporarily drop CAP_FSETID when
it is set.
BUG=none
TEST=Check that default posix acls, setgid bits, and file/directory
creation via membership of a supplementary group all work as
expected.
Change-Id: I420484e357a970e997cb3e968a433278e82d8ad4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2684067
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Starting with 2.32 glibc nanosleep() was refactored to use the
clock_nanosleep syscall so various software will fail unless
the new syscall is allowed. We can't just drop the old nanosleep
syscall because it will break glibc 2.27 which is still used.
See glibc commits:
807edded25 nptl: Refactor thrd_sleep in terms of clock_nanosleep
3537ecb49c Refactor nanosleep in terms of clock_nanosleep
79a547b162 nptl: Move nanosleep implementation to libc
This is a bulk edit done with the following command:
git grep -rl 'nanosleep: 1' | xargs sed -i \
'/^nanosleep: 1/a clock_nanosleep: 1'
BUG=chromium:1171287
TEST=Local builds and booting on kevin/64/eve/minnie.
Change-Id: I975535078d88200f52319c7eea3a4c7ebf299933
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2735575
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
The newly added async primitives allow for increasing the separation of
the various tasks performed by balloon. Breaking each task in to an
asynchronous function.
BUG=chromium:901139
TEST=Boot crosvm, run 'crosvm balloon' to set the balloon size, check
'vmstat' inside the VM to verify the free memory is affected by the
balloon growing and shrinking.
run crosvm balloon_stats command and ensure that stats are reported
correctly.
Change-Id: I0ae2be5eb8e4be65b2eb74de90888357af6ecfd4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1993163
Tested-by: Keiichi Watanabe <keiichiw@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
An upcoming mesa-freedreno uprev will require a couple crosvm policy
updates. In particular setscheduler/setaffinity, for the same reasons
that AMD requires them.
BUG=b:179519741
TEST=Start crostini with upstream mesa MR that starts requiring
setscheduler/setaffinity
Change-Id: I4f41a638f413b35f2afebdbe39dde02a02f8322a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2683032
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Rob Clark <robdclark@chromium.org>
Commit-Queue: Rob Clark <robdclark@chromium.org>
Auto-Submit: Rob Clark <robdclark@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
This USB ioctl is used in usb_util::Device::clear_halt(), but it was not
allowed in the seccomp policy.
BUG=chromium:1167286
TEST=Attach Keyspan USA-19H USB serial adapter to Crostini
Change-Id: I625cde121a0a248046e476eecd732a98530811dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2633824
Reviewed-by: Matthew Blecker <matthewb@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Matthew Blecker <matthewb@chromium.org>
Commit-Queue: Matthew Blecker <matthewb@chromium.org>
New syscalls and /run/perfetto bind mount are required.
BUG=b:174162684
TEST=Run crosvm with perfetto instrumentation and confirm that
events can be traced through traced. Tested on both hatch
and ARM kukui device.
Cq-Depend: chromium:2570487
Change-Id: I809400ec393c2971ba9a1134ddbef7f48d818786
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2571659
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: John Bates <jbates@chromium.org>
Commit-Queue: John Bates <jbates@chromium.org>
Needed by arcvm. Also fix some style issues with the previous ioctl
definitions.
BUG=b:136127632
TEST=Call this ioctl from inside a VM and see that it is passed through
to the host.
Change-Id: Icdeff9e2c5b15237ed49e6814b8147258a50ccab
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2560286
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
These don't work without a kernel change that we never merged. Arcvm
doesn't need these anymore so just drop them.
BUG=b:136127632
TEST=vm.Virtiofs
Change-Id: I427dee41720b0db1d14f4d03c95ff678ec3fd347
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2573709
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
The goldfish battery irq will be used to notify the guest driver that
battery/ac status changed. And the status changing will be done through
external crosvm commands. So the irq injection needs to be done in a
seperate thread which can receive these commands.
BUG=chromium:1050432
BUG=b:137890633
TEST=create VM with parameter "--battery" or "--battery=type=goldfish"
and boot linux guest with goldfish_battery driver enabled. The sysfs
created by the goldfish_battery driver have no issue observed.
TEST=goldfish_battery driver is loaded on ARCVM and interrupts are enabled
Change-Id: Icc902dd8c00bdcf6cb271b20d928a4081533dde6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2119573
Commit-Queue: Alex Lau <alexlau@chromium.org>
Tested-by: Alex Lau <alexlau@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
The p9 crate API changed so that the new() function now returns a
result. Update the caller to match.
Additionally, the implementation also changed to use different syscalls
so update the seccomp filters to match.
BUG=b:162388795
TEST=Start a vm with a 9p mount and test the changed operations to make
sure they still work.
Cq-Depend: chromium:2494169
Change-Id: I7c4e1fd2fb192206402e895b09e519c3e769ae3c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2494328
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
There are no *at variants for the xattr syscalls so we were using the
path-based variants by reading the /proc/self/fd symlink. While this
symlink can track renames it cannot track if the user hard links the
file to some other location and then unlinks the original location. In
this case the symlink simply shows that the path was deleted even though
the fd is still valid.
To deal with this, stop using the path-based method. For regular files
and directories, we can simply open them and then make the appropriate
f{get,set,list,remove}xattr syscall. For non-regular files and
directories we can emulate an *at syscall by changing the CWD to /proc
and then making the path-based syscall via the self/fd path. Even
though the symlink is no longer valid, manipulating the fd via this path
still works.
BUG=b:168689429
TEST=Create a file, set an xattr, hard link it to a new location,
unlink the original, and then verify that {get,set}fattr still
works on the new link
Change-Id: Ic291f432b96f18e3e7ccbcf27737d5f8fd240a65
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2437684
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
The git submodule needs to be updated to work with newer chroot libssl.
In addition, the new OpenSSL version uses the getrandom syscall, so it
needs to be added to the seccomp policies.
TEST=build_test works again, vm's boot with a --software-tpm
Change-Id: Ie3242e9fa4dba42bf6266e674f987d8c9dbc1dbe
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2316380
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Dylan Reid <dgreid@chromium.org>
BUG=chromium:1053847
TEST=Listen to the socket from VmLogForwarder, observer messages
forwarded into separate output file.
Change-Id: Ia472e34b78db599e91f63e72a13bf8539d0d6312
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2287077
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Nicholas Verne <nverne@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Nicholas Verne <nverne@chromium.org>
Auto-Submit: Nicholas Verne <nverne@chromium.org>
Posix acls are a truly incredible example of API design. The presence
of a default posix acl in a directory completely changes the meaning of
the `mode` parameter for all system call that create inodes. However,
this new behavior only applies when the inode is first created and not
for any subsequent operations that use the mode, like fchmod.
When a directory has a default posix acl, all inodes created in that
directory get the permissions specified in the default acl. The mode
parameter is treated like a umask where any permissions allowed by the
default acl that are not allowed by the mode parameter are blocked. The
actual umask is ignored in this case.
So to handle this properly we need to set FUSE_DONT_MASK to prevent the
kernel driver from preemptively applying the umask. Then we have to
check if the parent directory has a default posix acl and only apply the
umask to the mode if it does not. This also means that we cannot use
`mkdtemp` because that always creates directories with a mode of 0o700
and since the default posix acl calculation only applies on creation and
not on later operations, we need to apply the proper mode in the very
beginning.
BUG=b:159285544,b:152806644
TEST=vm.Virtiofs. Use a test program to create files/directories in
directories that have a default acl and ones that don't, and verify
that the mode is correctly set after creation
Change-Id: Ieca8ac9db391feebe5719630c5f3b57b04b71533
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2260253
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Needed by arcvm.
BUG=b:159297591
TEST=run a test program that calls the ioctl
Change-Id: I1f8c17fa2b2457f5a9e73045c3dbee3440eb943d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2265932
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
MALI GPU driver calls this for printing debug information. Just
enable it since it could help debug.
BUG=None
TEST=manual - Run ARCVM on kukui with debug build of mali driver
Change-Id: If65121520071a1df9b8ba932272428cbac844984
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2262176
Tested-by: Lepton Wu <lepton@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Lepton Wu <lepton@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Commit-Queue: Lepton Wu <lepton@chromium.org>
Arcvm needs this ioctl for looking up the project id of an inode.
BUG=b:157189438
TEST=Call the ioctl inside a vm and verify that it succeeds
Change-Id: Ib178cf32b09056f9b1e9acedb49de068d5525a66
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2214964
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Matthias Springer <springerm@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
When creating a file or directory the virtio-fs server changes its
effective uid and gid to the uid and gid of the process that made the
call. This ensures that the file or directory has the correct owner and
group when it is created and also serves as an access check to ensure
that the process that made the call has permission to modify the parent
directory.
However, this causes an EACCES error when the following conditions are
met:
* The parent directory has g+rw permissions with gid A
* The process has gid B but has A in its list of supplementary groups
In this case the fuse context only contains gid B, which doesn't have
permission to modify the parent directory.
Unfortunately there's no way for us to detect this on the server side so
instead we just have to rely on the permission checks carried out by the
kernel driver. If the server receives a create call, then assume that
the kernel has verified that the process is allowed to create that
file/directory and just create it without changing the server thread's
uid and gid.
Additionally, in order to ensure that a newly created file appears
atomically in the parent directory with the proper owner and group,
change the create implementation to use `O_TMPFILE` and `linkat` as
described in the open(2) manpage. There is no `O_TMPFILE` equivalent
for directories so create a "hidden" directory with a randomly generated
name, modify the uid/gid and mode, and then rename it into place.
BUG=b:156696212
TEST=tast run $DUT vm.Virtiofs
TEST=Create a test directory with group wayland and permissions g+rw.
Then run `su -s /bin/bash -c 'touch ${dir}/foo' - crosvm` and
`su -s /bin/bash -c 'mkdir ${dir}/bar' - crosvm`.
Change-Id: If5fbcb1b011664c7c1ac29542a2f90d129c34962
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2217534
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Using the `open_inode` method on an fd for a symlink results in the
kernel returning -ELOOP. Since there are no `*at` methods for extended
attributes, manually read the path for the file and then use the
l{get,set,list,remove}xattr method on the returned path.
BUG=b:136128512
TEST=boot arcvm with virtio-fs and selinux enabled
Change-Id: I2fde57db8a075838a3a877309f6cf89059f19258
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2120763
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
The build-time seccomp compiler for aarch64 complains that it doesn't
recognize open, epoll_wait, recv, mmap2, dup2, poll, mkdir, or stat.
I tried to propose a change to upstream minijail to make it aware of
these syscalls, but the calls are in various forms of deprecation
so upstream is doubting the sanity of the policy files.
I applied the following mapping: open->openat, epoll_wait->epoll_pwait,
recv->recvfrom, mmap2->mmap, dup2->dup3, poll->ppoll, mkdir->mkdirat,
and stat->statx. In many cases the new syscall was already present so I
just deleted the old one.
BUG=None
TEST=Ran compile_seccomp_policy.py with an unmodified minijail until
it stopped complaining. I don't have an arm device for runtime testing.
Wrote an app to emulate the execution of the first 400 syscall #s though
the bpf filter and verified that the list that matches the filter is the
same as the policy file.
Change-Id: I599aa549a1712b898eb6b73492872a9676e7215d
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2036218
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall. In most cases the rules
are redundant to common_device.policy.
BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.
Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
