mirrors/crosvm
1
0
Fork 0
mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2024-10-25 05:35:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
1026 commits 607 branches 2 tags 228 MiB
Commit graph

12 commits

Author SHA1 Message Date
Zach Reizner
2ea297ac76 seccomp: add sendto, writev, and readv to common seccomp policies 
Using syslog from glibc will use some syscalls we haven't seen before,
leading to the process getting killed. This change fixes that.

TEST=use syslog from C
BUG=chromium:988082

Change-Id: I4cfb317a8faf70188995487f4fa844229683d6d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1721616
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
 2019-07-27 03:50:22 +00:00
Gurchetan Singh
ad656a9d3a seccomp: whitelist read-only/write-only GPU mappings 
minigbm sometimes maps buffer with only PROT_READ or only
PROT_WRITE, so allow this.

BUG=b:132939420
TEST=glxgears in container

Change-Id: Ie5ccd827dd14ee78b999d70287b7165d81c5c85e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1673533
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Gurchetan Singh <gurchetansingh@chromium.org>
Commit-Queue: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2019-07-03 15:41:58 +00:00
Drew Davenport
1f9ae42c73 seccomp: Whitelist syscalls for grunt gpu 
BUG=b:127868532
TEST=`vmc start --enable-gpu termina` succeeds

Change-Id: Ibf18cce93ab98f5008bdada3387ee27eb6f79e61
Reviewed-on: https://chromium-review.googlesource.com/1534959
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Drew Davenport <ddavenport@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: David Riley <davidriley@chromium.org>
 2019-04-09 06:19:59 -07:00
David Riley
33e8ef061d devices: gpu: allow sysinfo syscall 
BUG=chromium:940826
TEST=run unigine valley benchmark 1920x1080

Change-Id: If7b5d97a4284de88e52b3fd3e8f162dd484934e1
Reviewed-on: https://chromium-review.googlesource.com/1517102
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2019-03-21 08:07:41 -07:00
Zach Reizner
a632f4b170 seccomp: unrefactor gpu_device.policy 
Due to repeated syscall rules in gpu_device and common_device policies,
minijail fails to compile the gpu_device.policy. This change unrefactors
that policy so that it may compile properly.

BUG=chromium:936633,chromium:837073
TEST=vmc start --enable-gpu termina

Change-Id: I09ab9296247279c3a9ba6e3a6852e2a7ae2612ed
Reviewed-on: https://chromium-review.googlesource.com/1493424
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
 2019-03-02 17:41:27 -08:00
Zach Reizner
bae43dd4c9 seccomp: refactor policy into common_device.policy 
CQ-DEPEND=CL:1449895
BUG=None
TEST=vmc start termina

Change-Id: Ia3edaafc1d2958bd40e6b1adc89dd5e29b679b06
Reviewed-on: https://chromium-review.googlesource.com/1448292
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
 2019-02-07 03:02:12 -08:00
David Riley
825ba5298f devices: gpu: allow brk syscall 
BUG=chromium:926415
TEST=start Tomb Raider

Change-Id: I55352a84a4edd03337f262e1474e0888abfc8c81
Reviewed-on: https://chromium-review.googlesource.com/1446939
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: David Riley <davidriley@chromium.org>
 2019-02-05 14:11:29 -08:00
David Riley
fccfc05f67 devices: gpu: dup stdout to stderr to allow virglrenderer logging 
By default virglrenderer logs to stderr with VREND_DEBUG.  dup stdout
which is logged via logger to stderr so that virglrenderer logs can be
seen.

BUG=chromium:925590
TEST=cat /var/log/messages

Change-Id: I3e1a5056dab9cfd895867b1835b421b144ee536b
Reviewed-on: https://chromium-review.googlesource.com/1441352
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2019-01-31 18:18:44 -08:00
David Riley
d48445eae0 devices: gpu: name gpu thread 
BUG=chromium:925590
TEST=pstree

Change-Id: I2f591894db2a40a812f1720e1fc8422049d85902
Reviewed-on: https://chromium-review.googlesource.com/1440031
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: David Riley <davidriley@chromium.org>
 2019-01-30 01:25:56 -08:00
David Riley
84c13ec890 devices: gpu: add lstat to gpu device seccomp 
BUG=chromium:837073
TEST=vmc start --enable-gpu tatl; lxc start stretch-x; xterm && glxgears

Change-Id: I42a096384cb536ec835de69b34db9b9a941bfeaf
Reviewed-on: https://chromium-review.googlesource.com/1401110
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2019-01-09 19:52:08 -08:00
Yunlian Jiang
a70445aa3b crosvm: add openat to seccomp 
This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed it system call for open().

BUG=chromium:894614
TEST=None

Change-Id: Ie5b45d858e8d9ea081fd7bfda81709bda048d965
Reviewed-on: https://chromium-review.googlesource.com/1292129
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
 2018-10-21 05:25:01 -07:00
David Riley
b22b6137aa gpu: add sandboxing via minijail for virtio gpu device. 
Sandboxing only works when started as chronos via concierge client.  If
started directly via crosvm as root, the jail will not have proper group
permissions to access the Wayland socket.

BUG=chromium:837073
TEST=build with --features=gpu; null_platform_test without --disable-sandbox
CQ-DEPEND=CL:1213779

Change-Id: I6331f7ae1f5b99d31ad44cf158f72337294771f0
Reviewed-on: https://chromium-review.googlesource.com/1181168
Commit-Ready: David Riley <davidriley@chromium.org>
Tested-by: David Riley <davidriley@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2018-09-17 13:18:06 -07:00