The sched_yield system call is somehow called by the code the rust
compiler generates and not directly by the author's implementation. That
along with the fact that it won't get called on every run makes it very
easy to miss when adding a new device (that happened with virtio-snd).
Since that call is quite harmless (it could be argued minijail shouldn't
even block it in the first place) it makes sense to allow it for all
devices.
BUG=b/201306350
Change-Id: I9895da6c8060ae83053474ed9e4472ea2cd8d3e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3248126
Auto-Submit: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
On 32bit arm systems, starting with glibc 2.33, the fstatat64
syscall is used to fix a y2038 bug and statx is also called
for 64bit->32bit datastructure conversion.
See this upstream glibc 2.33 commit range for more details:
d892723830..aa03f722f3.
Example failures (only on 32bit arm):
type=SECCOMP comm="mtpd" exe="/usr/sbin/mtpd" sig=0
arch=40000028 syscall=327 code=0x7ffc0000
type=SECCOMP comm="mtpd" exe="/usr/sbin/mtpd" sig=0
arch=40000028 syscall=397 code=0x7ffc0000
BUG=b:187795855
TEST=Local builds; CQ.
Change-Id: I003feeaa75552770920cdf9969a393940c5e997b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3113972
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
On trogdor devices, fstatfs64 is not used. Instead, 32bit
fstatfs is used. We need to add both to all 32bit Arm
policy files which were originally determined to be
problematic.
This adds fstsatfs to all 32bit Arm policy files which
were modified for the original glibc security change.
Additionally, this commit sorts the syscalls lexicographically
if the policy file was already sorted.
BUG=chromium:1182687
TEST=CQ of http://crrev.com/c/2910526
Change-Id: I42eb12456625d400ee3422af08d56d648e3f9075
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3066144
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
At present, libraries which use glibc to dynamically load
shared libraries do not have fstafs in their seccomp policies.
A change in glibc will force all systems which load shared
libraries to call the fstatfs or fstatfs64 syscall.
Without the call, crosvm will not start when running
crostini/android tests.
BUG=chromium:1182687
TEST=CQ of https://crrev.com/c/2910526
Change-Id: I10abb8866474c2fe0398a17a80069cf2b0629493
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3011355
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Kernels before 5.10 had known bugs in the io_uring implementation.
Don't use io_uring when we detect this. Also skip all the io_uring
tests in this case.
BUG=none
TEST=cargo test
Change-Id: I5fd6203ad25a6fb85ff28f1a6ddb0181f836ad89
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3006309
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Woody Chow <woodychow@google.com>
Allow:
- UDMABUF_CREATE_LIST -- needed to create udmabuf
- DMA_BUF_IOCTL_SYNC -- to flush the udmabuf.
virtio-wl already allows this everywhere so
this should be fine.
Also add the path to minijail.
BUG=chromium:892806, b:173630595
TEST=no sandbox violations
Change-Id: I70ace6ef0349c4b133615eb41f9f56ccd7121e4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2786287
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Gurchetan Singh <gurchetansingh@chromium.org>
Commit-Queue: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
glibc 2.32 is using clock_gettime/64 on some arm boards
when gettimeofday is used. In addition, support 64-bit
variants of the time syscalls for use with glibc 2.32.
BUG=chromium:1190305
TEST=crostini tests pass
Change-Id: I070eee92817d3f959ea385ff2c3adca610e0a574
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2776211
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Starting with 2.32 glibc nanosleep() was refactored to use the
clock_nanosleep syscall so various software will fail unless
the new syscall is allowed. We can't just drop the old nanosleep
syscall because it will break glibc 2.27 which is still used.
See glibc commits:
807edded25 nptl: Refactor thrd_sleep in terms of clock_nanosleep
3537ecb49c Refactor nanosleep in terms of clock_nanosleep
79a547b162 nptl: Move nanosleep implementation to libc
This is a bulk edit done with the following command:
git grep -rl 'nanosleep: 1' | xargs sed -i \
'/^nanosleep: 1/a clock_nanosleep: 1'
BUG=chromium:1171287
TEST=Local builds and booting on kevin/64/eve/minnie.
Change-Id: I975535078d88200f52319c7eea3a4c7ebf299933
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2735575
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
An upcoming mesa-freedreno uprev will require a couple crosvm policy
updates. In particular setscheduler/setaffinity, for the same reasons
that AMD requires them.
BUG=b:179519741
TEST=Start crostini with upstream mesa MR that starts requiring
setscheduler/setaffinity
Change-Id: I4f41a638f413b35f2afebdbe39dde02a02f8322a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2683032
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Rob Clark <robdclark@chromium.org>
Commit-Queue: Rob Clark <robdclark@chromium.org>
Auto-Submit: Rob Clark <robdclark@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
New syscalls and /run/perfetto bind mount are required.
BUG=b:174162684
TEST=Run crosvm with perfetto instrumentation and confirm that
events can be traced through traced. Tested on both hatch
and ARM kukui device.
Cq-Depend: chromium:2570487
Change-Id: I809400ec393c2971ba9a1134ddbef7f48d818786
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2571659
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: John Bates <jbates@chromium.org>
Commit-Queue: John Bates <jbates@chromium.org>
MALI GPU driver calls this for printing debug information. Just
enable it since it could help debug.
BUG=None
TEST=manual - Run ARCVM on kukui with debug build of mali driver
Change-Id: If65121520071a1df9b8ba932272428cbac844984
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2262176
Tested-by: Lepton Wu <lepton@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Lepton Wu <lepton@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Commit-Queue: Lepton Wu <lepton@chromium.org>
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall. In most cases the rules
are redundant to common_device.policy.
BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.
Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Two compounded issues broke GPU support on ARM:
1) A mistake when applying code review comments to the initial checkin
of this file and not correctly copying the updated policy when testing
to the DUT.
2) Iteration of the /dev/dri directory from libvirglrender.so uses
getdents instead of getdents64, likely due to some differences in the C
vs Rust runtime.
BUG=chromium:1002667
TEST=glxgears with virtio-gpu on kevin
Change-Id: I225b85998a6a611ebe2a25a75cd88aab9939feb7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1799287
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
BUG=chromium:892280
TEST=glxgears with virtio-gpu on hana
Change-Id: Ib92b21c124e30eacb3fc28558e2eb5d8d4a92567
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717739
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: David Riley <davidriley@chromium.org>
Commit-Queue: David Riley <davidriley@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Auto-Submit: David Riley <davidriley@chromium.org>
ARM platforms have different library locations and also required GPU
devices to be availble to the GPU process.
BUG=chromium:892280
TEST=glxgears with virtio-gpu on kevin and nami
Change-Id: If1baeb1edda76d057e88ab5e88ce22f02e5d30a0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717738
Reviewed-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: David Riley <davidriley@chromium.org>
Commit-Queue: David Riley <davidriley@chromium.org>
Auto-Submit: David Riley <davidriley@chromium.org>
