mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2025-02-09 20:04:20 +00:00
c11683b07f
The panic hook calls read_to_string, which relies on lseek internally. Most devices already allow lseek, but add it to the common policy files to ensure that devices can properly panic. BUG=None TEST=compiles Change-Id: I99d6d1d258706874cc04ce550108991631d71706 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/3960213 Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org> Commit-Queue: David Stevens <stevensd@chromium.org> Reviewed-by: Alexandre Courbot <acourbot@chromium.org>
57 lines
1.1 KiB
Text
57 lines
1.1 KiB
Text
# Copyright 2019 The ChromiumOS Authors
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
@include /usr/share/policy/crosvm/common_device.policy
|
|
|
|
copy_file_range: 1
|
|
fallocate: 1
|
|
fchdir: 1
|
|
fchmod: 1
|
|
fchmodat: 1
|
|
fchown: 1
|
|
fchownat: 1
|
|
fdatasync: 1
|
|
fgetxattr: 1
|
|
getxattr: 1
|
|
fsetxattr: 1
|
|
setxattr: 1
|
|
flistxattr: 1
|
|
listxattr: 1
|
|
fremovexattr: 1
|
|
removexattr: 1
|
|
fsync: 1
|
|
newfstatat: 1
|
|
fstatfs: 1
|
|
ftruncate: 1
|
|
getdents64: 1
|
|
getegid: 1
|
|
geteuid: 1
|
|
getrandom: 1
|
|
# Use constants for verity ioctls since minijail doesn't understand them yet.
|
|
# 0x40806685 = FS_IOC_ENABLE_VERITY
|
|
# 0xc0046686 = FS_IOC_MEASURE_VERITY
|
|
ioctl: arg1 == FS_IOC_FSGETXATTR || \
|
|
arg1 == FS_IOC_FSSETXATTR || \
|
|
arg1 == FS_IOC_GETFLAGS || \
|
|
arg1 == FS_IOC_SETFLAGS || \
|
|
arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
|
|
arg1 == 0x40806685 || \
|
|
arg1 == 0xc0046686
|
|
linkat: 1
|
|
mkdirat: 1
|
|
mknodat: 1
|
|
openat: 1
|
|
preadv: 1
|
|
pwritev: 1
|
|
renameat2: 1
|
|
setresgid: 1
|
|
setresuid: 1
|
|
symlinkat: 1
|
|
umask: 1
|
|
unlinkat: 1
|
|
utimensat: 1
|
|
prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
|
|
capget: 1
|
|
capset: 1
|
|
unshare: 1
|