mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2025-02-10 20:19:07 +00:00
e299f02d3f
Recently, common_device.policy added clone3. It is included by most devices through include, but the video device missed it since it doesn't include common_device.policy due to some policy override. This commit adds clone3 to the policy of the video device to fix that problem. With this fix, the video device successfully runs in the sandbox on newer kernels. BUG=None TEST=a vm with a video device launches with the sandbox enabled Change-Id: Idc2dee824e863f3ee43cfd6ce76656e36d6200c0 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4053447 Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org> Commit-Queue: Takaya Saeki <takayas@chromium.org>
95 lines
1.8 KiB
Text
95 lines
1.8 KiB
Text
# Copyright 2020 The ChromiumOS Authors
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
# Rules from common_device.policy with mmap and mprotect removed because the video device needs
|
|
# to allow more arguments for them.
|
|
brk: 1
|
|
clock_gettime: 1
|
|
clone: arg0 & CLONE_THREAD
|
|
clone3: 1
|
|
close: 1
|
|
dup2: 1
|
|
dup: 1
|
|
epoll_create1: 1
|
|
epoll_ctl: 1
|
|
epoll_wait: 1
|
|
eventfd2: 1
|
|
exit: 1
|
|
exit_group: 1
|
|
futex: 1
|
|
getcwd: 1
|
|
getpid: 1
|
|
gettid: 1
|
|
gettimeofday: 1
|
|
io_uring_setup: 1
|
|
io_uring_enter: 1
|
|
kill: 1
|
|
lseek: 1
|
|
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE
|
|
mremap: 1
|
|
munmap: 1
|
|
nanosleep: 1
|
|
clock_nanosleep: 1
|
|
pipe2: 1
|
|
poll: 1
|
|
ppoll: 1
|
|
read: 1
|
|
readlink: 1
|
|
readlinkat: 1
|
|
readv: 1
|
|
recvfrom: 1
|
|
recvmsg: 1
|
|
restart_syscall: 1
|
|
rseq: 1
|
|
rt_sigaction: 1
|
|
rt_sigprocmask: 1
|
|
rt_sigreturn: 1
|
|
sched_getaffinity: 1
|
|
sched_yield: 1
|
|
sendmsg: 1
|
|
sendto: 1
|
|
set_robust_list: 1
|
|
sigaltstack: 1
|
|
write: 1
|
|
writev: 1
|
|
fcntl: 1
|
|
uname: 1
|
|
|
|
# Syscalls specific to video devices.
|
|
clock_getres: 1
|
|
connect: 1
|
|
getdents: 1
|
|
getdents64: 1
|
|
getegid: 1
|
|
geteuid: 1
|
|
getgid: 1
|
|
getresgid: 1
|
|
getresuid: 1
|
|
getsockname: 1
|
|
getuid: 1
|
|
# ioctl: arg1 == DRM_IOCTL_*
|
|
ioctl: arg1 & 0x6400
|
|
memfd_create: 1
|
|
newfstatat: 1
|
|
openat: 1
|
|
setpriority: 1
|
|
socket: arg0 == AF_UNIX
|
|
stat: 1
|
|
fstat: 1
|
|
fstatfs: 1
|
|
statx: 1
|
|
|
|
# Rules needed for minigbm on AMD devices.
|
|
getrandom: 1
|
|
lstat: 1
|
|
# mmap/mprotect differ from the common_device.policy
|
|
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
|
|
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
|
|
sched_setaffinity: 1
|
|
sched_setscheduler: arg1 == SCHED_IDLE || arg1 == SCHED_BATCH
|
|
|
|
# Required by mesa on AMD GPU
|
|
sysinfo: 1
|
|
|
|
prctl: arg0 == PR_SET_NAME
|