crosvm/seccomp/arm/gpu_device.policy

# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu.
brk: 1
clone: arg0 & CLONE_THREAD
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
futex: 1
futex_time64: 1
getpid: 1
gettimeofday: 1
kill: 1
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
clock_nanosleep_time64: 1
pipe2: 1
poll: 1
ppoll: 1
ppoll_time64: 1
prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
read: 1
readv: 1
recv: 1
recvfrom: 1
recvmsg: 1
recvmmsg_time64: 1
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1
uname: 1

# Required for perfetto tracing
getsockopt: 1
shutdown: 1

## Rules specific to gpu
connect: 1
getrandom: 1
socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
_llseek: 1
ftruncate64: 1
stat64: 1
statx: 1
fstat64: 1
fstatat64: 1
getdents: 1
getdents64: 1
sysinfo: 1
fstatfs: 1
fstatfs64: 1

# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543

# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
memfd_create: arg1 == 3

## mmap/mprotect differ from the common_device.policy
mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
open: return ENOENT
openat: 1

## Rules specific to pvr
geteuid32: 1
getuid32: 1
lstat64: 1
readlink: 1
gettid: 1
fcntl64: 1
tgkill: 1
clock_gettime: 1
clock_gettime64: 1

# Rules specific to Mesa.
sched_setscheduler: 1
sched_setaffinity: 1
kcmp: 1

# Rules for Vulkan loader / layers
access: 1
getgid32: 1
getegid32: 1
getcwd: 1