author: David Riley <davidriley@chromium.org> 2019-09-11 16:21:20 -0700
committer: David Riley <davidriley@chromium.org> 2019-09-17 23:24:55 +0000
commit: 36cc5092fc6237ddbd1e63b8d2bc7c1460ea3041 (patch)
tree: 221a2af7da47f05ee10fdde0b199efaa0424bb61
parent: bca67ae7e3f543566144b57b5f816cb95c4d674e (diff)
gpu: Fix sandboxing support for ARM.
Two compounded issues broke GPU support on ARM:
1) A mistake when applying code review comments to the initial checkin
of this file and not correctly copying the updated policy when testing
to the DUT.
2) Iteration of the /dev/dri directory from libvirglrender.so uses
getdents instead of getdents64, likely due to some differences in the C
vs Rust runtime.

BUG=chromium:1002667
TEST=glxgears with virtio-gpu on kevin

Change-Id: I225b85998a6a611ebe2a25a75cd88aab9939feb7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1799287
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
seccomp/arm/gpu_device.policy | 6
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index bcd29b6..fd1e4d7 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -24,7 +24,6 @@ mremap: 1
 munmap: 1
 nanosleep: 1
 open: return ENOENT
-openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
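Review bot: Dropping `openat: return ENOENT` from this common block leaves no openat rule in the section at all, so the effective treatment of openat now depends entirely on the `openat: 1` line that the second hunk places near the end of the file; nothing in this hunk's context tells a reader that. A short comment next to the surviving `open: return ENOENT` line (for example `# openat is allowed in the gpu-specific rules below`) would make the split intent visible where the rule was removed. It is also worth stating explicitly in review that the net effect of the two hunks, openat moving from a hard ENOENT in the common rules to an unconditional allow, is the intended widening, since the commit message attributes the earlier state to a copying mistake rather than to a deliberate policy decision.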
@@ -49,20 +48,21 @@ writev: 1
 ## Rules specific to gpu
 connect: 1
 getrandom: 1
-openat: 1
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 _llseek: 1
 ftruncate64: 1
 stat64: 1
 fstat64: 1
+getdents: 1
 getdents64: 1
 
 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
 ioctl: arg1 & 0x6400 || arg1 & 0x8000
 
-## mmap/mprotect/open/openat differ from the common_device.policy
+## mmap/mprotect/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+openat: 1
 
 ## Rules specific to pvr
 geteuid32: 1
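Review bot: The justification for the new `getdents: 1` line (directory iteration of /dev/dri by libvirglrender.so using getdents rather than getdents64) lives only in the commit message; a one-line comment above `getdents: 1` in the policy file would keep that reason with the rule so a later cleanup does not remove it as redundant next to `getdents64: 1`. Allowing it unconditionally is reasonable, as getdents takes only a descriptor, buffer and length and has no argument worth filtering. The relocated `openat: 1` sits correctly under the updated `## mmap/mprotect/openat differ from the common_device.policy` heading, and the heading text now matches the rules beneath it since `open` is no longer overridden there.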