| field | value | date |
|---|---|---|
| author | David Riley <davidriley@chromium.org> | 2019-09-11 16:21:20 -0700 |
| committer | David Riley <davidriley@chromium.org> | 2019-09-17 23:24:55 +0000 |
| commit | 36cc5092fc6237ddbd1e63b8d2bc7c1460ea3041 (patch) | |
| tree | 221a2af7da47f05ee10fdde0b199efaa0424bb61 | |
| parent | bca67ae7e3f543566144b57b5f816cb95c4d674e (diff) | |
gpu: Fix sandboxing support for ARM.
Two compounded issues broke GPU support on ARM:

1) A mistake when applying code review comments to the initial checkin of this file and not correctly copying the updated policy when testing to the DUT.
2) Iteration of the /dev/dri directory from libvirglrender.so uses getdents instead of getdents64, likely due to some differences in the C vs Rust runtime.

BUG=chromium:1002667
TEST=glxgears with virtio-gpu on kevin

Change-Id: I225b85998a6a611ebe2a25a75cd88aab9939feb7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1799287
Tested-by: David Riley <davidriley@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
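The syscall mismatch the commit message describes, shown as an added example that is not crosvm or minijail code: a hand-built seccomp-bpf filter that, like a policy listing `getdents64: 1` with no `getdents` line, lets `getdents64` through and rejects the legacy `getdents`. It assumes Linux with the uapi headers (`linux/seccomp.h`, `linux/filter.h`, `linux/audit.h`) and a libc whose `readdir()` is built on `getdents64`; minijail compiles its policy files into the same kind of BPF program, but this filter is a stand-in written here, not the output of `gpu_device.policy`, and it returns EPERM for the blocked call instead of killing the process so the result can be inspected.

```c
/* Added example, not code from crosvm or minijail: a process-wide seccomp-bpf
 * filter that mirrors a policy listing getdents64 but not getdents, so the
 * effect of the missing rule can be observed (as EPERM rather than a kill). */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define ARCH_NR AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Issue one raw directory-reading syscall against "/": 0 on success, errno otherwise. */
static int probe_dir_syscall(long nr)
{
    char buf[4096];
    int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    long rc = syscall(nr, fd, buf, sizeof buf);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

int probe_getdents64(void) { return probe_dir_syscall(SYS_getdents64); }

/* The legacy variant; absent on some 64-bit-only arches such as arm64. */
int probe_getdents(void)
{
#ifdef SYS_getdents
    return probe_dir_syscall(SYS_getdents);
#else
    return ENOSYS;
#endif
}

/* libc's readdir(): 0 if it can list "/", errno otherwise. On glibc and musl
 * this goes through getdents64, so it keeps working under the filter below. */
int probe_readdir(void)
{
    DIR *d = opendir("/");
    if (!d)
        return errno;
    errno = 0;
    struct dirent *ent = readdir(d);
    int err = (ent == NULL && errno != 0) ? errno : 0;
    closedir(d);
    return err;
}

/* Stand-in for a policy with "getdents64: 1" and no "getdents" line. The
 * blocked call fails with EPERM instead of killing the process, and every
 * other syscall is allowed so the demo can keep running. Returns 0 or errno. */
int install_getdents64_only_filter(void)
{
    struct sock_filter filter[] = {
        /* Refuse to interpret syscall numbers from a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef SYS_getdents
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getdents, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return errno;
    return 0;
}

int main(void)
{
    printf("before filter: getdents64=%d getdents=%d readdir=%d\n",
           probe_getdents64(), probe_getdents(), probe_readdir());
    int rc = install_getdents64_only_filter();
    if (rc != 0) {
        printf("seccomp filter not installed: errno %d\n", rc);
        return 1;
    }
    printf("after filter:  getdents64=%d getdents=%d readdir=%d\n",
           probe_getdents64(), probe_getdents(), probe_readdir());
    return 0;
}
```

Build with `cc -Wall demo.c -o demo && ./demo`. On x86_64 all three probes report 0 before the filter; afterwards `readdir()` and raw `getdents64` still report 0 while raw `getdents` reports EPERM (1), which is the situation a C library issuing `getdents` ends up in under a policy written against what the Rust side of the process was seen to call. Under a real minijail policy the rejected call would kill the process instead, which is why the missing rule showed up as a crash rather than an error return.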
 seccomp/arm/gpu_device.policy | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy index bcd29b6..fd1e4d7 100644 --- a/seccomp/arm/gpu_device.policy +++ b/seccomp/arm/gpu_device.policy @@ -24,7 +24,6 @@ mremap: 1 munmap: 1 nanosleep: 1 open: return ENOENT -openat: return ENOENT pipe2: 1 poll: 1 ppoll: 1 @@ -49,20 +48,21 @@ writev: 1 ## Rules specific to gpu connect: 1 getrandom: 1 -openat: 1 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0 _llseek: 1 ftruncate64: 1 stat64: 1 fstat64: 1 +getdents: 1 getdents64: 1 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali) ioctl: arg1 & 0x6400 || arg1 & 0x8000 -## mmap/mprotect/open/openat differ from the common_device.policy +## mmap/mprotect/openat differ from the common_device.policy mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ +openat: 1 ## Rules specific to pvr geteuid32: 1 |
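Review bot: in the first hunk (@@ -24,7 +24,6 @@), the removed `openat: return ENOENT` preceded the file's later `openat: 1` rule, so the policy carried two contradictory rules for the same syscall; deleting the earlier one is the right fix, but the surviving `open: return ENOENT` in this block and the unrestricted `openat: 1` further down now deliberately diverge, and since seccomp cannot inspect the pathname argument, `openat: 1` permits opening whatever the process's mount namespace exposes. Consider a one-line comment beside `open: return ENOENT` stating that the legacy open is denied while openat is allowed on purpose, so a later reader does not "fix" the asymmetry in the wrong direction or reintroduce a second openat rule.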
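Review bot: in the second hunk (@@ -49,20 +48,21 @@), `getdents: 1` is added next to `getdents64: 1` without a comment, while the commit message attributes the legacy call to libvirglrender.so's iteration of /dev/dri; recording that on the new line, in the style of the existing `# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)` comment, would let someone drop the rule once the library moves to getdents64. Separately, the unchanged `ioctl: arg1 & 0x6400 || arg1 & 0x8000` rule in this hunk's context is looser than its comment implies: `&` is a bitmask test rather than a comparison of the type byte, so request numbers from other ioctl families with overlapping bits also pass, not only DRM ('d' == 0x64) or mali requests. Not introduced by this change, but since the hunk reworks the surrounding rules it is worth a follow-up that lists the specific DRM/KBASE request numbers the gpu device actually issues.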