author | Zach Reizner <zachr@google.com> | 2020-04-15 11:28:35 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-04-16 19:05:15 +0000 |
commit | 5cf5af601edffbc6707b20f5f3dc13a7d520fcd3 (patch) | |
tree | 7d96510f2024ee839647cfaa5299a8605783b4d1 /seccomp/x86_64 | |
parent | a89621315140045268ffcf636616bc2858be760d (diff) | |
seccomp: allow kcmp on x86_64 gpu device
A Mesa change to the amdgpu driver, "winsys/amdgpu: Re-use amdgpu_screen_winsys when possible", causes kcmp to be called with the following simplified stacktrace.

    SYS_kcmp
    os_same_file_description
    amdgpu_winsys_create
    radeonsi_screen_create
    <snip>
    eglInitialize
    virgl_egl_init
    virgl_renderer_init

The use of this syscall caused the gpu device process to be killed with SIGSYS. This change fixes that by allowing kcmp in that process, which should be secure given the sandboxing in place and the level of permissions required by the kernel to successfully use the kcmp syscall.

BUG=chromium:1070805
TEST=crostini.GPUEnabled.artifact_gpu_unstable

Change-Id: Ica0e5c6ebc01cbc33ac62fea001949798ca4446e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2151145
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Drew Davenport <ddavenport@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Lepton Wu <lepton@chromium.org>
Reviewed-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Commit-Queue: Dylan Reid <dgreid@chromium.org>
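Added example, not crosvm or Mesa code: what the new `kcmp: 1` policy line lets the sandboxed GPU process do, and what a tighter, argument-filtered version of that rule looks like when written as raw seccomp-bpf (Minijail compiles its policy files to the same kind of program). It calls kcmp the way Mesa's os_same_file_description does, with both pid arguments set to the caller's own pid and KCMP_FILE as the comparison type, and then installs a filter that permits only that type, returning EPERM for any other kcmp comparison so the denial can be observed instead of a SIGSYS kill. Assumptions: Linux on x86_64 or aarch64 (little-endian), glibc, a readable /dev/null; the names kcmp_self, same_file_description, kcmp_file_only, install_kcmp_file_only_filter and run_kcmp_demo are this example's own. If an outer sandbox (a container's default seccomp profile, for instance) already blocks kcmp, the demo reports that rather than failing.

```c
/* Added example (not crosvm/Mesa code). Linux only; assumes little-endian. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/kcmp.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define DEMO_AUDIT_ARCH 0 /* unsupported arch for this demo */
#endif

/* glibc has no kcmp() wrapper. Call it the way Mesa's os_same_file_description()
 * does: both pids are the calling process itself, so the kernel's ptrace-access
 * check on the targets is trivially satisfied. */
static long kcmp_self(int type, int fd1, int fd2) {
    pid_t self = getpid();
    return syscall(__NR_kcmp, self, self, type, (unsigned long)fd1, (unsigned long)fd2);
}

/* 1 = fd1 and fd2 share one open file description, 0 = they do not,
 * -1 = kcmp unavailable here (errno set: ENOSYS, or EPERM from an outer filter). */
int same_file_description(int fd1, int fd2) {
    long r = kcmp_self(KCMP_FILE, fd1, fd2);
    if (r < 0) return -1;
    return r == 0 ? 1 : 0;
}

/* seccomp-bpf program: allow every syscall; for kcmp, allow only when
 * arg2 == KCMP_FILE and deny other comparison types with EPERM.
 * This is the hand-written equivalent of a policy line such as
 * "kcmp: arg2 == 0" (KCMP_FILE is 0) rather than the blanket "kcmp: 1". */
#define KCMP_FILTER_LEN 10
struct sock_filter kcmp_file_only[KCMP_FILTER_LEN] = {
    /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 0, 6), /* other arch: allow (demo only; production filters kill) */
    /* 2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_kcmp, 0, 4),        /* not kcmp: allow */
    /* 4 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),     /* low 32 bits of type */
    /* 5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, KCMP_FILE, 0, 3),         /* type != KCMP_FILE: deny */
    /* 6 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + 4), /* high 32 bits */
    /* 7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),                 /* high bits set: deny */
    /* 8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* 0 on success, -1 if the filter cannot be installed in this environment. */
int install_kcmp_file_only_filter(void) {
    struct sock_fprog prog = { .len = KCMP_FILTER_LEN, .filter = kcmp_file_only };
    if (DEMO_AUDIT_ARCH == 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged seccomp */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Walks the scenario end to end. Returns:
 *   0  everything behaved as expected
 *  -1  kcmp is not usable in this environment at all
 *   1  kcmp works, but the seccomp filter could not be installed
 *   2  an observed result contradicted the expectation (a bug in the example) */
int run_kcmp_demo(void) {
    int a = open("/dev/null", O_RDONLY), b = open("/dev/null", O_RDONLY);
    if (a < 0 || b < 0) return 2;
    int c = dup(a); /* c shares a's open file description; b is a separate open() */
    int rc = 2;
    if (same_file_description(a, c) < 0) { rc = -1; goto out; }
    if (same_file_description(a, c) != 1 || same_file_description(a, b) != 0) goto out;
    if (kcmp_self(KCMP_VM, 0, 0) != 0) goto out;              /* same task, same mm: allowed before the filter */
    if (install_kcmp_file_only_filter() != 0) { rc = 1; goto out; }
    if (same_file_description(a, c) != 1 || same_file_description(a, b) != 0) goto out; /* still allowed */
    errno = 0;
    if (kcmp_self(KCMP_VM, 0, 0) != -1 || errno != EPERM) goto out; /* now denied by arg2 filter */
    rc = 0;
out:
    close(a); close(b); close(c);
    return rc;
}

int main(void) {
    printf("kcmp demo result: %d\n", run_kcmp_demo());
    return 0;
}
```

The policy file in this commit only says `kcmp: 1`, which is instruction 3 jumping straight to ALLOW; instructions 4 to 7 are the extra check a reviewer would ask for, since a same-process KCMP_FILE comparison is all the traced Mesa path needs.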
Diffstat (limited to 'seccomp/x86_64')
-rw-r--r-- | seccomp/x86_64/gpu_device.policy | 1 |
1 file changed, 1 insertion, 0 deletions
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy index 23b6b6c..331fc49 100644 --- a/seccomp/x86_64/gpu_device.policy +++ b/seccomp/x86_64/gpu_device.policy @@ -75,3 +75,4 @@ sysinfo: 1 uname: 1 sched_setscheduler: 1 sched_setaffinity: 1 +kcmp: 1 |
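Review bot: the added `kcmp: 1` at the end of the hunk admits every kcmp comparison type with no argument filter, while the only caller named in the commit message, Mesa's os_same_file_description, compares two of the GPU process's own descriptors with KCMP_FILE. Consider `kcmp: arg2 == 0` (KCMP_FILE) so KCMP_VM, KCMP_FILES, KCMP_SYSVSEM and the other types stay blocked, and put a one-line comment above the rule naming that Mesa caller so the next reader does not have to dig up this change to learn why a ptrace-family syscall is open in the GPU sandbox. Note also that the kernel's permission check on kcmp is a ptrace-access check on the two target pids, which always passes when both are the caller itself, so for this call pattern it is the sandbox, not that check, that bounds what the syscall exposes.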