gpu: Add sandboxing support for pvr.

BUG=chromium:892280
TEST=glxgears with virtio-gpu on hana

Change-Id: Ib92b21c124e30eacb3fc28558e2eb5d8d4a92567
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1717739
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: David Riley <davidriley@chromium.org>
Commit-Queue: David Riley <davidriley@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Auto-Submit: David Riley <davidriley@chromium.org>

1 files changed, 11 insertions, 0 deletions

diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index 2e3e1ba..bcd29b6 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -44,6 +44,7 @@ sendto: 1
 set_robust_list: 1
 sigaltstack: 1
 write: 1
+writev: 1
 
 ## Rules specific to gpu
 connect: 1
@@ -62,3 +63,13 @@ ioctl: arg1 & 0x6400 || arg1 & 0x8000
 ## mmap/mprotect/open/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+
+## Rules specific to pvr
+geteuid32: 1
+getuid32: 1
+lstat64: 1
+readlink: 1
+gettid: 1
+fcntl64: 1
+tgkill: 1
+clock_gettime: 1