seccomp: allow kcmp on x86_64 gpu device

A mesa change to the amdgpu driver "winsys/amdgpu: Re-use
amdgpu_screen_winsys when possible" causes kcmp to be called with the
following simplified stacktrace.

SYS_kcmp
os_same_file_description
amdgpu_winsys_create
radeonsi_screen_create
<snip>
eglInitialize
virgl_egl_init
virgl_renderer_init

The use of this syscall caused the gpu device process to be killed with
SIGSYS. This change fixes that by allowing kcmp in that process, which
should be secure given the sandboxing in place and the level of
permissions required by kernel to succesfully use the kcmp syscall.

BUG=chromium:1070805
TEST=crostini.GPUEnabled.artifact_gpu_unstable

Change-Id: Ica0e5c6ebc01cbc33ac62fea001949798ca4446e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2151145
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Drew Davenport <ddavenport@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Lepton Wu <lepton@chromium.org>
Reviewed-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Commit-Queue: Dylan Reid <dgreid@chromium.org>

1 files changed, 1 insertions, 0 deletions

diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 23b6b6c..331fc49 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -75,3 +75,4 @@ sysinfo: 1
 uname: 1
 sched_setscheduler: 1
 sched_setaffinity: 1
+kcmp: 1