authorZach Reizner <zachr@google.com>2019-03-01 18:04:22 -0800
committerchrome-bot <chrome-bot@chromium.org>2019-03-02 17:41:27 -0800
commita632f4b170ea357e8c6c1ec4c3b8f877e8459af1 (patch)
treeb2ef00e37209af4bdf53fdebfc4a8cab963bf2cd /seccomp
parent41a6f84d857c5b5f6ee612f9654c87dca10f3b54 (diff)
seccomp: unrefactor gpu_device.policy
Due to repeated syscall rules in gpu_device and common_device policies,
minijail fails to compile the gpu_device.policy. This change unrefactors
that policy so that it may compile properly.

BUG=chromium:936633,chromium:837073
TEST=vmc start --enable-gpu termina

Change-Id: I09ab9296247279c3a9ba6e3a6852e2a7ae2612ed
Reviewed-on: https://chromium-review.googlesource.com/1493424
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r--seccomp/x86_64/gpu_device.policy42
1 files changed, 39 insertions, 3 deletions
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index c3d7fbf..4a75777 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -2,8 +2,45 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-@include /usr/share/policy/crosvm/common_device.policy
+# Rules from common_device.policy with some rules removed because they block certain flags needed
+# for gpu.
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mremap: 1
+munmap: 1
+nanosleep: 1
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
 
+# Rules specific to gpu
 connect: 1
 fcntl: arg1 == F_DUPFD_CLOEXEC
 fstat: 1
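Review bot: The comment at the top of the inlined block says some common_device.policy rules were removed but never names them, so a reader cannot check the delta against the shared policy; from the lines that follow, the omitted entries appear to be mmap, mprotect, open and openat, which are listed later with gpu-specific arguments, but this diff alone does not confirm those are the only ones. Inlining also means any future tightening of common_device.policy will not reach gpu_device.policy unless someone mirrors it by hand, so the copy should say so explicitly. I would expand the comment to `# Copied from common_device.policy (minijail rejects duplicate rules from @include); mmap/mprotect/open/openat are omitted here and defined with gpu-specific args below. Keep in sync with common_device.policy.` The second hunk's `# mmap/mprotect/open/openat differ from the common_device.policy` comment could likewise state how they differ, since the reader has to open the other file to find out.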
@@ -18,12 +55,11 @@ lseek: 1
 lstat: 1
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
+# mmap/mprotect/open/openat differ from the common_device.policy
 mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
 open: 1
 openat: 1
 readlink: 1
-recvmsg: 1
-sendmsg: 1
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 stat: 1