diff options
author | Zach Reizner <zachr@google.com> | 2019-03-01 18:04:22 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-03-02 17:41:27 -0800 |
commit | a632f4b170ea357e8c6c1ec4c3b8f877e8459af1 (patch) | |
tree | b2ef00e37209af4bdf53fdebfc4a8cab963bf2cd /seccomp | |
parent | 41a6f84d857c5b5f6ee612f9654c87dca10f3b54 (diff) | |
download | crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.tar crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.tar.gz crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.tar.bz2 crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.tar.lz crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.tar.xz crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.tar.zst crosvm-a632f4b170ea357e8c6c1ec4c3b8f877e8459af1.zip |
seccomp: unrefactor gpu_device.policy
Due to repeated syscall rules in gpu_device and common_device policies, minijail fails to compile the gpu_device.policy. This change unrefactors that policy so that it may compile properly. BUG=chromium:936633,chromium:837073 TEST=vmc start --enable-gpu termina Change-Id: I09ab9296247279c3a9ba6e3a6852e2a7ae2612ed Reviewed-on: https://chromium-review.googlesource.com/1493424 Commit-Ready: Dylan Reid <dgreid@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Tested-by: Zach Reizner <zachr@chromium.org> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r-- | seccomp/x86_64/gpu_device.policy | 42 |
1 files changed, 39 insertions, 3 deletions
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy index c3d7fbf..4a75777 100644 --- a/seccomp/x86_64/gpu_device.policy +++ b/seccomp/x86_64/gpu_device.policy @@ -2,8 +2,45 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -@include /usr/share/policy/crosvm/common_device.policy +# Rules from common_device.policy with some rules removed because they block certain flags needed +# for gpu. +brk: 1 +clone: arg0 & CLONE_THREAD +close: 1 +dup2: 1 +dup: 1 +epoll_create1: 1 +epoll_ctl: 1 +epoll_wait: 1 +eventfd2: 1 +exit: 1 +exit_group: 1 +futex: 1 +getpid: 1 +gettimeofday: 1 +kill: 1 +madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE +mremap: 1 +munmap: 1 +nanosleep: 1 +pipe2: 1 +poll: 1 +ppoll: 1 +prctl: arg0 == PR_SET_NAME +read: 1 +recvfrom: 1 +recvmsg: 1 +restart_syscall: 1 +rt_sigaction: 1 +rt_sigprocmask: 1 +rt_sigreturn: 1 +sched_getaffinity: 1 +sendmsg: 1 +set_robust_list: 1 +sigaltstack: 1 +write: 1 +# Rules specific to gpu connect: 1 fcntl: arg1 == F_DUPFD_CLOEXEC fstat: 1 @@ -18,12 +55,11 @@ lseek: 1 lstat: 1 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING memfd_create: arg1 == 3 +# mmap/mprotect/open/openat differ from the common_device.policy mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ open: 1 openat: 1 readlink: 1 -recvmsg: 1 -sendmsg: 1 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0 stat: 1 |