diff options
author | Daniel Verkamp <dverkamp@chromium.org> | 2019-02-07 09:51:01 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-02-08 06:03:49 -0800 |
commit | d39dd9af7172a4d7fdafaa37fa8569e02e0de556 (patch) | |
tree | 2b2e72c80c4f17d5ebb7a23b650aa4095dc1de09 /seccomp | |
parent | f257263bed62cc81dafb0dffdcdbba4336ce3543 (diff) | |
download | crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.tar crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.tar.gz crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.tar.bz2 crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.tar.lz crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.tar.xz crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.tar.zst crosvm-d39dd9af7172a4d7fdafaa37fa8569e02e0de556.zip |
seccomp: add mremap to arm common_device.policy
The glibc realloc() implementation may call the mremap syscall in some cases; we currently allow mremap in x86_64/common_device.policy but not the arm equivalent, but this path appears to be reachable on any Linux platform[1]. Add mremap to the arm policy as well for consistency. mremap is no more powerful than the existing mmap and munmap syscalls, so I believe this is safe to allow for all device processes. Also reorder the mmap2 line in the arm policy so it is in alphabetical order and can be more easily compared to the x86_64 policy. BUG=chromium:927919 TEST=Boot crosvm on kevin [1]: https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=6e766d11bc85b6480fa5c9f2a76559f8acf9deb5;hb=HEAD#l2854 Change-Id: Ie51a21baf30d3e37ce3adacf8e255f981613543d Signed-off-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1459020 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r-- | seccomp/arm/common_device.policy | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy index 25db5af..9ccf48b 100644 --- a/seccomp/arm/common_device.policy +++ b/seccomp/arm/common_device.policy @@ -17,9 +17,10 @@ futex: 1 getpid: 1 gettimeofday: 1 kill: 1 -mmap2: arg2 in ~PROT_EXEC madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE +mmap2: arg2 in ~PROT_EXEC mprotect: arg2 in ~PROT_EXEC +mremap: 1 munmap: 1 nanosleep: 1 open: return ENOENT |