-rw-r--r--seccomp/arm/gpu_device.policy11
-rw-r--r--src/linux.rs9
2 files changed, 20 insertions, 0 deletions
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index 2e3e1ba..bcd29b6 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -44,6 +44,7 @@ sendto: 1
 set_robust_list: 1
 sigaltstack: 1
 write: 1
+writev: 1
 
 ## Rules specific to gpu
 connect: 1
@@ -62,3 +63,13 @@ ioctl: arg1 & 0x6400 || arg1 & 0x8000
 ## mmap/mprotect/open/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+
+## Rules specific to pvr
+geteuid32: 1
+getuid32: 1
+lstat64: 1
+readlink: 1
+gettid: 1
+fcntl64: 1
+tgkill: 1
+clock_gettime: 1
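Review bot: `tgkill: 1` at the end of the new pvr block admits every signal number for every thread the sandboxed process can address, which is broader than the other new entries (geteuid32, lstat64, readlink, clock_gettime) that only read state. If the driver only needs tgkill for its own abort or crash-reporting path, the rule can be narrowed to the signal it actually sends once that is confirmed, in the same argument-filter style this file already uses for ioctl and mprotect, e.g. `tgkill: arg2 == SIGABRT`. The same question applies to `fcntl64: 1`, which this policy leaves unfiltered while the common device policy's scope is not visible here. A one-line comment above the block naming the pvr code paths that drive these syscalls would make future tightening possible.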
diff --git a/src/linux.rs b/src/linux.rs
index 46dc480..56750ae 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -623,6 +623,15 @@ fn create_gpu_device(
 
             add_crosvm_user_to_jail(&mut jail, "gpu")?;
 
+            // pvr driver requires read access to /proc/self/task/*/comm.
+            let proc_path = Path::new("/proc");
+            jail.mount(
+                proc_path,
+                proc_path,
+                "proc",
+                (libc::MS_NOSUID | libc::MS_NODEV | libc::MS_NOEXEC | libc::MS_RDONLY) as usize,
+            )?;
+
             Some(jail)
         }
         None => None,
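Review bot: The new `jail.mount` bind-mounts all of `/proc` into the gpu jail, whereas the comment above it only justifies read access to `/proc/self/task/*/comm`; a full procfs also exposes the entries of every other process visible in the jail's pid namespace, so the comment should state that scope and why it is acceptable, e.g. `// pvr driver requires read access to /proc/self/task/*/comm; this mounts the whole procfs read-only (nosuid/nodev/noexec), relying on the jail's pid namespace to hide other processes.` Whether this jail actually has its own pid namespace is decided where `jail` is constructed, outside this hunk, and should be verified before relying on it. The `as usize` cast on the combined `libc::MS_*` flags is lossless here but deserves a short why-comment since the crate otherwise avoids bare `as` casts. `create_gpu_device` begins and ends outside the hunk.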