From bbc866e7deea7193c3ed1becbe9c5e617ca79df4 Mon Sep 17 00:00:00 2001
From: Stephen Barber
Date: Thu, 5 Dec 2019 17:31:30 -0800
Subject: seccomp: add memfd_create to arm gpu_device.policy

BUG=chromium:1031360
TEST=graphics.CrostiniTraceGlxgears

Change-Id: I9b416a4a50b7747a0914b33d719f2459c499f71d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1954219
Tested-by: kokoro
Tested-by: Stephen Barber
Reviewed-by: David Riley
Reviewed-by: Gurchetan Singh
Commit-Queue: Stephen Barber
---
 seccomp/arm/gpu_device.policy | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index fd1e4d7..f177775 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -59,6 +59,9 @@ getdents64: 1
 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
 ioctl: arg1 & 0x6400 || arg1 & 0x8000
 
+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
+
 ## mmap/mprotect/openat differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
-- 
cgit 1.4.1
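Review bot: The comment above the added `memfd_create: arg1 == 3` rule decodes the constant but does not say that the exact match is deliberate, so a later edit could relax it to a mask test like the `ioctl` rule just above without seeing what that would admit. Equality on the flags argument rejects every other combination, including the hugetlb flags and a call that passes `MFD_CLOEXEC` alone, and that tight form is worth keeping. I would extend the comment to `# Used for sharing memory with wayland. Flags must be exactly MFD_CLOEXEC (0x1) | MFD_ALLOW_SEALING (0x2); any other value is rejected.` Separately, the `mmap2` rule in the trailing context allows `PROT_READ|PROT_EXEC` and constrains only arg2, so memfd-backed pages can now be mapped executable in this sandbox. Whether that is an accepted risk depends on rules outside this hunk and should be recorded in the policy or the commit message.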