From 5cf5af601edffbc6707b20f5f3dc13a7d520fcd3 Mon Sep 17 00:00:00 2001
From: Zach Reizner
Date: Wed, 15 Apr 2020 11:28:35 -0700
Subject: seccomp: allow kcmp on x86_64 gpu device

A mesa change to the amdgpu driver "winsys/amdgpu: Re-use amdgpu_screen_winsys when possible" causes kcmp to be called with the following simplified stacktrace.

    SYS_kcmp
    os_same_file_description
    amdgpu_winsys_create
    radeonsi_screen_create
    eglInitialize
    virgl_egl_init
    virgl_renderer_init

The use of this syscall caused the gpu device process to be killed with SIGSYS. This change fixes that by allowing kcmp in that process, which should be secure given the sandboxing in place and the level of permissions required by kernel to successfully use the kcmp syscall.

BUG=chromium:1070805
TEST=crostini.GPUEnabled.artifact_gpu_unstable

Change-Id: Ica0e5c6ebc01cbc33ac62fea001949798ca4446e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2151145
Reviewed-by: Dylan Reid
Reviewed-by: Drew Davenport
Reviewed-by: Daniel Verkamp
Reviewed-by: Lepton Wu
Reviewed-by: Victor Hsieh
Reviewed-by: Jorge Lucangeli Obes
Tested-by: Zach Reizner
Tested-by: Dylan Reid
Commit-Queue: Dylan Reid

--- seccomp/x86_64/gpu_device.policy | 1 + 1 file changed, 1 insertion(+) (limited to 'seccomp') diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy index 23b6b6c..331fc49 100644 --- a/seccomp/x86_64/gpu_device.policy +++ b/seccomp/x86_64/gpu_device.policy @@ -75,3 +75,4 @@ sysinfo: 1 uname: 1 sched_setscheduler: 1 sched_setaffinity: 1 +kcmp: 1 -- cgit 1.4.1
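Review bot: The added `kcmp: 1` line allows the syscall unconditionally, for every comparison type and any pid pair, while the commit message names a single caller, `os_same_file_description`, which compares file descriptions. If that is the only use, consider filtering on the type argument (the third argument, `arg2` in the policy syntax) so that only the file comparison is permitted and the other kcmp types still fail closed. The policy line also carries no explanation; a `#` comment above it pointing at the amdgpu winsys caller or the bug would tell a later auditor why this entry exists and when it can be removed. Finally, only `seccomp/x86_64/gpu_device.policy` is touched, so it is worth confirming in the change description that the gpu device policies for other architectures cannot reach the same Mesa code path.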