From ad656a9d3adad4c5cf682290f7fcc146df7d6b9d Mon Sep 17 00:00:00 2001
From: Gurchetan Singh
Date: Fri, 21 Jun 2019 10:19:29 -0700
Subject: seccomp: whitelist read-only/write-only GPU mappings
minigbm sometimes maps buffer with only PROT_READ or only PROT_WRITE, so allow this.
BUG=b:132939420
TEST=glxgears in container
Change-Id: Ie5ccd827dd14ee78b999d70287b7165d81c5c85e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1673533
Tested-by: kokoro
Tested-by: Gurchetan Singh
Commit-Queue: Gurchetan Singh
Reviewed-by: Zach Reizner
---
 seccomp/x86_64/gpu_device.policy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'seccomp')
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 233f00f..b6caa82 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -56,7 +56,7 @@ lstat: 1
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 # mmap/mprotect/open/openat differ from the common_device.policy
-mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
+mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
 open: 1
 openat: 1
-- cgit 1.4.1
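Review bot: The comment directly above the changed `mmap:` rule still only says these syscalls differ from common_device.policy, so the reason for the two new standalone `PROT_WRITE` and `PROT_READ` alternatives is recorded only in the commit message; I would put it in the policy file itself, e.g. `# minigbm maps some GPU buffers PROT_READ-only or PROT_WRITE-only`, so the next person tightening this filter knows what depends on it. The widened filter still admits no protection value that combines PROT_EXEC with PROT_WRITE, so the existing no-writable-executable-mapping property of this policy is preserved. The `mprotect:` rule in the same hunk was not widened to accept `arg2 == PROT_WRITE`, meaning a write-only mapping cannot later be re-protected to write-only; that is presumably not needed for minigbm's usage, but it is worth confirming since a mismatch would surface as a sandbox kill rather than an error. The diffstat shows only the x86_64 policy changed; if equivalent gpu_device.policy files exist for other architectures, they would need the same alternatives for the same workload to run there.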