mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2024-11-25 05:03:05 +00:00
seccomp: unrefactor gpu_device.policy
Due to repeated syscall rules in gpu_device and common_device policies, minijail fails to compile the gpu_device.policy. This change unrefactors that policy so that it may compile properly. BUG=chromium:936633,chromium:837073 TEST=vmc start --enable-gpu termina Change-Id: I09ab9296247279c3a9ba6e3a6852e2a7ae2612ed Reviewed-on: https://chromium-review.googlesource.com/1493424 Commit-Ready: Dylan Reid <dgreid@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Tested-by: Zach Reizner <zachr@chromium.org> Reviewed-by: Dylan Reid <dgreid@chromium.org>
This commit is contained in:
Zach Reizner
chrome-bot
parent
41a6f84d85
commit
a632f4b170
1 changed files with 39 additions and 3 deletions
|
|
@ -2,8 +2,45 @@
|
|||
# Use of this source code is governed by a BSD-style license that can be
|
||||
# found in the LICENSE file.
|
||||
|
||||
@include /usr/share/policy/crosvm/common_device.policy
|
||||
# Rules from common_device.policy with some rules removed because they block certain flags needed
|
||||
# for gpu.
|
||||
brk: 1
|
||||
clone: arg0 & CLONE_THREAD
|
||||
close: 1
|
||||
dup2: 1
|
||||
dup: 1
|
||||
epoll_create1: 1
|
||||
epoll_ctl: 1
|
||||
epoll_wait: 1
|
||||
eventfd2: 1
|
||||
exit: 1
|
||||
exit_group: 1
|
||||
futex: 1
|
||||
getpid: 1
|
||||
gettimeofday: 1
|
||||
kill: 1
|
||||
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
|
||||
mremap: 1
|
||||
munmap: 1
|
||||
nanosleep: 1
|
||||
pipe2: 1
|
||||
poll: 1
|
||||
ppoll: 1
|
||||
prctl: arg0 == PR_SET_NAME
|
||||
read: 1
|
||||
recvfrom: 1
|
||||
recvmsg: 1
|
||||
restart_syscall: 1
|
||||
rt_sigaction: 1
|
||||
rt_sigprocmask: 1
|
||||
rt_sigreturn: 1
|
||||
sched_getaffinity: 1
|
||||
sendmsg: 1
|
||||
set_robust_list: 1
|
||||
sigaltstack: 1
|
||||
write: 1
|
||||
|
||||
# Rules specific to gpu
|
||||
connect: 1
|
||||
fcntl: arg1 == F_DUPFD_CLOEXEC
|
||||
fstat: 1
|
||||
|
|
@ -18,12 +55,11 @@ lseek: 1
|
|||
lstat: 1
|
||||
# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
|
||||
memfd_create: arg1 == 3
|
||||
# mmap/mprotect/open/openat differ from the common_device.policy
|
||||
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
|
||||
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
|
||||
open: 1
|
||||
openat: 1
|
||||
readlink: 1
|
||||
recvmsg: 1
|
||||
sendmsg: 1
|
||||
socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
|
||||
stat: 1
|
||||
|
|
|
|||
Loading…
Reference in a new issue