seccomp: allow clone3 to video_device on x86

Recently, common_device.policy added clone3. It is included by most
devices through include, but the video device missed it since it doesn't
include common_device.policy due to some policy override.

This commit adds clone3 to the policy of the video device to fix that
problem. With this fix, the video device successfully runs in the
sandbox on newer kernels.

BUG=None
TEST=a vm with a video device launches with the sandbox enabled

Change-Id: Idc2dee824e863f3ee43cfd6ce76656e36d6200c0
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4053447
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Commit-Queue: Takaya Saeki <takayas@chromium.org>
Takaya Saeki 2022-11-24 03:51:07 +00:00 committed by crosvm LUCI
parent cd34ddcff7
commit e299f02d3f


@ -7,6 +7,7 @@
brk: 1
clock_gettime: 1
clone: arg0 & CLONE_THREAD
clone3: 1
close: 1
dup2: 1
dup: 1
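
Review bot: The added `clone3: 1` allows the syscall unconditionally, while the line directly above it keeps `clone: arg0 & CLONE_THREAD`. clone3 takes its flags inside a struct passed by pointer, which a seccomp filter cannot dereference, so the thread-only restriction on clone no longer bounds what this device process can create. If that is accepted for consistency with common_device.policy, a comment next to the entry saying so would help; otherwise consider `clone3: return ENOSYS` so libc falls back to the filtered clone path. Because this policy does not include common_device.policy, a comment noting that shared additions must be mirrored here by hand would also help avoid the same gap next time.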