Allow sched_yield in all devices' seccomp policy

The sched_yield system call is somehow called by the code the rust compiler generates and not directly by the author's implementation. That along with the fact that it won't get called on every run makes it very easy to miss when adding a new device (that happened with virtio-snd). Since that call is quite harmless (it could be argued minijail shouldn't even block it in the first place) it makes sense to allow it for all devices. BUG=b/201306350 Change-Id: I9895da6c8060ae83053474ed9e4472ea2cd8d3e3 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3248126 Auto-Submit: Jorge Moreira Broche <jemoreira@google.com> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Jorge Moreira Broche <jemoreira@google.com> Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
2024-11-28 01:16:50 +00:00 · 2021-10-27 10:50:22 -07:00 · 2021-10-27 10:50:22 -07:00 · e40fb21c0d
commit e40fb21c0d
parent 31ef2d0b76
7 changed files with 5 additions and 8 deletions
--- a/seccomp/aarch64/common_device.policy
+++ b/seccomp/aarch64/common_device.policy
@ -37,6 +37,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
--- a/seccomp/arm/common_device.policy
+++ b/seccomp/arm/common_device.policy
@ -46,6 +46,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@ -42,6 +42,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
@ -103,6 +104,3 @@ access: 1
 getgid32: 1
 getegid32: 1
 getcwd: 1
-
-# Rules for virglrenderer
-sched_yield: 1
--- a/seccomp/arm/video_device.policy
+++ b/seccomp/arm/video_device.policy
@ -22,7 +22,6 @@ getuid32: 1
 ioctl: arg1 & 0x6400
 memfd_create: 1
 openat: 1
-sched_yield: 1
 send: 1
 setpriority: 1
 socket: arg0 == AF_UNIX
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@ -40,6 +40,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@ -39,6 +39,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
@ -101,6 +102,3 @@ access: 1
 getgid: 1
 getegid: 1
 getcwd: 1
-
-# Rules for virglrenderer
-sched_yield: 1
--- a/seccomp/x86_64/video_device.policy
+++ b/seccomp/x86_64/video_device.policy
@ -21,7 +21,6 @@ ioctl: arg1 & 0x6400
 memfd_create: 1
 newfstatat: 1
 openat: 1
-sched_yield: 1
 setpriority: 1
 socket: arg0 == AF_UNIX
 stat: 1