From e40fb21c0dfaefc5865a3097491268f873a48f51 Mon Sep 17 00:00:00 2001 From: "Jorge E. Moreira" Date: Wed, 27 Oct 2021 10:50:22 -0700 Subject: [PATCH] Allow sched_yield in all devices' seccomp policy The sched_yield system call is somehow called by the code the rust compiler generates and not directly by the author's implementation. That along with the fact that it won't get called on every run makes it very easy to miss when adding a new device (that happened with virtio-snd). Since that call is quite harmless (it could be argued minijail shouldn't even block it in the first place) it makes sense to allow it for all devices. BUG=b/201306350 Change-Id: I9895da6c8060ae83053474ed9e4472ea2cd8d3e3 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3248126 Auto-Submit: Jorge Moreira Broche Tested-by: kokoro Commit-Queue: Jorge Moreira Broche Reviewed-by: Daniel Verkamp
---
 seccomp/aarch64/common_device.policy | 1 +
 seccomp/arm/common_device.policy | 1 +
 seccomp/arm/gpu_device.policy | 4 +---
 seccomp/arm/video_device.policy | 1 -
 seccomp/x86_64/common_device.policy | 1 +
 seccomp/x86_64/gpu_device.policy | 4 +---
 seccomp/x86_64/video_device.policy | 1 -
 7 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/seccomp/aarch64/common_device.policy b/seccomp/aarch64/common_device.policy
index 8899c316a3..771a9880b1 100644
--- a/seccomp/aarch64/common_device.policy
+++ b/seccomp/aarch64/common_device.policy
@@ -37,6 +37,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy
index 859d7e1847..f0adee9592 100644
--- a/seccomp/arm/common_device.policy
+++ b/seccomp/arm/common_device.policy
@@ -46,6 +46,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
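Review bot: The aarch64 tree only receives the common_device.policy addition here; the per-device cleanup that the arm and x86_64 hunks perform (dropping the now-redundant sched_yield line from gpu_device.policy and video_device.policy) has no aarch64 counterpart in this patch, so if seccomp/aarch64/gpu_device.policy or seccomp/aarch64/video_device.policy carry their own sched_yield rule they will hold a duplicate after this lands — those files are not in the diff, so confirm against the tree. The new rule sits in alphabetical position between sched_getaffinity and sendmsg, consistent with the surrounding entries, and the identical hunk is repeated for seccomp/arm/common_device.policy and seccomp/x86_64/common_device.policy. The widening of the sandbox is minimal: sched_yield takes no arguments and grants no access to files, memory or sockets, so an unconditional `sched_yield: 1` is the right shape rather than an argument filter. Because the rationale lives only in the commit message, a one-line comment above the rule, `# Reached via compiler-generated code rather than device code (b/201306350).`, would stop it from being pruned later as apparently unused.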
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index 6d0902dc95..49c1b84e69 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -42,6 +42,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
@@ -103,6 +104,3 @@ access: 1
 getgid32: 1
 getegid32: 1
 getcwd: 1
-
-# Rules for virglrenderer
-sched_yield: 1
diff --git a/seccomp/arm/video_device.policy b/seccomp/arm/video_device.policy
index 68e5ad03b0..81699572e5 100644
--- a/seccomp/arm/video_device.policy
+++ b/seccomp/arm/video_device.policy
@@ -22,7 +22,6 @@ getuid32: 1
 ioctl: arg1 & 0x6400
 memfd_create: 1
 openat: 1
-sched_yield: 1
 send: 1
 setpriority: 1
 socket: arg0 == AF_UNIX
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
index f74b9c9a69..8c72d0d53d 100644
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@@ -40,6 +40,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 3210c8e79a..d28f828a12 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -39,6 +39,7 @@ rt_sigaction: 1
 rt_sigprocmask: 1
 rt_sigreturn: 1
 sched_getaffinity: 1
+sched_yield: 1
 sendmsg: 1
 sendto: 1
 set_robust_list: 1
@@ -101,6 +102,3 @@ access: 1
 getgid: 1
 getegid: 1
 getcwd: 1
-
-# Rules for virglrenderer
-sched_yield: 1
diff --git a/seccomp/x86_64/video_device.policy b/seccomp/x86_64/video_device.policy
index 659b152f3f..36d3ac4935 100644
--- a/seccomp/x86_64/video_device.policy
+++ b/seccomp/x86_64/video_device.policy
@@ -21,7 +21,6 @@ ioctl: arg1 & 0x6400
 memfd_create: 1
 newfstatat: 1
 openat: 1
-sched_yield: 1
 setpriority: 1
 socket: arg0 == AF_UNIX
 stat: 1
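Review bot: In seccomp/arm/gpu_device.policy the rule only moves — the first hunk adds `sched_yield: 1` in alphabetical position and the second hunk deletes the copy under `# Rules for virglrenderer` — but the deletion also discards the only record that virglrenderer, not just compiler-generated code, depends on this syscall in the GPU process. The context lines show this file carrying its own copies of the common rules (rt_sigprocmask, rt_sigreturn, sched_getaffinity) rather than visibly including common_device.policy, so it does appear to need its own line and the allowed set is unchanged; only the attribution is lost. Suggest keeping it beside the new rule as a standalone comment line, `# Also needed by virglrenderer.` directly above `sched_yield: 1`, since standalone `#` lines are already the comment form used in these files. The same applies to the two hunks of seccomp/x86_64/gpu_device.policy. The video_device.policy hunks for arm and x86_64, by contrast, only delete the rule, which is correct only if those files pull in common_device.policy — that line is outside the hunks shown, so confirm it before relying on the deletion.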