I guess this was caused by libc uprev so the actual used
system call changed.
BUG=b:206348631
TEST=manual - Run arc.Boot.vm on kukui-arc-r with updated policy
Change-Id: Ibb8702d9ec6844624c9779088aefcdad34322d80
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3290581
Auto-Submit: Lepton Wu <lepton@chromium.org>
Commit-Queue: Keiichi Watanabe <keiichiw@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
The sched_yield system call is somehow called by the code the rust
compiler generates and not directly by the author's implementation. That
along with the fact that it won't get called on every run makes it very
easy to miss when adding a new device (that happened with virtio-snd).
Since that call is quite harmless (it could be argued minijail shouldn't
even block it in the first place) it makes sense to allow it for all
devices.
BUG=b/201306350
Change-Id: I9895da6c8060ae83053474ed9e4472ea2cd8d3e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3248126
Auto-Submit: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
On trogdor devices, fstatfs64 is not used. Instead, 32bit
fstatfs is used. We need to add both to all 32bit Arm
policy files which were originally determined to be
problematic.
This adds fstsatfs to all 32bit Arm policy files which
were modified for the original glibc security change.
Additionally, this commit sorts the syscalls lexicographically
if the policy file was already sorted.
BUG=chromium:1182687
TEST=CQ of http://crrev.com/c/2910526
Change-Id: I42eb12456625d400ee3422af08d56d648e3f9075
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3066144
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
At present, libraries which use glibc to dynamically load
shared libraries do not have fstafs in their seccomp policies.
A change in glibc will force all systems which load shared
libraries to call the fstatfs or fstatfs64 syscall.
Without the call, crosvm will not start when running
crostini/android tests.
BUG=chromium:1182687
TEST=CQ of https://crrev.com/c/2910526
Change-Id: I10abb8866474c2fe0398a17a80069cf2b0629493
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3011355
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
The libminijail version in AOSP complains when there are multiple entries for
the same system call, which was the case for virtio-fs's policy.
BUG=b/185811304
Change-Id: I389c07c86e7d79f16e4f47a893abad598033352a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2837307
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Fds created via dup don't share file descriptor flags with the original
fd, which means that they don't have the FD_CLOEXEC flag set. Use
fcntl(F_DUPFD_CLOEXEC) so that this flag gets set for the duplicated fds
as well.
BUG=none
TEST=unit tests
Change-Id: Ib471cf40acac1eacf72969ba45247f50b349ed58
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2809687
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
glibc 2.32 is using clock_gettime/64 on some arm boards
when gettimeofday is used. In addition, support 64-bit
variants of the time syscalls for use with glibc 2.32.
BUG=chromium:1190305
TEST=crostini tests pass
Change-Id: I070eee92817d3f959ea385ff2c3adca610e0a574
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2776211
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
