authorChia-I Wu <olv@google.com>2021-12-01 13:25:41 -0800
committerCommit Bot <commit-bot@chromium.org>2021-12-09 20:16:10 +0000
commit64ba89ac84912379d4694a3497e8bc9b436e1630 (patch)
tree5f9fb133d78aba90b50307380bfcad0b0874e75b /seccomp
parentfffb5691370930ff1dccafb890c436e37fc749cb (diff)
downloadcrosvm-64ba89ac84912379d4694a3497e8bc9b436e1630.tar.gz
seccomp: add gpu_common.policy
Let gpu_device.policy include gpu_common.policy. No functional change. BUG=b:177267762 TEST=run vk and gl apps on volteer Change-Id: Ic83c29b5713c95374562ee6eba35002142e00357 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3311904 Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-by: Chirantan Ekbote <chirantan@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Chia-I Wu <olv@google.com>
Diffstat (limited to 'seccomp')
-rw-r--r--seccomp/aarch64/gpu_common.policy84
-rw-r--r--seccomp/aarch64/gpu_device.policy82
-rw-r--r--seccomp/arm/gpu_common.policy106
-rw-r--r--seccomp/arm/gpu_device.policy104
-rw-r--r--seccomp/x86_64/gpu_common.policy104
-rw-r--r--seccomp/x86_64/gpu_device.policy102
6 files changed, 300 insertions, 282 deletions
diff --git a/seccomp/aarch64/gpu_common.policy b/seccomp/aarch64/gpu_common.policy
new file mode 100644
index 000000000..64dcf3f58
--- /dev/null
+++ b/seccomp/aarch64/gpu_common.policy
@@ -0,0 +1,84 @@
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Rules from common_device.policy with some rules removed because they block certain flags needed
+# for gpu.
+brk: 1
+close: 1
+dup3: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_pwait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getcwd: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mremap: 1
+munmap: 1
+nanosleep: 1
+clock_nanosleep: 1
+pipe2: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
+read: 1
+readlinkat: 1
+readv: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+sendto: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+writev: 1
+uname: 1
+
+# Required for perfetto tracing
+getsockopt: 1
+shutdown: 1
+
+## Rules specific to gpu
+connect: 1
+getrandom: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+lseek: 1
+ftruncate: 1
+statx: 1
+fstat: 1
+newfstatat: 1
+getdents64: 1
+sysinfo: 1
+fstatfs: 1
+
+# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
+ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
+
+## mmap/mprotect differ from the common_device.policy
+mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+openat: 1
+
+## Rules specific to pvr
+geteuid: 1
+getuid: 1
+gettid: 1
+fcntl: 1
+tgkill: 1
+clock_gettime: 1
+
+# Rules specific to Mesa.
+sched_setscheduler: 1
+sched_setaffinity: 1
+kcmp: 1
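Review bot: The `ioctl: arg1 & 0x6400 || arg1 & 0x8000 || …` rule is much wider than its comment suggests: as I read minijail's `&` operator it passes when any bit of the mask is set in the argument, so `arg1 & 0x6400` admits every ioctl whose type byte has bit 0x40 or bit 0x04 set, not only DRM's type 0x64, and `arg1 & 0x8000` admits every type byte with bit 0x80 set. The rule predates this commit and is only moved here, but since gpu_common.policy is now the shared base for all three architectures it is the right place to tighten it, either by listing the DRM/KBASE request values the device actually issues or, if the policy syntax the build uses supports it, by a masked comparison on the type byte. At minimum the comment should describe what the test really does, e.g. `# NOTE: '&' is an any-bits-set test, not a type-byte match; this admits more than DRM/KBASE ioctls`. The same rule is carried into seccomp/arm/gpu_common.policy and seccomp/x86_64/gpu_common.policy (the latter without the 0x8000 mali term).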
diff --git a/seccomp/aarch64/gpu_device.policy b/seccomp/aarch64/gpu_device.policy
index e8b3ca410..921b25be5 100644
--- a/seccomp/aarch64/gpu_device.policy
+++ b/seccomp/aarch64/gpu_device.policy
@@ -2,84 +2,6 @@
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
-# Rules from common_device.policy with some rules removed because they block certain flags needed
-# for gpu.
-brk: 1
-clone: arg0 & CLONE_THREAD
-close: 1
-dup3: 1
-dup: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_pwait: 1
-eventfd2: 1
-exit: 1
-exit_group: 1
-futex: 1
-getcwd: 1
-getpid: 1
-gettimeofday: 1
-kill: 1
-madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
-mremap: 1
-munmap: 1
-nanosleep: 1
-clock_nanosleep: 1
-pipe2: 1
-ppoll: 1
-prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
-read: 1
-readlinkat: 1
-readv: 1
-recvfrom: 1
-recvmsg: 1
-restart_syscall: 1
-rt_sigaction: 1
-rt_sigprocmask: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sendmsg: 1
-sendto: 1
-set_robust_list: 1
-sigaltstack: 1
-write: 1
-writev: 1
-uname: 1
-
-# Required for perfetto tracing
-getsockopt: 1
-shutdown: 1
-
-## Rules specific to gpu
-connect: 1
-getrandom: 1
-socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
-lseek: 1
-ftruncate: 1
-statx: 1
-fstat: 1
-newfstatat: 1
-getdents64: 1
-sysinfo: 1
-fstatfs: 1
-
-# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
-ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
+@include /usr/share/policy/crosvm/gpu_common.policy
-## mmap/mprotect differ from the common_device.policy
-mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
-mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
-openat: 1
-
-## Rules specific to pvr
-geteuid: 1
-getuid: 1
-gettid: 1
-fcntl: 1
-tgkill: 1
-clock_gettime: 1
-
-# Rules specific to Mesa.
-sched_setscheduler: 1
-sched_setaffinity: 1
-kcmp: 1
+clone: arg0 & CLONE_THREAD
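Review bot: `@include /usr/share/policy/crosvm/gpu_common.policy` hard-codes the installed location of the common file rather than a path relative to this policy, so the device policy is only valid once gpu_common.policy has been installed to that directory and cannot be validated from the source tree alone. A comment above the include recording that dependency would help whoever packages these files, e.g. `# gpu_common.policy is resolved at its installed path; keep this in sync with the install step`. Only `clone: arg0 & CLONE_THREAD` remains in the per-device file and nothing records why it is kept out of the common file; a one-line comment stating the reason would make the split intentional rather than accidental. The same applies to the hunks for seccomp/arm/gpu_device.policy and seccomp/x86_64/gpu_device.policy.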
diff --git a/seccomp/arm/gpu_common.policy b/seccomp/arm/gpu_common.policy
new file mode 100644
index 000000000..d434f8668
--- /dev/null
+++ b/seccomp/arm/gpu_common.policy
@@ -0,0 +1,106 @@
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Rules from common_device.policy with some rules removed because they block certain flags needed
+# for gpu.
+brk: 1
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+futex_time64: 1
+getcwd: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mremap: 1
+munmap: 1
+nanosleep: 1
+clock_nanosleep: 1
+clock_nanosleep_time64: 1
+pipe2: 1
+poll: 1
+ppoll: 1
+ppoll_time64: 1
+prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
+read: 1
+readlink: 1
+readlinkat: 1
+readv: 1
+recv: 1
+recvfrom: 1
+recvmsg: 1
+recvmmsg_time64: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sched_yield: 1
+sendmsg: 1
+sendto: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+writev: 1
+uname: 1
+
+# Required for perfetto tracing
+getsockopt: 1
+shutdown: 1
+
+## Rules specific to gpu
+connect: 1
+getrandom: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+_llseek: 1
+ftruncate64: 1
+stat64: 1
+statx: 1
+fstat64: 1
+fstatat64: 1
+getdents: 1
+getdents64: 1
+sysinfo: 1
+fstatfs: 1
+fstatfs64: 1
+
+# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
+ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
+
+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
+
+## mmap/mprotect differ from the common_device.policy
+mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: return ENOENT
+openat: 1
+
+## Rules specific to pvr
+geteuid32: 1
+getuid32: 1
+lstat64: 1
+gettid: 1
+fcntl64: 1
+tgkill: 1
+clock_gettime: 1
+clock_gettime64: 1
+
+# Rules specific to Mesa.
+sched_setscheduler: 1
+sched_setaffinity: 1
+kcmp: 1
+
+# Rules for Vulkan loader / layers
+access: 1
+getgid32: 1
+getegid32: 1
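Review bot: `fcntl64: 1` here (and `fcntl: 1` in the aarch64 file) allows every fcntl command, whereas the x86_64 common policy restricts `fcntl` to `F_DUPFD_CLOEXEC || F_SETFD || F_GETFL || F_SETFL`; now that all three architectures share the gpu_common.policy layout, the looser arm/aarch64 rules would benefit from the same allow-list, or a comment stating which additional commands the pvr stack needs. `open: return ENOENT` also differs from `open: 1` in the x86_64 file; that may well be intentional, but a comment beside the rule saying so would keep a future cross-architecture sync from "fixing" it in either direction.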
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index 13a297cd1..921b25be5 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -2,106 +2,6 @@
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
-# Rules from common_device.policy with some rules removed because they block certain flags needed
-# for gpu.
-brk: 1
-clone: arg0 & CLONE_THREAD
-close: 1
-dup2: 1
-dup: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-eventfd2: 1
-exit: 1
-exit_group: 1
-futex: 1
-futex_time64: 1
-getcwd: 1
-getpid: 1
-gettimeofday: 1
-kill: 1
-madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
-mremap: 1
-munmap: 1
-nanosleep: 1
-clock_nanosleep: 1
-clock_nanosleep_time64: 1
-pipe2: 1
-poll: 1
-ppoll: 1
-ppoll_time64: 1
-prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
-read: 1
-readlink: 1
-readlinkat: 1
-readv: 1
-recv: 1
-recvfrom: 1
-recvmsg: 1
-recvmmsg_time64: 1
-restart_syscall: 1
-rt_sigaction: 1
-rt_sigprocmask: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-sendto: 1
-set_robust_list: 1
-sigaltstack: 1
-write: 1
-writev: 1
-uname: 1
-
-# Required for perfetto tracing
-getsockopt: 1
-shutdown: 1
-
-## Rules specific to gpu
-connect: 1
-getrandom: 1
-socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
-_llseek: 1
-ftruncate64: 1
-stat64: 1
-statx: 1
-fstat64: 1
-fstatat64: 1
-getdents: 1
-getdents64: 1
-sysinfo: 1
-fstatfs: 1
-fstatfs64: 1
-
-# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
-ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543
-
-# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
-memfd_create: arg1 == 3
+@include /usr/share/policy/crosvm/gpu_common.policy
-## mmap/mprotect differ from the common_device.policy
-mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
-mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
-open: return ENOENT
-openat: 1
-
-## Rules specific to pvr
-geteuid32: 1
-getuid32: 1
-lstat64: 1
-gettid: 1
-fcntl64: 1
-tgkill: 1
-clock_gettime: 1
-clock_gettime64: 1
-
-# Rules specific to Mesa.
-sched_setscheduler: 1
-sched_setaffinity: 1
-kcmp: 1
-
-# Rules for Vulkan loader / layers
-access: 1
-getgid32: 1
-getegid32: 1
+clone: arg0 & CLONE_THREAD
diff --git a/seccomp/x86_64/gpu_common.policy b/seccomp/x86_64/gpu_common.policy
new file mode 100644
index 000000000..f43ca6290
--- /dev/null
+++ b/seccomp/x86_64/gpu_common.policy
@@ -0,0 +1,104 @@
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Rules from common_device.policy with some rules removed because they block certain flags needed
+# for gpu.
+brk: 1
+clock_gettime: 1
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getcwd: 1
+getpid: 1
+gettid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mremap: 1
+munmap: 1
+nanosleep: 1
+clock_nanosleep: 1
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
+read: 1
+readlink: 1
+readlinkat: 1
+readv: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sched_yield: 1
+sendmsg: 1
+sendto: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+writev: 1
+uname: 1
+
+# Rules specific to gpu
+connect: 1
+fcntl: arg1 == F_DUPFD_CLOEXEC || arg1 == F_SETFD || arg1 == F_GETFL || \
+ arg1 == F_SETFL
+fstat: 1
+# Used to set of size new memfd.
+ftruncate: 1
+getdents: 1
+getdents64: 1
+geteuid: 1
+getrandom: 1
+getuid: 1
+# 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x6400 == DRM_IOCTL_BASE, 0x40087543 == UDMABUF_CREATE_LIST
+ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400 || arg1 == 0x40087543
+lseek: 1
+lstat: 1
+# Used for sharing memory with wayland. Also internally by Intel anv.
+# arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING or simply MFD_CLOEXEC.
+memfd_create: arg1 == 3 || arg1 == 1
+# mmap/mprotect/open/openat differ from the common_device.policy
+mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: 1
+openat: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+stat: 1
+statx: 1
+sysinfo: 1
+fstatfs: 1
+
+# Required for perfetto tracing
+# fcntl: arg1 == F_SETFD || arg1 == F_GETFL || arg1 == F_SETFL (merged above)
+getsockopt: 1
+shutdown: 1
+
+# Rules for Mesa's shader binary cache.
+flock: 1
+mkdir: 1
+newfstatat: 1
+rename: 1
+setpriority: 1
+unlink: 1
+
+# Rules specific to AMD gpus.
+sched_setscheduler: 1
+sched_setaffinity: 1
+kcmp: 1
+
+# Rules for Vulkan loader / layers
+access: 1
+getgid: 1
+getegid: 1
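Review bot: The comment `# Used to set of size new memfd.` above `ftruncate: 1` is garbled and should read `# Used to set the size of a new memfd.`. The heading `# Rules specific to AMD gpus.` labels the same three rules (`sched_setscheduler`, `sched_setaffinity`, `kcmp`) that the arm and aarch64 files label `# Rules specific to Mesa.`; the headings should agree so the three common files can be diffed against each other. The line `# fcntl: arg1 == F_SETFD || arg1 == F_GETFL || arg1 == F_SETFL (merged above)` is a disabled rule kept as history; a plain note such as `# perfetto also needs fcntl F_SETFD/F_GETFL/F_SETFL, covered by the fcntl rule above` reads more clearly.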
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 4a5d57e28..94dfde1b5 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -2,104 +2,6 @@
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
-# Rules from common_device.policy with some rules removed because they block certain flags needed
-# for gpu.
-brk: 1
-clock_gettime: 1
-clone: arg0 & CLONE_THREAD
-close: 1
-dup2: 1
-dup: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-eventfd2: 1
-exit: 1
-exit_group: 1
-futex: 1
-getcwd: 1
-getpid: 1
-gettid: 1
-gettimeofday: 1
-kill: 1
-madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
-mremap: 1
-munmap: 1
-nanosleep: 1
-clock_nanosleep: 1
-pipe2: 1
-poll: 1
-ppoll: 1
-prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME
-read: 1
-readlink: 1
-readlinkat: 1
-readv: 1
-recvfrom: 1
-recvmsg: 1
-restart_syscall: 1
-rt_sigaction: 1
-rt_sigprocmask: 1
-rt_sigreturn: 1
-sched_getaffinity: 1
-sched_yield: 1
-sendmsg: 1
-sendto: 1
-set_robust_list: 1
-sigaltstack: 1
-write: 1
-writev: 1
-uname: 1
-
-# Rules specific to gpu
-connect: 1
-fcntl: arg1 == F_DUPFD_CLOEXEC || arg1 == F_SETFD || arg1 == F_GETFL || \
- arg1 == F_SETFL
-fstat: 1
-# Used to set of size new memfd.
-ftruncate: 1
-getdents: 1
-getdents64: 1
-geteuid: 1
-getrandom: 1
-getuid: 1
-# 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x6400 == DRM_IOCTL_BASE, 0x40087543 == UDMABUF_CREATE_LIST
-ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400 || arg1 == 0x40087543
-lseek: 1
-lstat: 1
-# Used for sharing memory with wayland. Also internally by Intel anv.
-# arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING or simply MFD_CLOEXEC.
-memfd_create: arg1 == 3 || arg1 == 1
-# mmap/mprotect/open/openat differ from the common_device.policy
-mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
-mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
-open: 1
-openat: 1
-socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
-stat: 1
-statx: 1
-sysinfo: 1
-fstatfs: 1
-
-# Required for perfetto tracing
-# fcntl: arg1 == F_SETFD || arg1 == F_GETFL || arg1 == F_SETFL (merged above)
-getsockopt: 1
-shutdown: 1
+@include /usr/share/policy/crosvm/gpu_common.policy
-# Rules for Mesa's shader binary cache.
-flock: 1
-mkdir: 1
-newfstatat: 1
-rename: 1
-setpriority: 1
-unlink: 1
-
-# Rules specific to AMD gpus.
-sched_setscheduler: 1
-sched_setaffinity: 1
-kcmp: 1
-
-# Rules for Vulkan loader / layers
-access: 1
-getgid: 1
-getegid: 1
+clone: arg0 & CLONE_THREAD