# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Minijail seccomp policy. One "syscall: expression" rule per line: "1" allows
# the call unconditionally, an argN expression allows it only when the
# expression holds, and a syscall with no rule at all is denied. Lines that
# start with "#" are comments and are ignored by the policy parser.
#
# NOTE(review): a second license header and a device-common allow list follow
# below, so this text appears to join more than one policy file (or an
# included one) -- confirm the layout against the source tree before editing.

# open/openat receive their path and flags through pointers, which seccomp
# cannot inspect; whichever files are reachable is decided by the jail's
# mount namespace / filesystem view, not by these two rules.
open: 1
openat: 1

# Copyright 2019 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This is an allow list of syscalls for most of crosvm devices.
#
# Note that some device policy files don't depend on this policy file
# because of some conflicts such as gpu_common.policy.
# If you want to modify policies for all the devices, please modify
# not only this file but also other *_common.policy files.

brk: 1
clock_gettime: 1
# ANDROID: modified to 1 because of duplicate error with jail_warden
# NOTE(review): "1" accepts every clone() flag combination, i.e. new processes
# as well as new threads. The comment implies an earlier argument filter was
# dropped (presumably a thread-only restriction such as CLONE_THREAD) because
# a policy may carry only one rule per syscall -- confirm the intended scope
# with the jail_warden policy this is merged with.
clone: 1
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
futex: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): the io_uring_* calls are unconditional. io_uring exposes a
# large kernel surface; confirm these devices really drive an io_uring-based
# executor and that any further restriction is handled by controls outside
# seccomp.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
kill: 1
lseek: 1
# ANDROID: modified to 1 because of duplicate error with jail_warden
# NOTE(review): unconditional -- the advice value (arg2) is no longer limited.
madvise: 1
membarrier: 1
memfd_create: 1
# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
# The expression allows the call when PROT_EXEC is absent OR PROT_WRITE is
# absent, so the only rejected request is a mapping that is writable and
# executable at the same time (a W^X rule rather than a no-exec rule).
# Each call is judged on its own arguments; the rule therefore rules out the
# simultaneous case only and is not a guarantee that a region is never both
# writable and executable over its lifetime.
mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
# Same W^X shape as mmap above: denied only when arg2 carries both PROT_EXEC
# and PROT_WRITE.
mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
# arg2 == SIGABRT -- ANDROID(b/270404912): modified to 1 - duplicate error.
# NOTE(review): with "1" any signal number is accepted, not only SIGABRT;
# kill above is likewise unconditional.
tgkill: 1
write: 1
writev: 1
fcntl: 1
uname: 1

# ANDROID(b/271625758): disabled to fix duplicate syscall error.
# The duplicate arises because this file already carries an ioctl rule
# (arg1 == FIOCLEX, below) and the parser apparently accepts a single rule per
# syscall. Re-enabling vmm-swap would mean folding these request codes into
# that one ioctl expression with "||" rather than adding a second ioctl line.
# ## Rules for vmm-swap
# userfaultfd: 1
# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00

# NOTE(review): the rules below look like file-system style additions
# (metadata, directory, ownership and permission operations); confirm which
# device relies on them, as all but the two argument-filtered rules are
# unconditional.
pwrite64: 1
stat: 1
statx: 1
fstat: 1
# Only the close-on-exec ioctl is permitted; any other request code is denied.
ioctl: arg1 == FIOCLEX
linkat: 1
unlinkat: 1
renameat: 1
pread64: 1
getdents64: 1
mkdirat: 1
rmdir: 1
fsync: 1
fdatasync: 1
utimensat: 1
fchmod: 1
fchmodat: 1
fchown: 1
fchownat: 1
fstatfs: 1
newfstatat: 1
# Only thread/process naming is allowed; every other prctl option is denied
# by this rule.
prctl: arg0 == PR_SET_NAME
