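# Copyright 2022 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Policy file for a block device used as a regular, in-VMM virtio device.
#
# NOTE(review): this file reads as a flattened concatenation of a common
# device allow list (the 2019-headed section below) and the block-device
# specific rules at the end; the embedded license headers are kept as found.
# Minijail parses one rule per line, so the one-rule-per-line layout
# restored here is required for the file to load at all.
#
# Rule syntax as used in this file:
#   name: 1                -> syscall allowed with any arguments
#   name: return ERRNO     -> syscall fails with ERRNO instead of SIGSYS
#   argN in ~FLAG          -> FLAG must be clear in argument N
#   argN == VALUE          -> argument N must equal VALUE

# Copyright 2019 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This is an allow list of syscalls for most of crosvm devices.
#
# Note that some device policy files don't depend on this policy file
# because of some conflicts such as gpu_common.policy.
# If you want to modify policies for all the devices, please modify
# not only this file but also other *_common.policy files.

brk: 1
clock_gettime: 1
# ANDROID: modified to 1 because of duplicate error with jail_warden
# NOTE(review): `1` admits every clone flag combination, so the device may
# create whole new processes, not just threads. A narrower rule such as
# `arg0 & CLONE_THREAD` would limit it to threads; confirm against the
# jail_warden set-up that motivated the change.
clone: 1
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
futex: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): seccomp only filters these three entry points; operations
# queued through the ring (e.g. IORING_OP_OPENAT) are not individually
# visible to this filter, so the `open`/`openat` rules further down do not
# constrain work submitted via io_uring. Confirm this device needs io_uring.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
kill: 1
lseek: 1
# ANDROID: modified to 1 because of duplicate error with jail_warden
# NOTE(review): all madvise advice values are admitted as a result.
madvise: 1
membarrier: 1
memfd_create: 1
# Either PROT_EXEC or PROT_WRITE must be clear: a mapping may be writable
# or executable, but never both at once (no W+X memory in this process).
# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
# Same W^X constraint applied to permission changes on existing mappings.
# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
# arg2 == SIGABRT -- ANDROID(b/270404912): modified to 1 - duplicate error.
# NOTE(review): with `1`, any signal number may be sent, not only SIGABRT.
tgkill: 1
write: 1
writev: 1
fcntl: 1
uname: 1

# ANDROID(b/271625758): disabled to fix duplicate syscall error.
# ## Rules for vmm-swap
# userfaultfd: 1
# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00
# Copyright 2022 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

fallocate: 1
fdatasync: 1
fstat: 1
fsync: 1
# 0x1277 == BLKDISCARD.
# ANDROID(b/241306374): merged into entry in vhost_user.policy
# ioctl: arg1 == 0x1277
# Opening new files is refused with ENOENT rather than killing the process
# with SIGSYS; presumably every file the device needs is opened before the
# jail is entered, so a stray open stays a recoverable error.
open: return ENOENT
openat: return ENOENT
newfstatat: 1
pread64: 1
preadv: 1
pwrite64: 1
pwritev: 1
statx: 1
timerfd_create: 1
timerfd_gettime: 1
timerfd_settime: 1
# Only thread naming and parent-death-signal requests are admitted.
prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_PDEATHSIG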