1# Copyright 2019 The ChromiumOS Authors 2# Use of this source code is governed by a BSD-style license that can be 3# found in the LICENSE file. 4 5# Copyright 2019 The ChromiumOS Authors 6# Use of this source code is governed by a BSD-style license that can be 7# found in the LICENSE file. 8 9# This is an allow list of syscalls for most of crosvm devices. 10# 11# Note that some device policy files don't depend on this policy file 12# because of some conflicts such as gpu_common.policy. 13# If you want to modify policies for all the devices, please modify 14# not only this file but also other *_common.policy files. 15 16brk: 1 17clock_gettime: 1 18# ANDROID: modified to 1 because of duplicate error with jail_warden 19clone: 1 20clone3: 1 21close: 1 22dup2: 1 23dup: 1 24epoll_create1: 1 25epoll_ctl: 1 26epoll_pwait: 1 27epoll_wait: 1 28eventfd2: 1 29exit: 1 30exit_group: 1 31ftruncate: 1 32futex: 1 33getcwd: 1 34getpid: 1 35gettid: 1 36gettimeofday: 1 37io_uring_setup: 1 38io_uring_register: 1 39io_uring_enter: 1 40kill: 1 41lseek: 1 42# ANDROID: modified to 1 because of duplicate error with jail_warden 43madvise: 1 44membarrier: 1 45memfd_create: 1 46# ANDROID: added PROT_WRITE because of duplicate error with jail_warden 47mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE 48# ANDROID: added PROT_WRITE because of duplicate error with jail_warden 49mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE 50mremap: 1 51munmap: 1 52nanosleep: 1 53clock_nanosleep: 1 54pipe2: 1 55poll: 1 56ppoll: 1 57read: 1 58readlink: 1 59readlinkat: 1 60readv: 1 61recvfrom: 1 62recvmsg: 1 63restart_syscall: 1 64rseq: 1 65rt_sigaction: 1 66rt_sigprocmask: 1 67rt_sigreturn: 1 68sched_getaffinity: 1 69sched_yield: 1 70sendmsg: 1 71sendto: 1 72set_robust_list: 1 73sigaltstack: 1 74# arg2 == SIGABRT -- ANDROID(b/270404912): modified to 1 - duplicate error. 75tgkill: 1 76write: 1 77writev: 1 78fcntl: 1 79uname: 1 80 81# ANDROID(b/271625758): disabled to fix duplicate syscall error. 82# ## Rules for vmm-swap 83# userfaultfd: 1 84# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW 85# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00 86 87# 0x3B6E: VFIO_DEVICE_SET_IRQS 88# 0x3B71: VFIO_IOMMU_MAP_DMA 89# 0x3B72: VFIO_IOMMU_UNMAP_DMA 90# 0x3B75: VFIO_DEVICE_FEATURE 91# 0x3B76: VFIO_DEVICE_ACPI_DSM 92ioctl: arg1 == 0x3B6E || \ 93arg1 == 0x3B71 || \ 94arg1 == 0x3B72 || \ 95arg1 == 0x3B75 || \ 96arg1 == 0x3B76 97msync: 1 98open: return ENOENT 99openat: return ENOENT 100pread64: 1 101pwrite64: 1 102prctl: arg0 == PR_SET_NAME 103