# Copyright 2020 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp allowlist in minijail policy syntax: one `syscall: filter` rule per line. `1` permits the
# syscall with any arguments; an expression permits it only when the argument test passes.
# Syscalls not listed here are not permitted by this file.

# Rules from common_device.policy with mmap and mprotect removed because the video device needs
# to allow more arguments for them.
brk: 1
clock_gettime: 1
# Bit test on the flags argument: only clone calls that carry CLONE_THREAD (thread creation) pass.
clone: arg0 & CLONE_THREAD
# NOTE(review): clone3 takes its flags in a struct behind a pointer, which a seccomp filter cannot
# inspect, so the CLONE_THREAD restriction above does not carry over to clone3 callers.
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
futex: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): operations submitted through an io_uring are carried out by the kernel and are not
# checked against this syscall list; confirm the device needs io_uring before keeping these three.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
# Unrestricted: which processes can be signalled is bounded only by whatever PID/UID isolation the
# sandbox applies outside this file.
kill: 1
lseek: 1
# Only the listed advice values are accepted; any other advice value fails the filter.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1
fcntl: 1
uname: 1

# Syscalls specific to video devices.
clock_getres: 1
# connect is not argument-filtered; the socket rule below limits new sockets to AF_UNIX.
connect: 1
getdents: 1
getdents64: 1
getegid: 1
geteuid: 1
getgid: 1
getresgid: 1
getresuid: 1
getsockname: 1
getuid: 1
# ioctl: arg1 == DRM_IOCTL_*
# NOTE(review): the rule below is a bit test, not the equality the comment above describes. As far
# as minijail's `&` operator goes it passes when any bit of 0x6400 is set in the request number,
# so request numbers outside the DRM ('d' == 0x64) family also pass. Confirm the operator
# semantics and consider enumerating the DRM requests the device actually issues.
ioctl: arg1 & 0x6400
memfd_create: 1
newfstatat: 1
# Seccomp cannot inspect the path argument, so file access has to be confined outside this policy
# (mount namespace / filesystem layout).
openat: 1
setpriority: 1
# New sockets are limited to the AF_UNIX family.
socket: arg0 == AF_UNIX
stat: 1
fstat: 1
fstatfs: 1
statx: 1

# Rules needed for minigbm on AMD devices.
getrandom: 1
lstat: 1
# mmap/mprotect differ from the common_device.policy
# `==` compares the whole protection argument, so only the exact combinations listed pass. mmap
# may create PROT_READ|PROT_EXEC mappings; no listed combination is both writable and executable,
# and mprotect accepts no PROT_EXEC combination at all.
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
sched_setaffinity: 1
# Only the SCHED_IDLE and SCHED_BATCH policies may be requested.
sched_setscheduler: arg1 == SCHED_IDLE || arg1 == SCHED_BATCH

# Required by mesa on AMD GPU
kcmp: 1
sysinfo: 1

# Of the prctl operations, only naming the calling thread is permitted.
prctl: arg0 == PR_SET_NAME

# ANDROID(b/271625758): disabled to fix duplicate syscall error.
# NOTE(review): presumably the duplicate is the second `ioctl:` rule below clashing with the ioctl
# rule in the video-device section; re-enabling would mean merging both into one rule.
## Rules for vmm-swap
#userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
#ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00

# Required by VAAPI backend
access: 1