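# Copyright 2021 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Minijail seccomp policy for the gpu process.
# Each line is "<syscall>: <filter>". A filter of "1" allows the syscall
# unconditionally; "argN == X" compares one argument; "argN & MASK" passes
# whenever ANY bit of MASK is set in argN (a bit test, not an equality).
#
# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu.
brk: 1
clock_gettime: 1
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
futex: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
kill: 1
# Only the listed advice values are accepted; any other MADV_* value is rejected.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1
uname: 1

# Rules specific to gpu
connect: 1
# 1033 is F_ADD_SEALS, 1034 is F_GET_SEALS (memfd sealing). No F_SETLK*/F_SETOWN*
# commands are allowed.
fcntl: arg1 == F_DUPFD_CLOEXEC || arg1 == F_GETFD || arg1 == F_SETFD || \
       arg1 == F_GETFL || arg1 == F_SETFL || arg1 == 1033 || arg1 == 1034
fstat: 1
# Used to set the size of a new memfd.
ftruncate: 1
getdents: 1
getdents64: 1
geteuid: 1
getrandom: 1
getuid: 1
# 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x6400 == DRM_IOCTL_BASE, 0x40087543 == UDMABUF_CREATE_LIST
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW (vmm-swap, see the section below).
# NOTE(review): "arg1 & 0x6400" is a bit test, so it admits every ioctl number
# with any of bits 0x0400, 0x2000 or 0x4000 set -- in particular every ioctl
# whose type byte is an ASCII letter (all letters have 0x40 set), not just the
# DRM type 'd' (0x64). This is much broader than the comment suggests; consider
# tightening it to the DRM ioctls the gpu process actually issues, or to an exact
# type-byte match if the policy syntax permits one.
# NOTE(review): 0x5421 and 0xc0383e04 are not documented here. 0x5421 appears to
# equal FIONBIO (already listed) -- verify on every target architecture before
# dropping either; 0xc0383e04 is presumably a sync_file ioctl ('>' type, 0x38-byte
# struct) -- confirm and record its name.
ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400 || arg1 == 0x40087543 || arg1 == 0x5421 || arg1 == 0xc0383e04 || arg1 == 0xc018aa3f || arg1 == 0xaa00
lseek: 1
lstat: 1
# Used for sharing memory with wayland. Also internally by Intel anv.
# arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING or simply MFD_CLOEXEC.
memfd_create: arg1 == 3 || arg1 == 1
# mmap/mprotect/open/openat differ from the common_device.policy
# PROT_READ|PROT_EXEC mappings are only creatable here via mmap; mprotect below
# never grants PROT_EXEC, so an existing writable mapping cannot be made
# executable through mprotect.
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
# open/openat are unconditional here: no O_* flag filtering is applied.
open: 1
openat: 1
stat: 1
statx: 1
sysinfo: 1
fstatfs: 1
# Only thread naming; no other prctl options (e.g. PR_SET_DUMPABLE) are allowed.
prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME

# Required for perfetto tracing
# fcntl: arg1 == F_SETFD || arg1 == F_GETFL || arg1 == F_SETFL (merged above)
getsockopt: 1
shutdown: 1

# Rules for Mesa's shader binary cache.
flock: 1
inotify_add_watch: 1
inotify_init1: 1
inotify_rm_watch: 1
mkdir: 1
newfstatat: 1
rename: 1
setpriority: 1
unlink: 1

# Rules specific to AMD gpus.
sched_setscheduler: 1
sched_setaffinity: 1
kcmp: 1

# Rules for Vulkan loader / layers
access: 1
getgid: 1
getegid: 1

## Rules for vmm-swap
userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00 (merged into the ioctl rule above)
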
120