1# Copyright 2019 The ChromiumOS Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5# This is an allow list of syscalls for most crosvm devices.
6#
7# Note that some device policy files don't depend on this policy file
8# because of some conflicts such as gpu_common.policy.
9# If you want to modify policies for all the devices, please modify
10# not only this file but also other *_common.policy files.
11
# Rule syntax: `name: 1` allows the syscall with any arguments; an expression
# after the colon allows it only when the argument test holds.
# NOTE(review): the @frequency file presumably only guides how the filter is
# ordered, not which syscalls are allowed -- confirm against the policy compiler.
12@frequency ./common_device.frequency
13brk: 1
14clock_gettime: 1
15# ANDROID: modified to 1 because of duplicate error with jail_warden
# NOTE(review): with 1 there is no flag filter on clone, so this rule passes
# process creation as well as thread creation. clone3 takes its flags through a
# pointer, which a seccomp filter cannot inspect, so it is all-or-nothing.
16clone: 1
17clone3: 1
18close: 1
19dup2: 1
20dup: 1
21epoll_create1: 1
22epoll_ctl: 1
23epoll_pwait: 1
24epoll_wait: 1
25eventfd2: 1
26exit: 1
27exit_group: 1
28ftruncate: 1
29futex: 1
30getcwd: 1
31getpid: 1
32gettid: 1
33gettimeofday: 1
# NOTE(review): operations submitted through an io_uring ring are not checked
# against this seccomp filter, so the set of ring opcodes a device can use is not
# bounded by this allow list. Confirm which devices need io_uring and whether
# ring restrictions (IORING_REGISTER_RESTRICTIONS) are applied by the caller.
34io_uring_setup: 1
35io_uring_register: 1
36io_uring_enter: 1
37kill: 1
38lseek: 1
39# ANDROID: modified to 1 because of duplicate error with jail_warden
40madvise: 1
41membarrier: 1
42memfd_create: 1
43# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
# The test passes when arg2 (prot) lacks PROT_EXEC or lacks PROT_WRITE, i.e. it
# rejects only mappings that are writable and executable at the same time.
# Executable, non-writable mappings are allowed.
44mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
45# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
# Same test as mmap. Taken together the two rules enforce W^X per call, not a
# ban on executable memory: a region mapped writable can later be re-protected
# as executable once PROT_WRITE is dropped.
46mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
47mremap: 1
48munmap: 1
49nanosleep: 1
50clock_nanosleep: 1
51pipe2: 1
52poll: 1
53ppoll: 1
54read: 1
55readlink: 1
56readlinkat: 1
57readv: 1
58recvfrom: 1
59recvmsg: 1
60restart_syscall: 1
61rseq: 1
62rt_sigaction: 1
63rt_sigprocmask: 1
64rt_sigreturn: 1
65sched_getaffinity: 1
66sched_yield: 1
67sendmsg: 1
68sendto: 1
69set_robust_list: 1
70sigaltstack: 1
71# arg2 == SIGABRT -- ANDROID(b/270404912): modified to 1 - duplicate error.
# NOTE(review): the leading `arg2 == SIGABRT` appears to be the filter that was
# replaced; with 1, tgkill may send any signal, not only SIGABRT.
72tgkill: 1
73write: 1
74writev: 1
75fcntl: 1
76uname: 1
77
78# ANDROID(b/271625758): disabled to fix duplicate syscall error.
79# ## Rules for vmm-swap
80# userfaultfd: 1
81# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
82# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00
83