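# Copyright 2021 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Minijail seccomp policy for the gpu device process.
#
# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu. Each line is `syscall: filter`; `1` allows the syscall with any arguments, anything else
# is a predicate on arg0..arg5 (==, !=, &, combined with || and &&).
# NOTE(review): the syscall set (openat/newfstatat/pipe2/dup3/epoll_pwait, no open/stat/pipe)
# looks like a 64-bit ARM policy — confirm against the directory this file lives in.
brk: 1
clock_gettime: 1
# NOTE(review): clone3 (and clone, further down) are allowed with any flags, so
# namespace-creating flags such as CLONE_NEWUSER are not filtered here. Whether that
# matters depends on the uid/capabilities the launcher gives this process, which this
# file does not show — confirm, and restrict the flag set if the process only forks
# and spawns threads.
clone3: 1
close: 1
dup3: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
futex: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): io_uring exposes a large kernel attack surface; confirm this process
# actually submits io_uring work before keeping these three rules.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
# Unrestricted: any signal to any pid the process is permitted to signal.
kill: 1
# Only the listed advice values are accepted; everything else (e.g. MADV_HUGEPAGE,
# MADV_WIPEONFORK) is rejected.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
# memfd_create is used for sharing memory with wayland.
# For normal use case, we allow arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING, with or without MFD_NOEXEC_SEAL.
# However, we allow all the arguments here for backtrace when it panics.
# NOTE(review): `1` also admits memfds created without MFD_ALLOW_SEALING or MFD_CLOEXEC.
# If the panic/backtrace path can be made to pass the normal flags, prefer the explicit
# predicate described above.
memfd_create: 1
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
pipe2: 1
ppoll: 1
read: 1
readlinkat: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1
uname: 1
unlinkat: 1

# Required for perfetto tracing
getsockopt: 1
shutdown: 1

## Rules specific to gpu
connect: 1
getrandom: 1
lseek: 1
statx: 1
fstat: 1
newfstatat: 1
getdents64: 1
sysinfo: 1
fstatfs: 1
# prctl is limited to thread naming; no PR_SET_DUMPABLE / PR_SET_SECCOMP / PR_CAPBSET_* etc.
prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME

# ioctl request numbers (nr in bits 0-7, type in bits 8-15, size in bits 16-29, direction in 30-31):
#   0x6400     == DRM_IOCTL_BASE ('d' in the type byte)
#   0x8000     == KBASE_IOCTL_TYPE (mali, 0x80 in the type byte)
#   0x40086200 == DMA_BUF_IOCTL_SYNC
#   0x40087543 == UDMABUF_CREATE_LIST
#   0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW (from vmm-swap, see below)
#   0x5421     == FIONBIO
#   0xc0383e04 -- appears to be SYNC_IOC_FILE_INFO; the wl_device rule this was merged from is
#                 `arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC || arg1 == SYNC_IOC_FILE_INFO || arg1 & DRM_IOCTL_BASE`
#
# SECURITY NOTE(review): as I read minijail's `&` operator, `argN & MASK` matches when
# (argN & MASK) != 0 — i.e. when *any* bit of MASK is set — it is not an equality test
# on the type byte. `arg1 & 0x6400` therefore matches every request number with bit 10,
# 13 or 14 set, and `arg1 & 0x8000` every one with bit 15 set; together that admits a
# large part of the ioctl number space (TIOCSTI, 0x5412, has bit 10 set, for instance —
# whether such an fd is reachable depends on the sandbox, not on this file). The
# effective filter is close to "any ioctl", so the real protection is which fds the
# process can obtain. Tightening means enumerating the DRM/KBASE requests actually used,
# since the policy language has no masked-equality operator — TODO.
# The redundant clauses of the original rule (`arg1 == 0x40086200` and `arg1 & 0x6400`
# each appeared twice) have been dropped; the accepted set of values is unchanged.
ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543 || arg1 == 0xc018aa3f || arg1 == 0xaa00 || arg1 == 0x5421 || arg1 == 0xc0383e04

## mmap/mprotect differ from the common_device.policy
# mmap may create PROT_READ|PROT_EXEC mappings (needed to map code) but never
# PROT_WRITE|PROT_EXEC, and mprotect can never add PROT_EXEC, so no mapping can be
# made writable and executable through these two calls (W^X holds for them).
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
# Any path and any flags; filesystem confinement presumably comes from the mount
# namespace / chroot set up by the launcher, which is not visible here — verify.
openat: 1

## Rules specific to pvr
geteuid: 1
getuid: 1
# Any fcntl command (F_SETFL, F_DUPFD, F_ADD_SEALS, ...), not just flag queries.
fcntl: 1
tgkill: 1

# Rules specific to Mesa.
sched_setscheduler: 1
sched_setaffinity: 1
kcmp: 1

# Rules for Mesa's u_trace thread
setpriority: 1

# Rules for Vulkan loader / layers
faccessat: 1
faccessat2: 1
getgid: 1
getegid: 1

## Rules for vmm-swap
userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# These two request values are folded into the single ioctl rule above rather than
# given a second ioctl line here.

## Rules for mali shader dump (debug workflow)
# NOTE(review): debug-only by its own description; consider dropping it from production
# policies if the dump path is not shipped — confirm.
mkdirat: 1

# allow fork() and waitid()
# NOTE(review): `clone: 1` accepts any flag combination, not only the fork() case the
# comment describes (see the clone3 note near the top).
clone: 1
waitid: 1

# allow SOCK_STREAM and SOCK_DGRAM (syslog)
# NOTE(review): only the family (arg0) and protocol (arg2) are checked; arg1 (the socket
# type and SOCK_CLOEXEC/SOCK_NONBLOCK bits) is not, so any AF_UNIX type is accepted.
# TODO: pin arg1 to the two types actually used once their exact flag bits are known.
socket: arg0 == AF_UNIX && arg2 == 0

# allow socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC)
socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0

# allow signalfd()
signalfd4: 1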
126
127# allow socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC)
128socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0
129
130# allow signalfd()
131signalfd4: 1
132