# Copyright 2021 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp syscall allowlist for the gpu device process.
# Each rule is `syscall: expression`: `1` allows the call with any arguments,
# an `argN ...` expression allows it only when the argument test passes, and
# `return ERRNO` makes the call fail with that errno.
# Syscalls that are not listed are not allowed by this file.
#
# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu.
brk: 1
# NOTE(review): clone3 passes its flags through a pointer to a struct, so this
# filter cannot restrict which clone flags are used.
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
ftruncate64: 1
futex: 1
futex_time64: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): operations submitted through an io_uring are executed by the
# kernel and are not checked one by one against this syscall filter. Confirm
# that the gpu device needs io_uring, and rely on the other sandbox layers
# (namespaces, fd inheritance) to bound what a ring can reach.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
# NOTE(review): kill is unrestricted here; which processes can be signalled is
# bounded only by the pid namespace and credentials - verify against the jail setup.
kill: 1
# madvise is limited to the five advice values listed; any other advice is denied.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
# memfd_create is used for sharing memory with wayland.
# For normal use case, we allow arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING, with or without MFD_NOEXEC_SEAL.
# However, we allow all the arguments here for backtrace when it panics.
# NOTE(review): the rule below is therefore wider than the normal use case
# described above; the flag restriction is documented but not enforced.
memfd_create: 1
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
clock_nanosleep_time64: 1
pipe2: 1
poll: 1
ppoll: 1
ppoll_time64: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recv: 1
recvfrom: 1
recvmsg: 1
recvmmsg_time64: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1
uname: 1
unlinkat: 1

# Required for perfetto tracing
getsockopt: 1
shutdown: 1

## Rules specific to gpu
# NOTE(review): connect is allowed with any address, and no `socket` rule is
# visible in this file, so it presumably only applies to sockets the process
# already holds - confirm against the full policy.
connect: 1
getrandom: 1
_llseek: 1
stat64: 1
statx: 1
fstat64: 1
fstatat64: 1
getdents: 1
getdents64: 1
sysinfo: 1
fstatfs: 1
fstatfs64: 1
# prctl is limited to reading and setting the thread name.
prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME

# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
# NOTE(review): the first two terms use `&`, which is a bit test and not an
# equality test on the ioctl type field. As written they appear to accept any
# request number with one of the bits of 0x6400 or 0x8000 set, which is wider
# than "DRM and kbase ioctls only" - confirm against the policy compiler's
# operator semantics. The last two terms match a single request number each.
ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543

## mmap/mprotect differ from the common_device.policy
# arg2 is compared for exact equality with each listed protection value.
# PROT_READ|PROT_EXEC is accepted by mmap2 but not by mprotect, and neither
# rule lists a combination that is both writable and executable.
mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
# open fails with ENOENT, while openat is allowed with any path and flags;
# file access therefore has to be limited by the filesystem view of the sandbox.
open: return ENOENT
openat: 1

## Rules specific to pvr
geteuid32: 1
getuid32: 1
lstat64: 1
fcntl64: 1
tgkill: 1
clock_gettime: 1
clock_gettime64: 1

# Rules specific to Mesa.
sched_setscheduler: 1
sched_setaffinity: 1
kcmp: 1

# Rules for Mesa's u_trace thread
setpriority: 1

# Rules for Vulkan loader / layers
access: 1
getgid32: 1
getegid32: 1

## Rules for vmm-swap
userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# NOTE(review): this is a second `ioctl` rule in the same file. How a repeated
# syscall entry is combined with the earlier one (merged, overridden or
# rejected) depends on the policy compiler - verify that both take effect.
ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00

## Rules for mali shader dump (debug workflow)
# NOTE(review): these rules are unconditional, so directory creation is
# allowed whether or not the debug workflow is in use.
mkdir: 1
mkdirat: 1