1# Copyright 2021 The ChromiumOS Authors 2# Use of this source code is governed by a BSD-style license that can be 3# found in the LICENSE file. 4 5# Copyright 2021 The ChromiumOS Authors 6# Use of this source code is governed by a BSD-style license that can be 7# found in the LICENSE file. 8 9# Rules from common_device.policy with some rules removed because they block certain flags needed 10# for gpu. 11brk: 1 12clock_gettime: 1 13clone3: 1 14close: 1 15dup3: 1 16dup: 1 17epoll_create1: 1 18epoll_ctl: 1 19epoll_pwait: 1 20eventfd2: 1 21exit: 1 22exit_group: 1 23ftruncate: 1 24futex: 1 25getcwd: 1 26getpid: 1 27gettid: 1 28gettimeofday: 1 29io_uring_setup: 1 30io_uring_register: 1 31io_uring_enter: 1 32kill: 1 33madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE 34membarrier: 1 35# memfd_create is used for sharing memory with wayland. 36# For normal use case, we allow arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING, with or without MFD_NOEXEC_SEAL. 37# However, we allow all the arguments here for backtrace when it panics. 38memfd_create: 1 39mremap: 1 40munmap: 1 41nanosleep: 1 42clock_nanosleep: 1 43pipe2: 1 44ppoll: 1 45read: 1 46readlinkat: 1 47readv: 1 48recvfrom: 1 49recvmsg: 1 50restart_syscall: 1 51rseq: 1 52rt_sigaction: 1 53rt_sigprocmask: 1 54rt_sigreturn: 1 55sched_getaffinity: 1 56sched_yield: 1 57sendmsg: 1 58sendto: 1 59set_robust_list: 1 60sigaltstack: 1 61write: 1 62writev: 1 63uname: 1 64 65# Required for perfetto tracing 66getsockopt: 1 67shutdown: 1 68 69## Rules specific to gpu 70connect: 1 71getrandom: 1 72lseek: 1 73statx: 1 74fstat: 1 75newfstatat: 1 76getdents64: 1 77sysinfo: 1 78fstatfs: 1 79prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME 80 81# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST 82# (from vmm-swap below) 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW 83# (from wl_device) arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC || arg1 == SYNC_IOC_FILE_INFO || arg1 & DRM_IOCTL_BASE 84ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543 || arg1 == 0xc018aa3f || arg1 == 0xaa00 || arg1 == 0x5421 || arg1 == 0x40086200 || arg1 == 0xc0383e04 || arg1 & 0x6400 85 86## mmap/mprotect differ from the common_device.policy 87mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ 88mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ 89openat: 1 90 91## Rules specific to pvr 92geteuid: 1 93getuid: 1 94fcntl: 1 95tgkill: 1 96 97# Rules specific to Mesa. 98sched_setscheduler: 1 99sched_setaffinity: 1 100kcmp: 1 101 102# Rules for Mesa's u_trace thread 103setpriority: 1 104 105# Rules for Vulkan loader / layers 106faccessat: 1 107faccessat2: 1 108getgid: 1 109getegid: 1 110 111## Rules for vmm-swap 112userfaultfd: 1 113# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW 114# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00 115 116## Rules for mali shader dump (debug workflow) 117mkdirat: 1 118 119# allow fork() and waitid() 120clone: 1 121waitid: 1 122 123# allow SOCK_STREAM and SOCK_DGRAM (syslog) 124socket: arg0 == AF_UNIX && arg2 == 0 125 126# allow socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC) 127socketpair: arg0 == AF_UNIX && arg1 == SOCK_SEQPACKET|SOCK_CLOEXEC && arg2 == 0 128 129# allow signalfd() 130signalfd4: 1 131