1# Copyright 2022 The ChromiumOS Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5# Copyright 2019 The ChromiumOS Authors
6# Use of this source code is governed by a BSD-style license that can be
7# found in the LICENSE file.
8
9# This is an allow list of syscalls for most of crosvm devices.
10#
11# Note that some device policy files don't depend on this policy file
12# because of some conflicts such as gpu_common.policy.
13# If you want to modify policies for all the devices, please modify
14# not only this file but also other *_common.policy files.
15
16brk: 1
17clock_gettime: 1
18# ANDROID: modified to 1 because of duplicate error with jail_warden
19clone: 1
20clone3: 1
21close: 1
22dup2: 1
23dup: 1
24epoll_create1: 1
25epoll_ctl: 1
26epoll_pwait: 1
27epoll_wait: 1
28eventfd2: 1
29exit: 1
30exit_group: 1
31ftruncate: 1
32futex: 1
33getcwd: 1
34getpid: 1
35gettid: 1
36gettimeofday: 1
37io_uring_setup: 1
38io_uring_register: 1
39io_uring_enter: 1
40kill: 1
41lseek: 1
42# ANDROID: modified to 1 because of duplicate error with jail_warden
43madvise: 1
44membarrier: 1
45memfd_create: 1
46# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
47mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
48# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
49mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
50mremap: 1
51munmap: 1
52nanosleep: 1
53clock_nanosleep: 1
54pipe2: 1
55poll: 1
56ppoll: 1
57read: 1
58readlink: 1
59readlinkat: 1
60readv: 1
61recvfrom: 1
62recvmsg: 1
63restart_syscall: 1
64rseq: 1
65rt_sigaction: 1
66rt_sigprocmask: 1
67rt_sigreturn: 1
68sched_getaffinity: 1
69sched_yield: 1
70sendmsg: 1
71sendto: 1
72set_robust_list: 1
73sigaltstack: 1
74# arg2 == SIGABRT -- ANDROID(b/270404912): modified to 1 - duplicate error.
75tgkill: 1
76write: 1
77writev: 1
78fcntl: 1
79uname: 1
80
81# ANDROID(b/271625758): disabled to fix duplicate syscall error.
82# ## Rules for vmm-swap
83# userfaultfd: 1
84# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
85# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00
86
87# VFIO_IOMMU_MAP/UNMAP_DMA
88ioctl: arg1 == 0x3B71 || arg1 == 0x3B72
89prctl: arg0 == PR_SET_NAME
90timerfd_create: 1
91timerfd_settime: 1
92timerfd_gettime: 1
93