1# Copyright 2019 The ChromiumOS Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5# Copyright 2019 The ChromiumOS Authors
6# Use of this source code is governed by a BSD-style license that can be
7# found in the LICENSE file.
8
9# This is an allowlist of syscalls for most crosvm devices.
10#
11# Note that some device policy files, such as gpu_common.policy, don't
12# depend on this policy file because of conflicts.
13# If you want to modify policies for all the devices, please modify
14# not only this file but also the other *_common.policy files.
15
# Baseline syscalls shared by device processes. In minijail policy syntax
# "name: 1" allows the syscall with any arguments, so no rule in this run
# filters on argument values. Syscalls that are not listed in the policy are
# refused by the filter; the exact action (kill, trap or errno) depends on
# how the policy is loaded, which this file does not show.
16brk: 1
17clock_gettime: 1
18# ANDROID: modified to 1 because of duplicate error with jail_warden
# NOTE(review): "clone: 1" means the clone flags are not inspected, so the
# filter does not limit which kinds of child (thread, process, new
# namespaces) can be created. clone3 passes its flags through a pointer to a
# struct, which a seccomp filter cannot dereference, so it can only be
# allowed or denied as a whole.
19clone: 1
20clone3: 1
21close: 1
22dup2: 1
23dup: 1
24epoll_create1: 1
25epoll_ctl: 1
26epoll_pwait: 1
27epoll_wait: 1
28eventfd2: 1
29exit: 1
30exit_group: 1
31ftruncate: 1
32futex: 1
33getcwd: 1
34getpid: 1
35gettid: 1
36gettimeofday: 1
# NOTE(review): requests submitted through an io_uring ring are executed by
# the kernel without passing through the seccomp filter, so allowing these
# three calls lets a process perform operations that the per-syscall rules in
# this file would otherwise refuse or restrict. Confirm that every device
# inheriting this policy needs io_uring; otherwise move these rules into the
# policy files of the devices that do.
37io_uring_setup: 1
38io_uring_register: 1
39io_uring_enter: 1
# kill is allowed for any pid and signal; only the kernel's own permission
# checks (and whatever PID namespace the jail sets up) limit the targets.
40kill: 1
41lseek: 1
42# ANDROID: modified to 1 because of duplicate error with jail_warden
# With "madvise: 1" every advice value is accepted by the filter.
43madvise: 1
44membarrier: 1
45memfd_create: 1
# Memory-protection rules. "arg2 in MASK" matches when every bit set in arg2
# is also set in MASK, so "arg2 in ~PROT_EXEC" is true when PROT_EXEC is
# clear and "arg2 in ~PROT_WRITE" is true when PROT_WRITE is clear. Joined
# with "||", each rule accepts any protection value that lacks PROT_EXEC or
# lacks PROT_WRITE; only a single request for PROT_WRITE and PROT_EXEC
# together is refused.
# NOTE(review): this is a per-call check, not a W^X guarantee. Executable
# mappings without PROT_WRITE are allowed, and a region can be made writable
# in one mprotect call and executable in a later one. The ANDROID comments
# indicate the "|| arg2 in ~PROT_WRITE" alternative was added to the original
# rule; a device that never needs executable mappings could use the stricter
# "arg2 in ~PROT_EXEC" form in its own policy file.
46# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
47mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
48# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
49mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
# Remaining baseline syscalls: memory unmapping/remapping, sleeping, pipes,
# polling, read/write, socket send/receive on existing descriptors, signal
# handling and scheduling. All are allowed with any arguments.
50mremap: 1
51munmap: 1
52nanosleep: 1
53clock_nanosleep: 1
54pipe2: 1
55poll: 1
56ppoll: 1
57read: 1
58readlink: 1
59readlinkat: 1
60readv: 1
61recvfrom: 1
62recvmsg: 1
63restart_syscall: 1
64rseq: 1
65rt_sigaction: 1
66rt_sigprocmask: 1
67rt_sigreturn: 1
68sched_getaffinity: 1
69sched_yield: 1
70sendmsg: 1
71sendto: 1
72set_robust_list: 1
73sigaltstack: 1
74# arg2 == SIGABRT -- ANDROID(b/270404912): modified to 1 - duplicate error.
# NOTE(review): per the comment above, the rule previously admitted only
# SIGABRT. As written, tgkill may send any signal to any thread the kernel
# lets the caller signal.
75tgkill: 1
76write: 1
77writev: 1
# fcntl is allowed for every command; the filter does not restrict arg1.
78fcntl: 1
79uname: 1
80
81# ANDROID(b/271625758): disabled to fix duplicate syscall error.
82# ## Rules for vmm-swap
83# userfaultfd: 1
84# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
85# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00
86
# File-system syscalls: data copy/allocation, ownership and mode changes,
# extended attributes, sync, directory listing and identity queries. All are
# allowed with any arguments.
# NOTE(review): presumably these serve a file-sharing device rather than
# every device; confirm against the policies that include this file. The
# filter does not limit which paths or descriptors are touched, so the
# effective reach of fchown/fchmod/setxattr depends on the credentials and
# mount namespace the jail gives the process.
87copy_file_range: 1
88fallocate: 1
89fchdir: 1
90fchmod: 1
91fchmodat: 1
92fchown: 1
93fchownat: 1
94fdatasync: 1
95fgetxattr: 1
96getxattr: 1
97fsetxattr: 1
98setxattr: 1
99flistxattr: 1
100listxattr: 1
101fremovexattr: 1
102removexattr: 1
103fstatfs: 1
104fsync: 1
105getdents64: 1
106getegid: 1
107geteuid: 1
108getrandom: 1
109getresuid: 1
# ioctl is allowed only when the request number (arg1) equals one of the
# values listed below; every other request is refused by the filter. The
# descriptor (arg0) and the argument pointer (arg2) are not checked.
# This is the only active ioctl rule in the file.
# Several of the permitted requests modify inode state rather than just read
# it: FS_IOC_SETFLAGS and FS_IOC_FSSETXATTR change inode flags/attributes and
# FS_IOC_ENABLE_VERITY turns on fs-verity for a file.
110# Use constants for verity ioctls since minijail doesn't understand them yet.
111# 0x40806685 = FS_IOC_ENABLE_VERITY
112# 0xc0046686 = FS_IOC_MEASURE_VERITY
113ioctl: arg1 == FS_IOC_FSGETXATTR || \
114arg1 == FS_IOC_FSSETXATTR || \
115arg1 == FS_IOC_GETFLAGS || \
116arg1 == FS_IOC_SETFLAGS || \
117arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
118arg1 == 0x40806685 || \
119arg1 == 0xc0046686
# Path-based file-system syscalls (link, mkdir, mknod, open, rename, symlink,
# unlink, timestamps) plus identity changes. Everything except open is
# allowed with any arguments.
120linkat: 1
121mkdir: 1
122mkdirat: 1
# mknodat is allowed for any node type; whether device nodes can really be
# created depends on the capabilities held inside the jail.
123mknodat: 1
124newfstatat: 1
# "return ENOENT" makes open fail with ENOENT instead of triggering the
# filter's default action, while openat below is allowed outright.
# Presumably callers are expected to fall back to or use openat -- confirm.
125open: return ENOENT
126openat: 1
127preadv: 1
128pwritev: 1
129renameat2: 1
# NOTE(review): setresgid/setresuid accept any target ids at the filter
# level; the kernel's credential checks are the only remaining limit.
130setresgid: 1
131setresuid: 1
132symlinkat: 1
133statx: 1
134umask: 1
135unlinkat: 1
136utimensat: 1
# prctl is filtered on its option (arg0) only: setting the thread name and
# getting or setting the securebits. The securebits value passed in arg1 is
# not checked by this rule.
137prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
# NOTE(review): capget, capset and unshare are allowed with any arguments.
# What capset can change depends on the capabilities the jailed process
# already holds, which this file does not show. unshare is not limited to
# particular namespace flags, so new namespaces (including user namespaces
# where the kernel permits them for the caller) can be created. If only a
# subset of devices needs these calls, device-specific policy files are a
# narrower place for them.
138capget: 1
139capset: 1
140unshare: 1
141