# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This is an allow list of syscalls for most of crosvm devices.
#
# Note that some device policy files don't depend on this policy file
# because of some conflicts such as gpu_common.policy.
# If you want to modify policies for all the devices, please modify
# not only this file but also other *_common.policy files.
#
# Minijail policy syntax: "<syscall>: 1" allows the call unconditionally,
# "<syscall>: <expr>" allows it only when the argument expression holds,
# and any syscall not listed here is denied. Several entries are the
# 32-bit arm spellings (*64, *_time64, _llseek, mmap2) that libc uses in
# addition to the generic names; both forms must stay in sync.

brk: 1
clock_gettime: 1
clock_gettime64: 1
# Thread creation only: the flags word (arg0) must include CLONE_THREAD,
# so a device process cannot fork a separate process through clone.
clone: arg0 & CLONE_THREAD
# NOTE(review): clone3 receives its flags in a struct clone_args in user
# memory that seccomp cannot inspect, so this unconditional allow admits
# calls the clone filter above would reject. "clone3: return ENOSYS" would
# make libc fall back to clone -- confirm the runtime tolerates that before
# tightening.
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
ftruncate64: 1
futex: 1
futex_time64: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): operations submitted via io_uring_enter are not filtered
# per-syscall by seccomp; verify which devices actually need io_uring and
# whether it belongs in a narrower per-device policy instead.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
# NOTE(review): kill is unrestricted here while tgkill below is limited to
# SIGABRT; confirm whether kill needs more than signalling the own process.
kill: 1
lseek: 1
_llseek: 1
# Only page-discard/merge advice (arg2) is permitted; no other madvise
# behaviours are reachable from a device process.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
memfd_create: 1
# W^X: the prot argument (arg2) may only contain bits outside PROT_EXEC,
# so no mapping can be created executable or later made executable.
mmap2: arg2 in ~PROT_EXEC
mprotect: arg2 in ~PROT_EXEC
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
clock_nanosleep_time64: 1
pipe2: 1
poll: 1
ppoll: 1
ppoll_time64: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recv: 1
recvfrom: 1
recvmsg: 1
recvmmsg_time64: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
# The only signal (arg2) a device may send to a thread is SIGABRT, i.e. the
# abort() path; no other signal delivery via tgkill is allowed.
tgkill: arg2 == SIGABRT
write: 1
writev: 1
fcntl64: 1
uname: 1

## Rules for vmm-swap
# userfaultfd creation is unconditional, but ioctl is narrowed to the two
# request codes (arg1) below. The hex values are the encoded ioctl numbers,
# which include the argument struct size; keep them in step with the
# kernel uapi header if struct uffdio_api ever changes.
userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00
