# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This is an allow list of syscalls for most of crosvm devices.
#
# Note that some device policy files don't depend on this policy file
# because of some conflicts such as gpu_common.policy.
# If you want to modify policies for all the devices, please modify
# not only this file but also other *_common.policy files.

brk: 1
clock_gettime: 1
clock_gettime64: 1
clone: arg0 & CLONE_THREAD
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
ftruncate64: 1
futex: 1
futex_time64: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
kill: 1
lseek: 1
_llseek: 1
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
memfd_create: 1
mmap2: arg2 in ~PROT_EXEC
mprotect: arg2 in ~PROT_EXEC
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
clock_nanosleep_time64: 1
pipe2: 1
poll: 1
ppoll: 1
ppoll_time64: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recv: 1
recvfrom: 1
recvmsg: 1
recvmmsg_time64: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
tgkill: arg2 == SIGABRT
write: 1
writev: 1
fcntl64: 1
uname: 1

## Rules for vmm-swap
userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00