# Copyright 2021 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp allowlist used for gpu, written in minijail policy syntax:
#   "name: 1"         allows the syscall with any arguments,
#   "name: <expr>"    allows it only when the argument expression holds,
#   "name: return E"  makes the call fail with errno E.
# NOTE(review): the syscall names below (mmap2, _llseek, stat64, getuid32, ...)
# suggest a 32-bit target - confirm which architecture this file is built for.

# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu.
brk: 1
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
ftruncate64: 1
futex: 1
futex_time64: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
# NOTE(review): the three io_uring_* rules are unconditional. Operations queued
# through a ring are not presented to this filter one by one, so the argument
# restrictions further down (open, ioctl, mmap2, ...) do not bound what a ring
# may do - confirm io_uring is still required by this process.
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
# kill is not restricted by target pid or signal number here.
kill: 1
# Only the advice values listed here are accepted; any other arg2 falls through
# to the filter's default action.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE || arg2 == MADV_MERGEABLE || arg2 == MADV_FREE
membarrier: 1
# memfd_create is used for sharing memory with wayland.
# For normal use case, we allow arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING, with or without MFD_NOEXEC_SEAL.
# However, we allow all the arguments here for backtrace when it panics.
memfd_create: 1
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
clock_nanosleep_time64: 1
pipe2: 1
poll: 1
ppoll: 1
ppoll_time64: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recv: 1
recvfrom: 1
recvmsg: 1
recvmmsg_time64: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1
uname: 1

# Required for perfetto tracing
getsockopt: 1
shutdown: 1

## Rules specific to gpu
connect: 1
getrandom: 1
_llseek: 1
stat64: 1
statx: 1
fstat64: 1
fstatat64: 1
getdents: 1
getdents64: 1
sysinfo: 1
fstatfs: 1
fstatfs64: 1
# prctl is limited to reading and setting the thread name; every other option
# in arg0 is refused.
prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME

# 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali), 0x40086200 = DMA_BUF_IOCTL_SYNC, 0x40087543 == UDMABUF_CREATE_LIST
# NOTE(review): in minijail syntax "arg1 & MASK" passes when any bit of MASK is
# set in arg1; it is not an equality test on the ioctl type byte. The first two
# terms therefore accept every request number that shares a bit with 0x6400 or
# 0x8000, which is wider than the DRM and kbase ranges named above. The last
# two terms are exact matches. Confirm the compiled filter is as narrow as
# intended.
ioctl: arg1 & 0x6400 || arg1 & 0x8000 || arg1 == 0x40086200 || arg1 == 0x40087543

## mmap/mprotect differ from the common_device.policy
# arg2 is compared for exact equality, so no accepted value combines PROT_WRITE
# with PROT_EXEC. The only rule in this file that accepts PROT_EXEC is mmap2
# with PROT_READ|PROT_EXEC; mprotect accepts no executable protection at all.
mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
# open is answered with ENOENT rather than the filter's default action; openat
# is allowed with any path and flags, so file access is not narrowed by this
# filter and has to be bounded by whatever else confines the process.
open: return ENOENT
openat: 1

## Rules specific to pvr
geteuid32: 1
getuid32: 1
lstat64: 1
fcntl64: 1
tgkill: 1
clock_gettime: 1
clock_gettime64: 1

# Rules specific to Mesa.
sched_setscheduler: 1
sched_setaffinity: 1
kcmp: 1

# Rules for Mesa's u_trace thread
setpriority: 1

# Rules for Vulkan loader / layers
access: 1
getgid32: 1
getegid32: 1

## Rules for vmm-swap
userfaultfd: 1
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# NOTE(review): this is a second "ioctl:" entry in the same file. How it
# combines with the earlier ioctl rule depends on the policy compiler's
# handling of duplicate entries - confirm both sets of request numbers end up
# in the compiled filter. Both values here also have bit 15 set, so they would
# already satisfy the "arg1 & 0x8000" term of the earlier rule.
ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00

## Rules for mali shader dump (debug workflow)
# NOTE(review): these two rules are described as a debug workflow - confirm
# they are meant to be allowed in non-debug builds as well.
mkdir: 1
mkdirat: 1