# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp policy for the gpu device process. One `syscall: rule` per line:
# `1` allows the call unconditionally, otherwise the argument test must hold
# for the call to be permitted. Syscalls not listed are denied.

# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu.
brk: 1
clock_gettime: 1
# Thread creation only: the flags word must contain CLONE_THREAD. The `&` test
# passes when the masked bit is set; other clone flags are not constrained here.
clone: arg0 & CLONE_THREAD
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
futex: 1
getpid: 1
gettid: 1
gettimeofday: 1
kill: 1
# Only the three advice values listed are allowed; any other madvise is denied.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
mremap: 1
munmap: 1
nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
# prctl is limited to thread naming.
prctl: arg0 == PR_SET_NAME
read: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1

# Rules specific to gpu
connect: 1
# Only the close-on-exec dup variant; every other fcntl command is denied.
fcntl: arg1 == F_DUPFD_CLOEXEC
fstat: 1
# Used to set the size of a new memfd.
ftruncate: 1
getdents: 1
geteuid: 1
getrandom: 1
getuid: 1
# FIONBIO / FIOCLEX toggle non-blocking and close-on-exec on an fd. 0x40086200
# looks like DMA_BUF_IOCTL_SYNC (_IOW('b', 0, ...)) — confirm against the driver.
# The `arg1 & 0x6400` clause presumably targets DRM ioctls (type byte 'd' == 0x64).
# NOTE(review): the `&` test passes whenever any masked bit is set, and bit 0x40
# is set in every ASCII-letter type byte, so this clause admits far more than the
# DRM request family. Confirm that breadth is intended, or replace it with an
# allow-list of the exact request numbers the gpu process actually issues.
ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400
lseek: 1
lstat: 1
# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
# (MFD_CLOEXEC is 1 and MFD_ALLOW_SEALING is 2, hence the literal 3).
memfd_create: arg1 == 3
# mmap/mprotect/open/openat differ from the common_device.policy.
# mmap may create PROT_READ|PROT_EXEC mappings but no writable+executable one,
# and mprotect can never add PROT_EXEC, so no mapping can be both writable and
# executable under this policy (each test is an exact match on the flags word).
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
# Unconditional: neither path nor flags are filtered here, so the reachable
# filesystem must be constrained by how the process is sandboxed at launch
# (e.g. its mount namespace) — confirm in the launcher.
open: 1
openat: 1
readlink: 1
# AF_UNIX (1) stream sockets with SOCK_CLOEXEC (0x80000|SOCK_STREAM) and the
# default protocol only; no network address families can be created.
socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
stat: 1
statx: 1
sysinfo: 1

# Rules specific to AMD gpus.
uname: 1
sched_setscheduler: 1
sched_setaffinity: 1
kcmp: 1