# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Seccomp allowlist for the gpu device process, in minijail policy syntax:
# `syscall: <filter>`, where `1` allows the call unconditionally and argN refers
# to the Nth syscall argument. Only the syscalls listed here are permitted;
# what happens on a miss (kill vs. errno) depends on how the jail is launched
# — NOTE(review): confirm against the launcher's minijail flags.
# The syscall set (newfstatat/statx/epoll_pwait/ppoll/pipe2/dup3, no open/dup2)
# looks like the arm64 syscall table — presumably this is the aarch64 variant
# of the policy; verify against the directory it lives in.

# Rules from common_device.policy with some rules removed because they block certain flags needed
# for gpu.
brk: 1
# Only clone() calls with CLONE_THREAD set (thread creation) pass; a
# fork-style clone of a new process does not match this filter.
clone: arg0 & CLONE_THREAD
close: 1
dup3: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
eventfd2: 1
exit: 1
exit_group: 1
futex: 1
getpid: 1
gettimeofday: 1
# Not restricted by target pid or signal number (same for tgkill below).
kill: 1
# madvise is limited to exactly these three advice values; anything else is
# rejected by the filter.
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
mremap: 1
munmap: 1
nanosleep: 1
pipe2: 1
ppoll: 1
# Only PR_SET_NAME (thread naming); no other prctl operation is allowed.
prctl: arg0 == PR_SET_NAME
read: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
write: 1
writev: 1

## Rules specific to gpu
# connect() is not restricted by address family or destination here; the
# socket() rule below is what limits the process to AF_UNIX sockets.
connect: 1
getrandom: 1
# Only AF_UNIX (1) sockets of type SOCK_STREAM|SOCK_CLOEXEC (0x80001) with
# protocol 0.
socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
lseek: 1
ftruncate: 1
statx: 1
fstat: 1
newfstatat: 1
getdents64: 1
sysinfo: 1

# 0x6400 == DRM_IOCTL_BASE ('d' << 8), 0x8000 == KBASE_IOCTL_TYPE (mali)
# NOTE(review): `&` in a minijail filter is a non-zero bit test, not a
# comparison of the ioctl type byte. Any request number that shares at least
# one set bit with 0x6400 or 0x8000 satisfies this rule, which is a much
# broader set than the DRM/mali ioctls the comment describes. Treat this line
# as a coarse filter rather than a DRM-only allowlist; tightening it would
# require listing the exact request values (or a masked compare, if the policy
# language gains one).
ioctl: arg1 & 0x6400 || arg1 & 0x8000

## mmap/mprotect differ from the common_device.policy
# Allowed protection values for new mappings. PROT_READ|PROT_EXEC is permitted
# (presumably so shared libraries / driver code can be mapped — confirm);
# the writable+executable combination PROT_READ|PROT_WRITE|PROT_EXEC is not
# in the list.
mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
# No PROT_EXEC combination is listed for mprotect, so an existing mapping
# cannot be made executable after the fact.
mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
# Unrestricted: neither the path, the flags nor the mode are filtered.
openat: 1

## Rules specific to pvr
# "pvr" presumably refers to the PowerVR GPU driver — TODO confirm.
geteuid: 1
getuid: 1
readlinkat: 1
gettid: 1
# fcntl commands are not restricted (e.g. F_SETFL/F_DUPFD are all allowed).
fcntl: 1
# See the note on kill above: target and signal are not filtered.
tgkill: 1
clock_gettime: 1