Diff - ac62778ab294ad8db0338b32344222d2c45d2ff2^! - platform/external/crosvm

commit	ac62778ab294ad8db0338b32344222d2c45d2ff2	[log] [tgz]
author	Chuanxiao Dong <chuanxiao.dong@intel.corp-partner.google.com>	Fri Apr 09 15:39:58 2021 +0800
committer	Commit Bot <commit-bot@chromium.org>	Sat Apr 10 00:47:02 2021 +0000
tree	5f0b76507a79f51b48dc5e0d887ab6564879a1ed
parent	a90649ab7cc8447691160d7e159456caccb8dbd1 [diff]

seccomp: vfio: add one policy to allow fcntl

VFIO is updated to use try_clone() to duplicate a File recently.
The try_clone() implementation will use fcntl with the argument
F_DUPFD_CLOEXEC to duplicate the File, so need to add one more
rule in vfio_device.policy to allow it otherwise VFIO will be
failed when sandbox is enabled.

BUG=None
TEST=boot VM with VFIO passthrough + sandbox enabled

Change-Id: I55cce937f1c12a32537aaff8d3ddafa135a674d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2816822
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>

diff --git a/seccomp/x86_64/vfio_device.policy b/seccomp/x86_64/vfio_device.policy
index aa28d1a..ee3253d 100644
--- a/seccomp/x86_64/vfio_device.policy
+++ b/seccomp/x86_64/vfio_device.policy

@@ -10,3 +10,4 @@
 readlink: 1
 pread64: 1
 pwrite64: 1
+fcntl: arg1 == F_DUPFD_CLOEXEC