seccomp: add mremap to arm common_device.policy

The glibc realloc() implementation may call the mremap syscall in some
cases; we currently allow mremap in x86_64/common_device.policy but not
the arm equivalent, but this path appears to be reachable on any Linux
platform[1].  Add mremap to the arm policy as well for consistency.

mremap is no more powerful than the existing mmap and munmap syscalls,
so I believe this is safe to allow for all device processes.

Also reorder the mmap2 line in the arm policy so it is in alphabetical
order and can be more easily compared to the x86_64 policy.

TEST=Boot crosvm on kevin


Change-Id: Ie51a21baf30d3e37ce3adacf8e255f981613543d
Signed-off-by: Daniel Verkamp <>
Tested-by: kokoro <>
Reviewed-by: Dylan Reid <>
diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy
index 25db5af..9ccf48b 100644
--- a/seccomp/arm/common_device.policy
+++ b/seccomp/arm/common_device.policy
@@ -17,9 +17,10 @@
 getpid: 1
 gettimeofday: 1
 kill: 1
-mmap2: arg2 in ~PROT_EXEC
 madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mmap2: arg2 in ~PROT_EXEC
 mprotect: arg2 in ~PROT_EXEC
+mremap: 1
 munmap: 1
 nanosleep: 1
 open: return ENOENT
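Review bot: the added `mremap: 1` line permits every value of the flags argument, while the neighbouring mmap2 and mprotect entries are argument-filtered. The stated need is glibc realloc(), which passes only MREMAP_MAYMOVE, so consider filtering arg3 (flags) in the same style as those lines so that MREMAP_FIXED remapping to a caller-chosen address stays blocked. mremap takes no protection argument, so it does not bypass the `~PROT_EXEC` restriction, which supports the "no more powerful than mmap and munmap" claim in the commit message. The message also cites [1] without including the reference, so the link to the reachable glibc path should be added.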