authorZach Reizner <zachr@google.com>2018-01-26 21:21:37 -0800
committerchrome-bot <chrome-bot@chromium.org>2018-01-27 01:36:52 -0800
commitfc44d8059b2333b7f49c1a11012eb6ca7d2250a5 (patch)
tree8ad9b732f19b6df8a41fca136b0e90e753ff6c7c
parent7cc4ac3a17fd9a0132efe7eab949cc6eb39719b4 (diff)
sys_util: add ppoll to seccomp policies
This really should have been added along with the poll timeout support,
which changed the syscalls used in every jailed device.

TEST=run crosvm with sandboxing enabled
BUG=None

Change-Id: I6129fa589640bb2b85fb4274775192bdd49db672
Reviewed-on: https://chromium-review.googlesource.com/890379
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
-rw-r--r--seccomp/x86_64/balloon_device.policy1
-rw-r--r--seccomp/x86_64/block_device.policy1
-rw-r--r--seccomp/x86_64/net_device.policy1
-rw-r--r--seccomp/x86_64/rng_device.policy1
-rw-r--r--seccomp/x86_64/vhost_net_device.policy1
-rw-r--r--seccomp/x86_64/vhost_vsock_device.policy1
-rw-r--r--seccomp/x86_64/wl_device.policy1
7 files changed, 7 insertions, 0 deletions
diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy
index aa55273..8f56d4e 100644
--- a/seccomp/x86_64/balloon_device.policy
+++ b/seccomp/x86_64/balloon_device.policy
@@ -22,6 +22,7 @@ write: 1
 eventfd2: 1
 dup: 1
 poll: 1
+ppoll: 1
 getpid: 1
 # Allow PR_SET_NAME only.
 prctl: arg0 == 15
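Review bot: The new `ppoll: 1` line sits next to `poll: 1` with no comment, so a reader of the policy file cannot tell why both syscalls are allowed or which code path drives ppoll; the commit message explains it (the poll timeout support changed the syscalls used), but that context does not survive in the policy itself. Suggest a one-line comment above the new entry in each file, `# poll timeout support uses ppoll in addition to poll.`, matching the existing `# Allow PR_SET_NAME only.` style. As written the rule accepts any sigmask argument; if the device threads only ever pass a null mask, the entry could be narrowed in the style of the `prctl: arg0 == 15` rule below (e.g. `ppoll: arg3 == 0`), but whether that holds is not visible from this diff and should be confirmed before tightening. The same applies to the identical hunks for block_device, net_device, rng_device, vhost_net_device, vhost_vsock_device and wl_device.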
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index 55e50a3..ff5bc8f 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -25,6 +25,7 @@ clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
 poll: 1
+ppoll: 1
 getpid: 1
 # Allow PR_SET_NAME only.
 prctl: arg0 == 15
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index 6820665..af90a4d 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
@@ -13,6 +13,7 @@ mmap: arg2 in 0xfffffffb
 mprotect: arg2 in 0xfffffffb
 munmap: 1
 poll: 1
+ppoll: 1
 read: 1
 recvfrom: 1
 sched_getaffinity: 1
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index 4eeb7ed..7b9a2cc 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -22,6 +22,7 @@ clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
 poll: 1
+ppoll: 1
 getpid: 1
 # Allow PR_SET_NAME only.
 prctl: arg0 == 15
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index d64dd81..254c1c6 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -30,6 +30,7 @@ mmap: arg2 in 0xfffffffb
 mprotect: arg2 in 0xfffffffb
 munmap: 1
 poll: 1
+ppoll: 1
 read: 1
 recvfrom: 1
 sched_getaffinity: 1
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 5b21d51..b04b51c 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -31,6 +31,7 @@ mmap: arg2 in 0xfffffffb
 mprotect: arg2 in 0xfffffffb
 munmap: 1
 poll: 1
+ppoll: 1
 read: 1
 connect: 1
 sendto: 1
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index bc1ebb6..cf7fb96 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -10,6 +10,7 @@ mmap: arg2 in 0xfffffffb
 mprotect: arg2 in 0xfffffffb
 munmap: 1
 poll: 1
+ppoll: 1
 read: 1
 recvfrom: 1
 sched_getaffinity: 1