authorMatt Delco <delco@chromium.org>2019-11-14 17:48:44 -0800
committerCommit Bot <commit-bot@chromium.org>2020-01-22 17:36:36 +0000
commit4389dab57954af6806c706f29e3dfef7bb324915 (patch)
treecae2ee1526b7d238df71b91227e8249561193424
parent45caf91aaa80d2d37a63ed2bf99da69b4da0aafa (diff)
seccomp: remove redundant unconditional rules
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall.  In most cases the rules
are redundant to common_device.policy.  I don't know what
to do about the intentionally contradictory rules for open
and openat, other than to remove them from the common device
policy and add it to all the others.

BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.

Change-Id: I6813dd1e0b39e975415662bd7de74c25a1be9eb3
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1918607
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
-rw-r--r--seccomp/x86_64/9p_device.policy1
-rw-r--r--seccomp/x86_64/balloon_device.policy3
-rw-r--r--seccomp/x86_64/block_device.policy2
-rw-r--r--seccomp/x86_64/common_device.policy2
-rw-r--r--seccomp/x86_64/cras_audio_device.policy4
-rw-r--r--seccomp/x86_64/fs_device.policy4
-rw-r--r--seccomp/x86_64/input_device.policy2
-rw-r--r--seccomp/x86_64/net_device.policy2
-rw-r--r--seccomp/x86_64/null_audio_device.policy2
-rw-r--r--seccomp/x86_64/pmem_device.policy2
-rw-r--r--seccomp/x86_64/rng_device.policy3
-rw-r--r--seccomp/x86_64/serial.policy3
-rw-r--r--seccomp/x86_64/tpm_device.policy2
-rw-r--r--seccomp/x86_64/vfio_device.policy2
-rw-r--r--seccomp/x86_64/vhost_net_device.policy2
-rw-r--r--seccomp/x86_64/vhost_vsock_device.policy3
-rw-r--r--seccomp/x86_64/wl_device.policy5
-rw-r--r--seccomp/x86_64/xhci.policy7
18 files changed, 33 insertions, 18 deletions
diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index 498ce6c..114ea11 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -7,7 +7,6 @@ openat: 1
 
 @include /usr/share/policy/crosvm/common_device.policy
 
-writev: 1
 pwrite64: 1
 stat: 1
 statx: 1
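Review bot: This hunk leaves 9p_device.policy with no rule for `open` once the common_device.policy hunk below drops `open: return ENOENT`; unless such a rule already sits in the unshown lines 1–6 (the hunk header shows only `openat: 1` there), an open() from this device now hits the policy's default action instead of returning ENOENT, a fail-mode change the commit message does not mention. Every other device policy in this change gains an explicit pair; for consistency add `open: return ENOENT` beside the existing `openat: 1`. The same gap would apply to any policy file that @includes common_device.policy but is not part of this diff, which cannot be checked from this page.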
diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy
index 72ecd5a..c668163 100644
--- a/seccomp/x86_64/balloon_device.policy
+++ b/seccomp/x86_64/balloon_device.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index 66d7d0d..fefd719 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -10,6 +10,8 @@ fstat: 1
 fsync: 1
 ftruncate: 1
 lseek: 1
+open: return ENOENT
+openat: return ENOENT
 pread64: 1
 preadv: 1
 pwrite64: 1
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
index ad9ed38..8464c4b 100644
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-open: return ENOENT
-openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
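Review bot: Nothing in the shared file now records that `open`/`openat` are deliberately left to each including policy, so a future device policy that only @includes this file will silently get the default action for both syscalls instead of ENOENT. A comment at the point of removal would state the contract, e.g. `# open/openat are intentionally absent here: each policy that @includes this file must declare its own rule (return ENOENT, or 1 for devices that open files).` This change only touches seccomp/x86_64; whether other architecture directories carry the same duplicate-rule problem is not visible on this page.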
diff --git a/seccomp/x86_64/cras_audio_device.policy b/seccomp/x86_64/cras_audio_device.policy
index ef9b5ed..505208b 100644
--- a/seccomp/x86_64/cras_audio_device.policy
+++ b/seccomp/x86_64/cras_audio_device.policy
@@ -5,10 +5,10 @@
 @include /usr/share/policy/crosvm/common_device.policy
 
 madvise: 1
+open: return ENOENT
+openat: return ENOENT
 prlimit64: 1
 setrlimit: 1
-recvmsg: 1
 sched_setscheduler: 1
-sendmsg: 1
 socketpair: arg0 == AF_UNIX
 clock_gettime: 1
diff --git a/seccomp/x86_64/fs_device.policy b/seccomp/x86_64/fs_device.policy
index 8fbb556..32e7477 100644
--- a/seccomp/x86_64/fs_device.policy
+++ b/seccomp/x86_64/fs_device.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
-
 @include /usr/share/policy/crosvm/common_device.policy
 
 fchmodat: 1
@@ -21,6 +19,8 @@ lseek: 1
 mkdirat: 1
 mknodat: 1
 newfstatat: 1
+open: return ENOENT
+openat: 1
 preadv: 1
 pwritev: 1
 readlinkat: 1
diff --git a/seccomp/x86_64/input_device.policy b/seccomp/x86_64/input_device.policy
index f26998e..d32c312 100644
--- a/seccomp/x86_64/input_device.policy
+++ b/seccomp/x86_64/input_device.policy
@@ -7,3 +7,5 @@
 ioctl: 1
 fcntl: 1
 getsockname: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index c7f17d9..5d6535a 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
@@ -6,3 +6,5 @@
 
 # TUNSETOFFLOAD
 ioctl: arg1 == 0x400454d0
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/null_audio_device.policy b/seccomp/x86_64/null_audio_device.policy
index 9ea7015..f118d88 100644
--- a/seccomp/x86_64/null_audio_device.policy
+++ b/seccomp/x86_64/null_audio_device.policy
@@ -5,5 +5,7 @@
 @include /usr/share/policy/crosvm/common_device.policy
 
 madvise: 1
+open: return ENOENT
+openat: return ENOENT
 prlimit64: 1
 setrlimit: 1
diff --git a/seccomp/x86_64/pmem_device.policy b/seccomp/x86_64/pmem_device.policy
index b3cd64d..12a3b04 100644
--- a/seccomp/x86_64/pmem_device.policy
+++ b/seccomp/x86_64/pmem_device.policy
@@ -6,3 +6,5 @@
 
 fdatasync: 1
 fsync: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index 72ecd5a..c668163 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/serial.policy b/seccomp/x86_64/serial.policy
index f9e98f0..6b33c51 100644
--- a/seccomp/x86_64/serial.policy
+++ b/seccomp/x86_64/serial.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 7e6d8c9..33c64f5 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-#open: return ENOENT
-#openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/x86_64/vfio_device.policy b/seccomp/x86_64/vfio_device.policy
index 8dd5961..aa28d1a 100644
--- a/seccomp/x86_64/vfio_device.policy
+++ b/seccomp/x86_64/vfio_device.policy
@@ -5,6 +5,8 @@
 
 # VFIO_DEVICE_SET_IRQS, VFIO_IOMMU_MAP/UNMAP_DMA
 ioctl: arg1 == 0x3B6E || arg1 == 0x3B71 || arg1 == 0x3B72
+open: return ENOENT
+openat: return ENOENT
 readlink: 1
 pread64: 1
 pwrite64: 1
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index 306328b..c9182e6 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -21,3 +21,5 @@
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 9c2274c..69fca47 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -23,4 +23,5 @@
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
 connect: 1
-sendto: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index 2ca7ed9..f79b08a 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -9,9 +9,6 @@ socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
 ioctl: arg1 == 0x5421 || arg1 == 0x40086200
 connect: 1
-# Used to communicate with wayland
-recvmsg: 1
-sendmsg: 1
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 # Used to set of size new memfd
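Review bot: Deleting `recvmsg: 1` and `sendmsg: 1` also deletes the `# Used to communicate with wayland` note, and the remaining lines give no hint that this policy now depends on common_device.policy granting both unconditionally (redundant per the commit message, not verifiable from the visible hunks); if the shared file ever narrows them, wl_device breaks with nothing local explaining why. Keep a one-line pointer in place of the removed rules, e.g. `# recvmsg/sendmsg (wayland socket) are provided by common_device.policy`. The cras_audio_device.policy hunk drops the same pair and could carry the same note.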
@@ -20,3 +17,5 @@ ftruncate: 1
 lseek: 1
 # Allow F_GETFL only
 fcntl: arg1 == 3
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/xhci.policy b/seccomp/x86_64/xhci.policy
index df4acef..4b4fc3d 100644
--- a/seccomp/x86_64/xhci.policy
+++ b/seccomp/x86_64/xhci.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-# xhci need "openat" to enumerate device. "openat" is disabled in comman_device policy.
-openat: 1
 @include /usr/share/policy/crosvm/common_device.policy
 
 lstat: 1
@@ -12,12 +10,13 @@ readlinkat: 1
 timerfd_create: 1
 name_to_handle_at: 1
 access: 1
-timerfd_create: 1
 getsockname: 1
 pipe: 1
 setsockopt: 1
 bind: 1
 fcntl: 1
+open: return ENOENT
+openat: 1
 socket: arg0 == AF_NETLINK
 stat: 1
 uname: 1
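Review bot: The rationale comment removed in the previous xhci hunk (`# xhci need "openat" to enumerate device...`) is not carried over to the new `openat: 1` line, so the only unconditional allow of a path-opening syscall among these device policies is now undocumented. Restore it at the new location, e.g. `# xhci needs "openat" to enumerate devices; other device policies return ENOENT.` The fs_device.policy hunk that adds `openat: 1` would benefit from the same one-line justification. If the enumeration only needs read access, a flag constraint in the style of the `mprotect: arg2 in ~PROT_EXEC` rule in common_device.policy could narrow this allow, but that depends on the device code and is not determinable here.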
@@ -37,8 +36,6 @@ uname: 1
 # 0x80185520 == USBDEVFS_CONNINFO_EX
 ioctl: arg1 == 0xc0185500 || arg1 == 0x41045508 || arg1 == 0x8004550f || arg1 == 0x4008550d || arg1 == 0x8004551a || arg1 == 0x550b || arg1 == 0x80045510 || arg1 == 0x8038550a || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520
 fstat: 1
-sigaltstack: 1
-recvmsg: 1
 getrandom: 1
 getdents: 1
 lseek: 1