authorMatt Delco <delco@chromium.org>2020-01-31 17:29:45 -0800
committerCommit Bot <commit-bot@chromium.org>2020-02-04 23:27:21 +0000
commit8488a0bbbb5828eb0cea77f4081ceecec0119707 (patch)
tree75885ce273ea6f9e819576e09bc9f99e3a79f18e
parent055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc (diff)
seccomp: remove redundant unconditional arm/arm64 rules
Minijail's policy compiler complains when there are multiple
unconditional rules for a syscall.  In most cases the rules
are redundant to common_device.policy.

BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.

Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
-rw-r--r--seccomp/aarch64/9p_device.policy1
-rw-r--r--seccomp/aarch64/balloon_device.policy2
-rw-r--r--seccomp/aarch64/block_device.policy1
-rw-r--r--seccomp/aarch64/common_device.policy1
-rw-r--r--seccomp/aarch64/cras_audio_device.policy3
-rw-r--r--seccomp/aarch64/fs_device.policy3
-rw-r--r--seccomp/aarch64/gpu_device.policy4
-rw-r--r--seccomp/aarch64/input_device.policy1
-rw-r--r--seccomp/aarch64/net_device.policy1
-rw-r--r--seccomp/aarch64/null_audio_device.policy1
-rw-r--r--seccomp/aarch64/pmem_device.policy1
-rw-r--r--seccomp/aarch64/rng_device.policy2
-rw-r--r--seccomp/aarch64/serial.policy2
-rw-r--r--seccomp/aarch64/tpm_device.policy2
-rw-r--r--seccomp/aarch64/vhost_net_device.policy1
-rw-r--r--seccomp/aarch64/vhost_vsock_device.policy1
-rw-r--r--seccomp/aarch64/wl_device.policy4
-rw-r--r--seccomp/aarch64/xhci.policy8
-rw-r--r--seccomp/arm/9p_device.policy6
-rw-r--r--seccomp/arm/balloon_device.policy3
-rw-r--r--seccomp/arm/block_device.policy2
-rw-r--r--seccomp/arm/common_device.policy2
-rw-r--r--seccomp/arm/cras_audio_device.policy4
-rw-r--r--seccomp/arm/fs_device.policy4
-rw-r--r--seccomp/arm/gpu_device.policy4
-rw-r--r--seccomp/arm/input_device.policy2
-rw-r--r--seccomp/arm/net_device.policy2
-rw-r--r--seccomp/arm/null_audio_device.policy2
-rw-r--r--seccomp/arm/pmem_device.policy2
-rw-r--r--seccomp/arm/rng_device.policy3
-rw-r--r--seccomp/arm/serial.policy3
-rw-r--r--seccomp/arm/tpm_device.policy2
-rw-r--r--seccomp/arm/vhost_net_device.policy2
-rw-r--r--seccomp/arm/vhost_vsock_device.policy2
-rw-r--r--seccomp/arm/wl_device.policy5
-rw-r--r--seccomp/arm/xhci.policy6
36 files changed, 54 insertions, 41 deletions
diff --git a/seccomp/aarch64/9p_device.policy b/seccomp/aarch64/9p_device.policy
index ff6a734..80bdad8 100644
--- a/seccomp/aarch64/9p_device.policy
+++ b/seccomp/aarch64/9p_device.policy
@@ -17,7 +17,6 @@ fdatasync: 1
 fsync: 1
 mkdirat: 1
 renameat: 1
-writev: 1
 linkat: 1
 unlinkat: 1
 socket: arg0 == AF_UNIX
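Review bot: Dropping `writev: 1` here is only safe if the aarch64 common_device.policy actually carries writev, which this hunk cannot show; the commit message says the rules are redundant "in most cases", and the TEST line covers only the policy compiler, not a device run. The same question applies to the recvmsg/sendmsg removals in cras_audio_device and wl_device, to sigaltstack/recvmsg in xhci, and to the matching arm hunks. A syscall that is listed in neither file is not a compile error but falls through to the policy's default action at runtime, which presumably ends the device process. Suggest checking each removed name against common_device.policy for that arch and exercising each device once on arm and aarch64 before merging. In wl_device the `# Used to communicate with wayland` comment disappears with the rules; keeping a line such as `# recvmsg/sendmsg for the wayland socket come from common_device.policy` would preserve that dependency in the file.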
diff --git a/seccomp/aarch64/balloon_device.policy b/seccomp/aarch64/balloon_device.policy
index f9e98f0..fa86280 100644
--- a/seccomp/aarch64/balloon_device.policy
+++ b/seccomp/aarch64/balloon_device.policy
@@ -3,3 +3,5 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+openat: return ENOENT
diff --git a/seccomp/aarch64/block_device.policy b/seccomp/aarch64/block_device.policy
index cf1816a..9a5d741 100644
--- a/seccomp/aarch64/block_device.policy
+++ b/seccomp/aarch64/block_device.policy
@@ -10,6 +10,7 @@ fstat: 1
 fsync: 1
 ftruncate: 1
 lseek: 1
+openat: return ENOENT
 preadv: 1
 pwritev: 1
 statx: 1
diff --git a/seccomp/aarch64/common_device.policy b/seccomp/aarch64/common_device.policy
index b5dcf9f..93b01f1 100644
--- a/seccomp/aarch64/common_device.policy
+++ b/seccomp/aarch64/common_device.policy
@@ -23,7 +23,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-openat: return ENOENT
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME
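Review bot: Removing `openat: return ENOENT` from the shared include leaves no openat rule in any policy that includes common_device.policy but is not updated in this commit, so such a device hits the default action on its first openat; that is fail-closed, but it turns a soft ENOENT into a process kill, and nothing in the include now tells a device-policy author that the rule must be supplied locally. The arm common_device.policy hunk further down drops `open` and `openat` in the same way. Suggest a comment at the removal point, `# open/openat are intentionally absent: each device policy picks 'return ENOENT' or '1', and the compiler rejects a second unconditional rule`, so the omission reads as deliberate rather than as a gap.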
diff --git a/seccomp/aarch64/cras_audio_device.policy b/seccomp/aarch64/cras_audio_device.policy
index ef9b5ed..19419fd 100644
--- a/seccomp/aarch64/cras_audio_device.policy
+++ b/seccomp/aarch64/cras_audio_device.policy
@@ -7,8 +7,7 @@
 madvise: 1
 prlimit64: 1
 setrlimit: 1
-recvmsg: 1
 sched_setscheduler: 1
-sendmsg: 1
 socketpair: arg0 == AF_UNIX
 clock_gettime: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/fs_device.policy b/seccomp/aarch64/fs_device.policy
index 7e0c015..5199092 100644
--- a/seccomp/aarch64/fs_device.policy
+++ b/seccomp/aarch64/fs_device.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
-
 @include /usr/share/policy/crosvm/common_device.policy
 
 fchmodat: 1
@@ -20,6 +18,7 @@ linkat: 1
 lseek: 1
 mkdirat: 1
 mknodat: 1
+openat: 1
 preadv: 1
 pwritev: 1
 readlinkat: 1
diff --git a/seccomp/aarch64/gpu_device.policy b/seccomp/aarch64/gpu_device.policy
index 1daedc2..98e15fd 100644
--- a/seccomp/aarch64/gpu_device.policy
+++ b/seccomp/aarch64/gpu_device.policy
@@ -23,7 +23,6 @@ madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
 mremap: 1
 munmap: 1
 nanosleep: 1
-open: return ENOENT
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME
@@ -57,9 +56,10 @@ getdents64: 1
 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
 ioctl: arg1 & 0x6400 || arg1 & 0x8000
 
-## mmap/mprotect/openat differ from the common_device.policy
+## mmap/mprotect differ from the common_device.policy
 mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: return ENOENT
 openat: 1
 
 ## Rules specific to pvr
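Review bot: The heading `## mmap/mprotect differ from the common_device.policy` now sits over four rules, two of which (`open: return ENOENT`, `openat: 1`) it no longer names, because the commit moved `open` under this heading while narrowing the comment. Since the device-specific open/openat choice is exactly what this section is now responsible for, suggest `## mmap/mprotect differ from the common_device.policy; open/openat are set here rather than in the include`, or a separate `## open/openat` line above those two rules. The arm gpu_device hunk makes the same heading change and would take the same fix.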
diff --git a/seccomp/aarch64/input_device.policy b/seccomp/aarch64/input_device.policy
index f26998e..07d3b5f 100644
--- a/seccomp/aarch64/input_device.policy
+++ b/seccomp/aarch64/input_device.policy
@@ -7,3 +7,4 @@
 ioctl: 1
 fcntl: 1
 getsockname: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/net_device.policy b/seccomp/aarch64/net_device.policy
index 1b8f2b6..a1c2eef 100644
--- a/seccomp/aarch64/net_device.policy
+++ b/seccomp/aarch64/net_device.policy
@@ -6,3 +6,4 @@
 
 # TUNSETOFFLOAD
 ioctl: arg1 == 0x400454d0
+openat: return ENOENT
diff --git a/seccomp/aarch64/null_audio_device.policy b/seccomp/aarch64/null_audio_device.policy
index 46864c1..7a88fe2 100644
--- a/seccomp/aarch64/null_audio_device.policy
+++ b/seccomp/aarch64/null_audio_device.policy
@@ -8,3 +8,4 @@ madvise: 1
 prlimit64: 1
 setrlimit: 1
 clock_gettime: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/pmem_device.policy b/seccomp/aarch64/pmem_device.policy
index b3cd64d..77719a9 100644
--- a/seccomp/aarch64/pmem_device.policy
+++ b/seccomp/aarch64/pmem_device.policy
@@ -6,3 +6,4 @@
 
 fdatasync: 1
 fsync: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/rng_device.policy b/seccomp/aarch64/rng_device.policy
index f9e98f0..fa86280 100644
--- a/seccomp/aarch64/rng_device.policy
+++ b/seccomp/aarch64/rng_device.policy
@@ -3,3 +3,5 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+openat: return ENOENT
diff --git a/seccomp/aarch64/serial.policy b/seccomp/aarch64/serial.policy
index f9e98f0..fa86280 100644
--- a/seccomp/aarch64/serial.policy
+++ b/seccomp/aarch64/serial.policy
@@ -3,3 +3,5 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+openat: return ENOENT
diff --git a/seccomp/aarch64/tpm_device.policy b/seccomp/aarch64/tpm_device.policy
index 66e0ef1..7b59c8d 100644
--- a/seccomp/aarch64/tpm_device.policy
+++ b/seccomp/aarch64/tpm_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-#open: return ENOENT
-#openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/aarch64/vhost_net_device.policy b/seccomp/aarch64/vhost_net_device.policy
index 1868322..4de1967 100644
--- a/seccomp/aarch64/vhost_net_device.policy
+++ b/seccomp/aarch64/vhost_net_device.policy
@@ -21,3 +21,4 @@
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+openat: return ENOENT
diff --git a/seccomp/aarch64/vhost_vsock_device.policy b/seccomp/aarch64/vhost_vsock_device.policy
index 9cdc57f..82b6650 100644
--- a/seccomp/aarch64/vhost_vsock_device.policy
+++ b/seccomp/aarch64/vhost_vsock_device.policy
@@ -22,3 +22,4 @@
 # arg1 == VHOST_VSOCK_SET_GUEST_CID ||
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
+openat: return ENOENT
diff --git a/seccomp/aarch64/wl_device.policy b/seccomp/aarch64/wl_device.policy
index d8bbccd..864aefb 100644
--- a/seccomp/aarch64/wl_device.policy
+++ b/seccomp/aarch64/wl_device.policy
@@ -9,9 +9,7 @@ socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
 ioctl: arg1 == 0x5421 || arg1 == 0x40086200
 connect: 1
-# Used to communicate with wayland
-recvmsg: 1
-sendmsg: 1
+openat: return ENOENT
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 # Used to set of size new memfd
diff --git a/seccomp/aarch64/xhci.policy b/seccomp/aarch64/xhci.policy
index 7e5b1c7..e3e2952 100644
--- a/seccomp/aarch64/xhci.policy
+++ b/seccomp/aarch64/xhci.policy
@@ -2,21 +2,18 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
 @include /usr/share/policy/crosvm/common_device.policy
 
 statx: 1
-fcntl: 1
 readlinkat: 1
 getdents64: 1
-getrandom: 1
 name_to_handle_at: 1
 faccessat: 1
 gettid: 1
 clock_gettime: 1
 timerfd_create: 1
 getsockname: 1
-pipe2: 1
+openat: 1
 setsockopt: 1
 bind: 1
 fcntl: 1
@@ -37,8 +34,5 @@ uname: 1
 # 0x80185520 == USBDEVFS_CONNINFO_EX
 ioctl: arg1 == 0xc0105500 || arg1 == 0x802c550a || arg1 == 0x8004551a || arg1 == 0x4004550d || arg1 == 0x8004550f || arg1 == 0x80045510 || arg1 == 0x550b || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520
 fstat: 1
-sigaltstack: 1
-recvmsg: 1
 getrandom: 1
-getdents64: 1
 lseek: 1
diff --git a/seccomp/arm/9p_device.policy b/seccomp/arm/9p_device.policy
index b24d439..1c26079 100644
--- a/seccomp/arm/9p_device.policy
+++ b/seccomp/arm/9p_device.policy
@@ -2,9 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-open: 1
-openat: 1
-
 @include /usr/share/policy/crosvm/common_device.policy
 
 pread64: 1
@@ -18,9 +15,10 @@ getdents64: 1
 fdatasync: 1
 fsync: 1
 mkdir: 1
+open: 1
+openat: 1
 rmdir: 1
 rename: 1
-writev: 1
 link: 1
 unlink: 1
 socket: arg0 == AF_UNIX
diff --git a/seccomp/arm/balloon_device.policy b/seccomp/arm/balloon_device.policy
index 4f7aafd..0c7d258 100644
--- a/seccomp/arm/balloon_device.policy
+++ b/seccomp/arm/balloon_device.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/block_device.policy b/seccomp/arm/block_device.policy
index bc25f07..2910c16 100644
--- a/seccomp/arm/block_device.policy
+++ b/seccomp/arm/block_device.policy
@@ -10,6 +10,8 @@ fstat64: 1
 fsync: 1
 ftruncate64: 1
 _llseek: 1
+open: return ENOENT
+openat: return ENOENT
 pread64: 1
 preadv: 1
 pwrite64: 1
diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy
index d7c1b80..41b176c 100644
--- a/seccomp/arm/common_device.policy
+++ b/seccomp/arm/common_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-open: return ENOENT
-openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/arm/cras_audio_device.policy b/seccomp/arm/cras_audio_device.policy
index ef9b5ed..505208b 100644
--- a/seccomp/arm/cras_audio_device.policy
+++ b/seccomp/arm/cras_audio_device.policy
@@ -5,10 +5,10 @@
 @include /usr/share/policy/crosvm/common_device.policy
 
 madvise: 1
+open: return ENOENT
+openat: return ENOENT
 prlimit64: 1
 setrlimit: 1
-recvmsg: 1
 sched_setscheduler: 1
-sendmsg: 1
 socketpair: arg0 == AF_UNIX
 clock_gettime: 1
diff --git a/seccomp/arm/fs_device.policy b/seccomp/arm/fs_device.policy
index 6224247..5822261 100644
--- a/seccomp/arm/fs_device.policy
+++ b/seccomp/arm/fs_device.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
-
 @include /usr/share/policy/crosvm/common_device.policy
 
 fchmodat: 1
@@ -21,6 +19,8 @@ linkat: 1
 _llseek: 1
 mkdirat: 1
 mknodat: 1
+open: return ENOENT
+openat: 1
 preadv: 1
 pwritev: 1
 readlinkat: 1
diff --git a/seccomp/arm/gpu_device.policy b/seccomp/arm/gpu_device.policy
index f177775..4e3a052 100644
--- a/seccomp/arm/gpu_device.policy
+++ b/seccomp/arm/gpu_device.policy
@@ -23,7 +23,6 @@ madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
 mremap: 1
 munmap: 1
 nanosleep: 1
-open: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
@@ -62,9 +61,10 @@ ioctl: arg1 & 0x6400 || arg1 & 0x8000
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 
-## mmap/mprotect/openat differ from the common_device.policy
+## mmap/mprotect differ from the common_device.policy
 mmap2: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: return ENOENT
 openat: 1
 
 ## Rules specific to pvr
diff --git a/seccomp/arm/input_device.policy b/seccomp/arm/input_device.policy
index f26998e..d32c312 100644
--- a/seccomp/arm/input_device.policy
+++ b/seccomp/arm/input_device.policy
@@ -7,3 +7,5 @@
 ioctl: 1
 fcntl: 1
 getsockname: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/net_device.policy b/seccomp/arm/net_device.policy
index 26770ab..cf0584c 100644
--- a/seccomp/arm/net_device.policy
+++ b/seccomp/arm/net_device.policy
@@ -6,3 +6,5 @@
 
 # TUNSETOFFLOAD
 ioctl: arg1 == 0x400454d0
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/null_audio_device.policy b/seccomp/arm/null_audio_device.policy
index 089d1bd..f89397b 100644
--- a/seccomp/arm/null_audio_device.policy
+++ b/seccomp/arm/null_audio_device.policy
@@ -5,6 +5,8 @@
 @include /usr/share/policy/crosvm/common_device.policy
 
 madvise: 1
+open: return ENOENT
+openat: return ENOENT
 prlimit64: 1
 setrlimit: 1
 clock_gettime: 1
diff --git a/seccomp/arm/pmem_device.policy b/seccomp/arm/pmem_device.policy
index b3cd64d..12a3b04 100644
--- a/seccomp/arm/pmem_device.policy
+++ b/seccomp/arm/pmem_device.policy
@@ -6,3 +6,5 @@
 
 fdatasync: 1
 fsync: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/rng_device.policy b/seccomp/arm/rng_device.policy
index 4f7aafd..0c7d258 100644
--- a/seccomp/arm/rng_device.policy
+++ b/seccomp/arm/rng_device.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/serial.policy b/seccomp/arm/serial.policy
index f9e98f0..6b33c51 100644
--- a/seccomp/arm/serial.policy
+++ b/seccomp/arm/serial.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/tpm_device.policy b/seccomp/arm/tpm_device.policy
index f21201d..f71737f 100644
--- a/seccomp/arm/tpm_device.policy
+++ b/seccomp/arm/tpm_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-#open: return ENOENT
-#openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/arm/vhost_net_device.policy b/seccomp/arm/vhost_net_device.policy
index 58fc7ef..4571a93 100644
--- a/seccomp/arm/vhost_net_device.policy
+++ b/seccomp/arm/vhost_net_device.policy
@@ -21,3 +21,5 @@
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/vhost_vsock_device.policy b/seccomp/arm/vhost_vsock_device.policy
index 9d9ca59..c6a984c 100644
--- a/seccomp/arm/vhost_vsock_device.policy
+++ b/seccomp/arm/vhost_vsock_device.policy
@@ -22,3 +22,5 @@
 # arg1 == VHOST_VSOCK_SET_GUEST_CID ||
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/arm/wl_device.policy b/seccomp/arm/wl_device.policy
index 1104fba..0b84c4b 100644
--- a/seccomp/arm/wl_device.policy
+++ b/seccomp/arm/wl_device.policy
@@ -9,9 +9,8 @@ socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
 ioctl: arg1 == 0x5421 || arg1 == 0x40086200
 connect: 1
-# Used to communicate with wayland
-recvmsg: 1
-sendmsg: 1
+open: return ENOENT
+openat: return ENOENT
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 # Used to set of size new memfd
diff --git a/seccomp/arm/xhci.policy b/seccomp/arm/xhci.policy
index 7815e42..ca41b74 100644
--- a/seccomp/arm/xhci.policy
+++ b/seccomp/arm/xhci.policy
@@ -2,7 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
 @include /usr/share/policy/crosvm/common_device.policy
 
 stat64: 1
@@ -11,7 +10,6 @@ lstat64: 1
 readlink: 1
 readlinkat: 1
 getdents64: 1
-getrandom: 1
 name_to_handle_at: 1
 access: 1
 clock_gettime: 1
@@ -40,8 +38,8 @@ uname: 1
 # 0x80185520 == USBDEVFS_CONNINFO_EX
 ioctl: arg1 == 0xc0105500 || arg1 == 0x802c550a || arg1 == 0x8004551a || arg1 == 0x4004550d || arg1 == 0x8004550f || arg1 == 0x80045510 || arg1 == 0x550b || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520
 fstat: 1
-sigaltstack: 1
-recvmsg: 1
 getrandom: 1
 getdents: 1
 _llseek: 1
+open: return ENOENT
+openat: 1