author | Matt Delco <delco@chromium.org> | 2020-01-31 17:29:45 -0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-02-04 23:27:21 +0000 |
commit | 8488a0bbbb5828eb0cea77f4081ceecec0119707 (patch) | |
tree | 75885ce273ea6f9e819576e09bc9f99e3a79f18e /seccomp/aarch64 | |
parent | 055de38fcf1159c7b3ce3e05b8ec0fcf07f635dc (diff) | |
seccomp: remove redundant unconditional arm/arm64 rules
Minijail's policy compiler complains when there are multiple unconditional rules for a syscall. In most cases the rules are redundant to common_device.policy. BUG=None TEST=Ran compile_seccomp_policy.py until it stopped complaining. Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4 Signed-off-by: Matt Delco <delco@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp/aarch64')
-rw-r--r-- | seccomp/aarch64/9p_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/balloon_device.policy | 2 | ||||
-rw-r--r-- | seccomp/aarch64/block_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/common_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/cras_audio_device.policy | 3 | ||||
-rw-r--r-- | seccomp/aarch64/fs_device.policy | 3 | ||||
-rw-r--r-- | seccomp/aarch64/gpu_device.policy | 4 | ||||
-rw-r--r-- | seccomp/aarch64/input_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/net_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/null_audio_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/pmem_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/rng_device.policy | 2 | ||||
-rw-r--r-- | seccomp/aarch64/serial.policy | 2 | ||||
-rw-r--r-- | seccomp/aarch64/tpm_device.policy | 2 | ||||
-rw-r--r-- | seccomp/aarch64/vhost_net_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/vhost_vsock_device.policy | 1 | ||||
-rw-r--r-- | seccomp/aarch64/wl_device.policy | 4 | ||||
-rw-r--r-- | seccomp/aarch64/xhci.policy | 8 |
18 files changed, 19 insertions, 20 deletions
diff --git a/seccomp/aarch64/9p_device.policy b/seccomp/aarch64/9p_device.policy
index ff6a734..80bdad8 100644
--- a/seccomp/aarch64/9p_device.policy
+++ b/seccomp/aarch64/9p_device.policy
@@ -17,7 +17,6 @@ fdatasync: 1
 fsync: 1
 mkdirat: 1
 renameat: 1
-writev: 1
 linkat: 1
 unlinkat: 1
 socket: arg0 == AF_UNIX
diff --git a/seccomp/aarch64/balloon_device.policy b/seccomp/aarch64/balloon_device.policy
index f9e98f0..fa86280 100644
--- a/seccomp/aarch64/balloon_device.policy
+++ b/seccomp/aarch64/balloon_device.policy
@@ -3,3 +3,5 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+openat: return ENOENT
diff --git a/seccomp/aarch64/block_device.policy b/seccomp/aarch64/block_device.policy
index cf1816a..9a5d741 100644
--- a/seccomp/aarch64/block_device.policy
+++ b/seccomp/aarch64/block_device.policy
@@ -10,6 +10,7 @@ fstat: 1
 fsync: 1
 ftruncate: 1
 lseek: 1
+openat: return ENOENT
 preadv: 1
 pwritev: 1
 statx: 1
diff --git a/seccomp/aarch64/common_device.policy b/seccomp/aarch64/common_device.policy
index b5dcf9f..93b01f1 100644
--- a/seccomp/aarch64/common_device.policy
+++ b/seccomp/aarch64/common_device.policy
@@ -23,7 +23,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-openat: return ENOENT
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME
diff --git a/seccomp/aarch64/cras_audio_device.policy b/seccomp/aarch64/cras_audio_device.policy
index ef9b5ed..19419fd 100644
--- a/seccomp/aarch64/cras_audio_device.policy
+++ b/seccomp/aarch64/cras_audio_device.policy
@@ -7,8 +7,7 @@
 madvise: 1
 prlimit64: 1
 setrlimit: 1
-recvmsg: 1
 sched_setscheduler: 1
-sendmsg: 1
 socketpair: arg0 == AF_UNIX
 clock_gettime: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/fs_device.policy b/seccomp/aarch64/fs_device.policy
index 7e0c015..5199092 100644
--- a/seccomp/aarch64/fs_device.policy
+++ b/seccomp/aarch64/fs_device.policy
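Review bot: The `openat: return ENOENT` rule appended to balloon_device.policy carries no comment saying why a device that lists no other file-related rule needs it; read together with the common_device.policy hunk in this same commit, it replaces the fallback the device used to inherit from the shared policy. A one-line comment above it, `# openat is no longer provided by common_device.policy; keep the ENOENT fallback so an unexpected open fails softly instead of hitting the default action`, would stop a later cleanup from removing it as unused. The same undocumented addition appears in the block_device, cras_audio_device, input_device, net_device, null_audio_device, pmem_device, rng_device, serial, vhost_net_device, vhost_vsock_device and wl_device hunks.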
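Review bot: Removing `openat: return ENOENT` from common_device.policy changes the outcome for every policy that includes this file and does not list openat itself: such a call no longer returns ENOENT but falls to the policy's default action, which in Minijail is a kill unless the policy sets one explicitly. Only the policies touched in this commit gain their own rule, and the diffstat is limited to seccomp/aarch64, so it is worth confirming that no other consumer of the shared file, on this or any other architecture, relied on the inherited rule. A comment at the removal site, `# openat is intentionally absent here; each device policy must carry its own openat rule`, would record the new contract for future policy authors.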
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
-
 @include /usr/share/policy/crosvm/common_device.policy
 
 fchmodat: 1
@@ -20,6 +18,7 @@ linkat: 1
 lseek: 1
 mkdirat: 1
 mknodat: 1
+openat: 1
 preadv: 1
 pwritev: 1
 readlinkat: 1
diff --git a/seccomp/aarch64/gpu_device.policy b/seccomp/aarch64/gpu_device.policy
index 1daedc2..98e15fd 100644
--- a/seccomp/aarch64/gpu_device.policy
+++ b/seccomp/aarch64/gpu_device.policy
@@ -23,7 +23,6 @@ madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
 mremap: 1
 munmap: 1
 nanosleep: 1
-open: return ENOENT
 pipe2: 1
 ppoll: 1
 prctl: arg0 == PR_SET_NAME
@@ -57,9 +56,10 @@ getdents64: 1
 # 0x6400 == DRM_IOCTL_BASE, 0x8000 = KBASE_IOCTL_TYPE (mali)
 ioctl: arg1 & 0x6400 || arg1 & 0x8000
-## mmap/mprotect/openat differ from the common_device.policy
+## mmap/mprotect differ from the common_device.policy
 mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC || arg2 == PROT_WRITE || arg2 == PROT_READ
 mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: return ENOENT
 openat: 1
 
 ## Rules specific to pvr
diff --git a/seccomp/aarch64/input_device.policy b/seccomp/aarch64/input_device.policy
index f26998e..07d3b5f 100644
--- a/seccomp/aarch64/input_device.policy
+++ b/seccomp/aarch64/input_device.policy
@@ -7,3 +7,4 @@
 ioctl: 1
 fcntl: 1
 getsockname: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/net_device.policy b/seccomp/aarch64/net_device.policy
index 1b8f2b6..a1c2eef 100644
--- a/seccomp/aarch64/net_device.policy
+++ b/seccomp/aarch64/net_device.policy
@@ -6,3 +6,4 @@
 
 # TUNSETOFFLOAD
 ioctl: arg1 == 0x400454d0
+openat: return ENOENT
diff --git a/seccomp/aarch64/null_audio_device.policy b/seccomp/aarch64/null_audio_device.policy
index 46864c1..7a88fe2 100644
--- a/seccomp/aarch64/null_audio_device.policy
+++ b/seccomp/aarch64/null_audio_device.policy
@@ -8,3 +8,4 @@ madvise: 1
 prlimit64: 1
 setrlimit: 1
 clock_gettime: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/pmem_device.policy b/seccomp/aarch64/pmem_device.policy
index b3cd64d..77719a9 100644
--- a/seccomp/aarch64/pmem_device.policy
+++ b/seccomp/aarch64/pmem_device.policy
@@ -6,3 +6,4 @@
 
 fdatasync: 1
 fsync: 1
+openat: return ENOENT
diff --git a/seccomp/aarch64/rng_device.policy b/seccomp/aarch64/rng_device.policy
index f9e98f0..fa86280 100644
--- a/seccomp/aarch64/rng_device.policy
+++ b/seccomp/aarch64/rng_device.policy
@@ -3,3 +3,5 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+openat: return ENOENT
diff --git a/seccomp/aarch64/serial.policy b/seccomp/aarch64/serial.policy
index f9e98f0..fa86280 100644
--- a/seccomp/aarch64/serial.policy
+++ b/seccomp/aarch64/serial.policy
@@ -3,3 +3,5 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+openat: return ENOENT
diff --git a/seccomp/aarch64/tpm_device.policy b/seccomp/aarch64/tpm_device.policy
index 66e0ef1..7b59c8d 100644
--- a/seccomp/aarch64/tpm_device.policy
+++ b/seccomp/aarch64/tpm_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-#open: return ENOENT
-#openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/aarch64/vhost_net_device.policy b/seccomp/aarch64/vhost_net_device.policy
index 1868322..4de1967 100644
--- a/seccomp/aarch64/vhost_net_device.policy
+++ b/seccomp/aarch64/vhost_net_device.policy
@@ -21,3 +21,4 @@
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+openat: return ENOENT
diff --git a/seccomp/aarch64/vhost_vsock_device.policy b/seccomp/aarch64/vhost_vsock_device.policy
index 9cdc57f..82b6650 100644
--- a/seccomp/aarch64/vhost_vsock_device.policy
+++ b/seccomp/aarch64/vhost_vsock_device.policy
@@ -22,3 +22,4 @@
 # arg1 == VHOST_VSOCK_SET_GUEST_CID ||
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
+openat: return ENOENT
diff --git a/seccomp/aarch64/wl_device.policy b/seccomp/aarch64/wl_device.policy
index d8bbccd..864aefb 100644
--- a/seccomp/aarch64/wl_device.policy
+++ b/seccomp/aarch64/wl_device.policy
@@ -9,9 +9,7 @@ socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
 ioctl: arg1 == 0x5421 || arg1 == 0x40086200
 connect: 1
-# Used to communicate with wayland
-recvmsg: 1
-sendmsg: 1
+openat: return ENOENT
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 # Used to set of size new memfd
diff --git a/seccomp/aarch64/xhci.policy b/seccomp/aarch64/xhci.policy
index 7e5b1c7..e3e2952 100644
--- a/seccomp/aarch64/xhci.policy
+++ b/seccomp/aarch64/xhci.policy
@@ -2,21 +2,18 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
 @include /usr/share/policy/crosvm/common_device.policy
 
 statx: 1
-fcntl: 1
 readlinkat: 1
 getdents64: 1
-getrandom: 1
 name_to_handle_at: 1
 faccessat: 1
 gettid: 1
 clock_gettime: 1
 timerfd_create: 1
 getsockname: 1
-pipe2: 1
+openat: 1
 setsockopt: 1
 bind: 1
 fcntl: 1
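Review bot: Dropping `recvmsg: 1` and `sendmsg: 1` together with the `# Used to communicate with wayland` comment removes the only statement in wl_device.policy of why this device needs those syscalls; the commit message says they are redundant to common_device.policy, but that file's recvmsg/sendmsg rules are not in this diff, so a reader can no longer check from this file that the Wayland socket depends on them or that the shared rules are no stricter than the ones removed. Keeping the rationale as `# recvmsg/sendmsg (wayland socket) are provided by common_device.policy` preserves it at no cost and points the next maintainer at the file that now owns the rule. The cras_audio_device.policy hunk makes the same removal, also without a pointer to where the rules now live.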
@@ -37,8 +34,5 @@ uname: 1
 # 0x80185520 == USBDEVFS_CONNINFO_EX
 ioctl: arg1 == 0xc0105500 || arg1 == 0x802c550a || arg1 == 0x8004551a || arg1 == 0x4004550d || arg1 == 0x8004550f || arg1 == 0x80045510 || arg1 == 0x550b || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520
 fstat: 1
-sigaltstack: 1
-recvmsg: 1
 getrandom: 1
-getdents64: 1
 lseek: 1
|