author | Sonny Rao <sonnyrao@chromium.org> | 2018-07-20 17:18:59 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-07-23 21:04:38 -0700 |
commit | b847858e66d58a3bf7506f43f1a22781014a527e (patch) | |
tree | 900397b57bfe31e582b054087be2206450b3fd50 /seccomp/arm | |
parent | 98ca995c395905a6fe9d9d6394399d5336ef2608 (diff) | |
seccomp: rename aarch64 -> arm
These policies are not for aarch64 but use the 32-bit system calls. We call it aarch64 support because that's what we're targeting for the guest kernel, but it doesn't really make any sense to call the seccomp policies aarch64 when we're building a 32-bit binary. We can add real aarch64 seccomp policies when we start building an aarch64 crosvm binary. BUG=chromium:866197 TEST=emerge-kevin crosvm, run vm_CrosVmStart CQ-DEPEND=CL:1145903 Change-Id: I7c5e70fbc127e4209ed392cfcf10ea36a6dd4b2c Reviewed-on: https://chromium-review.googlesource.com/1145909 Commit-Ready: Sonny Rao <sonnyrao@chromium.org> Tested-by: Sonny Rao <sonnyrao@chromium.org> Reviewed-by: Stephen Barber <smbarber@chromium.org> Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'seccomp/arm')
-rw-r--r-- | seccomp/arm/balloon_device.policy | 32 | ||||
-rw-r--r-- | seccomp/arm/block_device.policy | 38 | ||||
-rw-r--r-- | seccomp/arm/net_device.policy | 33 | ||||
-rw-r--r-- | seccomp/arm/rng_device.policy | 33 | ||||
-rw-r--r-- | seccomp/arm/vhost_net_device.policy | 50 | ||||
-rw-r--r-- | seccomp/arm/vhost_vsock_device.policy | 53 | ||||
-rw-r--r-- | seccomp/arm/wl_device.policy | 53 |
7 files changed, 292 insertions, 0 deletions
diff --git a/seccomp/arm/balloon_device.policy b/seccomp/arm/balloon_device.policy
new file mode 100644
index 0000000..d5011be
--- /dev/null
+++ b/seccomp/arm/balloon_device.policy
@@ -0,0 +1,32 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+madvise: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1
+ppoll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/block_device.policy b/seccomp/arm/block_device.policy
new file mode 100644
index 0000000..9dcaa92
--- /dev/null
+++ b/seccomp/arm/block_device.policy
@@ -0,0 +1,38 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+fdatasync: 1
+fstat64: 1
+fsync: 1
+ftruncate64: 1
+futex: 1
+gettimeofday: 1
+_llseek: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+poll: 1
+ppoll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
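Review bot: balloon_device.policy is the only one of the seven new policies without `restart_syscall: 1`, even though it allows poll and ppoll; a poll with a timeout that is interrupted by a stop/continue signal pair is resumed by the kernel through restart_syscall, and under this policy that resumed call would be killed rather than retried. Adding `restart_syscall: 1` next to `prctl: arg0 == 15` brings the file in line with block_device.policy in the same hunk line and the other five policies in this commit. Separately, `madvise: 1` admits every advice value, whereas wl_device.policy in this commit pins it to `madvise: arg2 == 0x00000010`; if the balloon thread only issues one or two advice values, filtering arg2 the same way would make the allowance much easier to audit.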
diff --git a/seccomp/arm/net_device.policy b/seccomp/arm/net_device.policy
new file mode 100644
index 0000000..5f50c87
--- /dev/null
+++ b/seccomp/arm/net_device.policy
@@ -0,0 +1,33 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/rng_device.policy b/seccomp/arm/rng_device.policy
new file mode 100644
index 0000000..7d2df8f
--- /dev/null
+++ b/seccomp/arm/rng_device.policy
@@ -0,0 +1,33 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+poll: 1
+ppoll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/vhost_net_device.policy b/seccomp/arm/vhost_net_device.policy
new file mode 100644
index 0000000..815aa34
--- /dev/null
+++ b/seccomp/arm/vhost_net_device.policy
@@ -0,0 +1,50 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Whitelist vhost_net ioctls only.
+# arg1 == VHOST_GET_FEATURES ||
+# arg1 == VHOST_SET_FEATURES ||
+# arg1 == VHOST_SET_OWNER ||
+# arg1 == VHOST_RESET_OWNER ||
+# arg1 == VHOST_SET_MEM_TABLE ||
+# arg1 == VHOST_SET_LOG_BASE ||
+# arg1 == VHOST_SET_LOG_FD ||
+# arg1 == VHOST_SET_VRING_NUM ||
+# arg1 == VHOST_SET_VRING_ADDR ||
+# arg1 == VHOST_SET_VRING_BASE ||
+# arg1 == VHOST_GET_VRING_BASE ||
+# arg1 == VHOST_SET_VRING_KICK ||
+# arg1 == VHOST_SET_VRING_CALL ||
+# arg1 == VHOST_SET_VRING_ERR ||
+# arg1 == VHOST_NET_SET_BACKEND
+ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/vhost_vsock_device.policy b/seccomp/arm/vhost_vsock_device.policy
new file mode 100644
index 0000000..c6efaee
--- /dev/null
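Review bot: The ioctl whitelist comment in vhost_net_device.policy (and the matching one in vhost_vsock_device.policy on the next line) names the VHOST_* constants but never says which ABI the hex encodings were computed for, which matters in a commit whose whole point is that these files target the 32-bit syscall ABI after being moved from the aarch64 tree. As far as I can tell the vhost request structs use fixed-width fields, so the `_IOW`/`_IOR` size bytes and therefore the numbers come out the same on 32-bit ARM, but that reasoning lives only in the reviewer's head. A line such as `# Encodings below assume fixed-width vhost structs and are identical on 32- and 64-bit ARM; re-check against linux/vhost.h before adding entries.` placed above `ioctl:` would stop a value copied from a different ABI being accepted unchecked in a later edit.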
+++ b/seccomp/arm/vhost_vsock_device.policy
@@ -0,0 +1,53 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Whitelist vhost_vsock ioctls only.
+# arg1 == VHOST_GET_FEATURES ||
+# arg1 == VHOST_SET_FEATURES ||
+# arg1 == VHOST_SET_OWNER ||
+# arg1 == VHOST_RESET_OWNER ||
+# arg1 == VHOST_SET_MEM_TABLE ||
+# arg1 == VHOST_SET_LOG_BASE ||
+# arg1 == VHOST_SET_LOG_FD ||
+# arg1 == VHOST_SET_VRING_NUM ||
+# arg1 == VHOST_SET_VRING_ADDR ||
+# arg1 == VHOST_SET_VRING_BASE ||
+# arg1 == VHOST_GET_VRING_BASE ||
+# arg1 == VHOST_SET_VRING_KICK ||
+# arg1 == VHOST_SET_VRING_CALL ||
+# arg1 == VHOST_SET_VRING_ERR ||
+# arg1 == VHOST_VSOCK_SET_GUEST_CID ||
+# arg1 == VHOST_VSOCK_SET_RUNNING
+ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+connect: 1
+sendto: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/wl_device.policy b/seccomp/arm/wl_device.policy
new file mode 100644
index 0000000..7d0c7cb
--- /dev/null
+++ b/seccomp/arm/wl_device.policy
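Review bot: `connect: 1` and `sendto: 1` in vhost_vsock_device.policy are the only argument-unrestricted, uncommented entries that distinguish this file from vhost_net_device.policy, so the reason the vsock device needs them is not visible in the hunk. Because `socket` is not allowed here, both calls can only act on descriptors the thread already holds, which bounds the exposure, but an auditor still has to guess what is being connected to and sent. A comment stating their purpose, and if the destination is fixed an argument check in the style of wl_device.policy's `connect: arg2 == 13`, would make the allowance checkable rather than trusted.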
@@ -0,0 +1,53 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+getpid: 1
+gettimeofday: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+# Allow MADV_DONTDUMP only.
+madvise: arg2 == 0x00000010
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+# Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+# arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
+ioctl: arg1 == 0x5421 || arg1 == 0x40086200
+connect: arg2 == 13
+# Used to communicate with wayland
+recvmsg: 1
+sendmsg: 1
+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
+# Used to set of size new memfd
+ftruncate64: 1
+# Used to determine shm size after recvmsg with fd
+_llseek: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+# Allow F_GETFL only
+fcntl64: arg1 == 3
+pipe2: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1 |
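Review bot: `connect: arg2 == 13` in wl_device.policy pins the address length to a bare number with no comment, although every other argument filter in this file (socket, ioctl, madvise, memfd_create, fcntl64) spells out the symbolic meaning of its constant. The value is presumably the sockaddr length of the expected wayland socket address, but a reader cannot confirm that from the file; a comment such as `# Only the expected wayland socket address length (sa_family_t plus path)`, with the actual path length stated, would let a reviewer check the number instead of trusting it. While touching the comments, `# Used to set of size new memfd` is garbled and reads correctly as `# Used to set the size of a new memfd`.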