authorSonny Rao <sonnyrao@chromium.org>2018-07-20 17:18:59 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-07-23 21:04:38 -0700
commitb847858e66d58a3bf7506f43f1a22781014a527e (patch)
tree900397b57bfe31e582b054087be2206450b3fd50 /seccomp/arm
parent98ca995c395905a6fe9d9d6394399d5336ef2608 (diff)
seccomp: rename aarch64 -> arm
These policies are not for aarch64 but use the 32-bit system calls.
We call it aarch64 support because that's what we're targeting for
the guest kernel, but it doesn't really make any sense to call the
seccomp policies aarch64 when we're building a 32-bit binary.
We can add real aarch64 seccomp policies when we start building an
aarch64 crosvm binary.

BUG=chromium:866197
TEST=emerge-kevin crosvm, run vm_CrosVmStart
CQ-DEPEND=CL:1145903

Change-Id: I7c5e70fbc127e4209ed392cfcf10ea36a6dd4b2c
Reviewed-on: https://chromium-review.googlesource.com/1145909
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'seccomp/arm')
-rw-r--r--seccomp/arm/balloon_device.policy32
-rw-r--r--seccomp/arm/block_device.policy38
-rw-r--r--seccomp/arm/net_device.policy33
-rw-r--r--seccomp/arm/rng_device.policy33
-rw-r--r--seccomp/arm/vhost_net_device.policy50
-rw-r--r--seccomp/arm/vhost_vsock_device.policy53
-rw-r--r--seccomp/arm/wl_device.policy53
7 files changed, 292 insertions, 0 deletions
diff --git a/seccomp/arm/balloon_device.policy b/seccomp/arm/balloon_device.policy
new file mode 100644
index 0000000..d5011be
--- /dev/null
+++ b/seccomp/arm/balloon_device.policy
@@ -0,0 +1,32 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+madvise: 1
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1
+ppoll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
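Review bot: balloon_device.policy is the only policy in this commit without `restart_syscall: 1` (block, net, rng, vhost_net, vhost_vsock and wl all carry it), so a `poll`/`ppoll` with a timeout that is interrupted by a stop/continue signal would be resumed by the kernel through restart_syscall and rejected by the filter; adding `restart_syscall: 1` next to `ppoll: 1` would match the sibling policies. `madvise: 1` on line 60 is also unconstrained, whereas wl_device.policy limits it to `madvise: arg2 == 0x00000010`; if the balloon only needs to release guest pages, an allowlist of the exact advice values the device issues (MADV_DONTNEED and/or MADV_REMOVE — confirm against the device code) would be tighter. Lastly, `clone: arg0 & 0x00010000` accepts any flag combination that includes CLONE_THREAD rather than forbidding everything else, so the comment above it (present in every file of this commit) would read more accurately as `# Only allow clone() calls with CLONE_THREAD (0x10000) set.`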
diff --git a/seccomp/arm/block_device.policy b/seccomp/arm/block_device.policy
new file mode 100644
index 0000000..9dcaa92
--- /dev/null
+++ b/seccomp/arm/block_device.policy
@@ -0,0 +1,38 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+fdatasync: 1
+fstat64: 1
+fsync: 1
+ftruncate64: 1
+futex: 1
+gettimeofday: 1
+_llseek: 1
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+poll: 1
+ppoll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/net_device.policy b/seccomp/arm/net_device.policy
new file mode 100644
index 0000000..5f50c87
--- /dev/null
+++ b/seccomp/arm/net_device.policy
@@ -0,0 +1,33 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
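Review bot: The comment `# arg0 is flags. Because kernel.` on line 157 does not explain the mask that follows it, and the same line recurs in vhost_net_device.policy, vhost_vsock_device.policy and wl_device.policy. Since the rule is the only place a reader can learn what 0x00010000 means, spelling it out is worth the extra words: `# arg0 is the clone flags argument; 0x00010000 is CLONE_THREAD.` The balloon, block and rng policies omit this second comment line entirely, so it would also be tidier to use one wording across all seven files.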
diff --git a/seccomp/arm/rng_device.policy b/seccomp/arm/rng_device.policy
new file mode 100644
index 0000000..7d2df8f
--- /dev/null
+++ b/seccomp/arm/rng_device.policy
@@ -0,0 +1,33 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+poll: 1
+ppoll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
diff --git a/seccomp/arm/vhost_net_device.policy b/seccomp/arm/vhost_net_device.policy
new file mode 100644
index 0000000..815aa34
--- /dev/null
+++ b/seccomp/arm/vhost_net_device.policy
@@ -0,0 +1,50 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Whitelist vhost_net ioctls only.
+# arg1 == VHOST_GET_FEATURES ||
+# arg1 == VHOST_SET_FEATURES ||
+# arg1 == VHOST_SET_OWNER ||
+# arg1 == VHOST_RESET_OWNER ||
+# arg1 == VHOST_SET_MEM_TABLE ||
+# arg1 == VHOST_SET_LOG_BASE ||
+# arg1 == VHOST_SET_LOG_FD ||
+# arg1 == VHOST_SET_VRING_NUM ||
+# arg1 == VHOST_SET_VRING_ADDR ||
+# arg1 == VHOST_SET_VRING_BASE ||
+# arg1 == VHOST_GET_VRING_BASE ||
+# arg1 == VHOST_SET_VRING_KICK ||
+# arg1 == VHOST_SET_VRING_CALL ||
+# arg1 == VHOST_SET_VRING_ERR ||
+# arg1 == VHOST_NET_SET_BACKEND
+ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
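Review bot: The ioctl allowlist on line 238 admits VHOST_SET_LOG_BASE (0x4008af04) and VHOST_SET_LOG_FD (0x4004af07) alongside the setup ioctls; if this device never enables vhost dirty-page logging (nothing on the page shows it does, so this is a question rather than a finding), dropping those two entries would keep the filter to what the device actually issues, and the same applies to the vhost_vsock list on line 295. The name-per-line comment block above the rule is helpful, but a reader has to count positions to pair names with numbers; keeping the two lists in the same order, as they are now, is the property worth stating explicitly, e.g. `# Constants below are listed in the same order as the names above.`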
diff --git a/seccomp/arm/vhost_vsock_device.policy b/seccomp/arm/vhost_vsock_device.policy
new file mode 100644
index 0000000..c6efaee
--- /dev/null
+++ b/seccomp/arm/vhost_vsock_device.policy
@@ -0,0 +1,53 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+exit_group: 1
+futex: 1
+gettimeofday: 1
+# Whitelist vhost_vsock ioctls only.
+# arg1 == VHOST_GET_FEATURES ||
+# arg1 == VHOST_SET_FEATURES ||
+# arg1 == VHOST_SET_OWNER ||
+# arg1 == VHOST_RESET_OWNER ||
+# arg1 == VHOST_SET_MEM_TABLE ||
+# arg1 == VHOST_SET_LOG_BASE ||
+# arg1 == VHOST_SET_LOG_FD ||
+# arg1 == VHOST_SET_VRING_NUM ||
+# arg1 == VHOST_SET_VRING_ADDR ||
+# arg1 == VHOST_SET_VRING_BASE ||
+# arg1 == VHOST_GET_VRING_BASE ||
+# arg1 == VHOST_SET_VRING_KICK ||
+# arg1 == VHOST_SET_VRING_CALL ||
+# arg1 == VHOST_SET_VRING_ERR ||
+# arg1 == VHOST_VSOCK_SET_GUEST_CID ||
+# arg1 == VHOST_VSOCK_SET_RUNNING
+ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+connect: 1
+sendto: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
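Review bot: `connect: 1` and `sendto: 1` on lines 304–305 are the only unconstrained socket-side entries in this set of policies and carry no comment, whereas wl_device.policy pins its connect to `connect: arg2 == 13` and documents it. Because `socket` is not allowed here, both calls can only act on descriptors the process already holds, which bounds the exposure, but the reason they are needed should be recorded so the next edit does not widen or drop them blindly, e.g. `# connect/sendto: presumably for the logging socket inherited at startup — confirm.`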
diff --git a/seccomp/arm/wl_device.policy b/seccomp/arm/wl_device.policy
new file mode 100644
index 0000000..7d0c7cb
--- /dev/null
+++ b/seccomp/arm/wl_device.policy
@@ -0,0 +1,53 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+getpid: 1
+gettimeofday: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap2: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+# Allow MADV_DONTDUMP only.
+madvise: arg2 == 0x00000010
+munmap: 1
+poll: 1
+ppoll: 1
+read: 1
+recv: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+# Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+# arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
+ioctl: arg1 == 0x5421 || arg1 == 0x40086200
+connect: arg2 == 13
+# Used to communicate with wayland
+recvmsg: 1
+sendmsg: 1
+# Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
+memfd_create: arg1 == 3
+# Used to set of size new memfd
+ftruncate64: 1
+# Used to determine shm size after recvmsg with fd
+_llseek: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+restart_syscall: 1
+# Allow F_GETFL only
+fcntl64: arg1 == 3
+pipe2: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
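Review bot: `connect: arg2 == 13` on line 361 is an undocumented magic number in a file where every other constrained rule explains its constant; arg2 is the address length, and the value 13 presumably matches the length of the wayland socket address crosvm builds, so a comment such as `# Connect to the wayland socket; arg2 is the sockaddr length used by the device.` would let a reviewer check it against the device code. The comment on line 367, `# Used to set of size new memfd`, reads as a typo and would be clearer as `# Used to set the size of a new memfd`.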