path: root/seccomp/x86_64/xhci.policy
author Matt Delco <delco@chromium.org> 2019-11-14 17:48:44 -0800
committer Commit Bot <commit-bot@chromium.org> 2020-01-22 17:36:36 +0000
commit 4389dab57954af6806c706f29e3dfef7bb324915 (patch)
tree cae2ee1526b7d238df71b91227e8249561193424 /seccomp/x86_64/xhci.policy
parent 45caf91aaa80d2d37a63ed2bf99da69b4da0aafa (diff)
seccomp: remove redundant unconditional rules
Minijail's policy compiler complains when there are multiple
unconditional rules for a syscall.  In most cases the rules
are redundant to common_device.policy.  I don't know what
to do about the intentionally contradictory rules for open
and openat, other than to remove them from the common device
policy and add them to all the others.

BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.

Change-Id: I6813dd1e0b39e975415662bd7de74c25a1be9eb3
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1918607
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp/x86_64/xhci.policy')
-rw-r--r-- seccomp/x86_64/xhci.policy 7
1 files changed, 2 insertions, 5 deletions
diff --git a/seccomp/x86_64/xhci.policy b/seccomp/x86_64/xhci.policy
index df4acef..4b4fc3d 100644
--- a/seccomp/x86_64/xhci.policy
+++ b/seccomp/x86_64/xhci.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-# xhci need "openat" to enumerate device. "openat" is disabled in comman_device policy.
-openat: 1
 @include /usr/share/policy/crosvm/common_device.policy
 
 lstat: 1
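Review bot: the removed comment was the only place in this file that recorded why xhci needs openat (device enumeration), and it is not carried over to where the rule is re-added later in this file; keep a one-line comment next to the new `openat: 1` (with the "comman_device" typo corrected to "common_device") so the reason survives. The removal before the `@include` also only resolves the "multiple unconditional rules" error if the open/openat rules really are gone from common_device.policy in this same change, as the commit message intends; worth confirming that file is updated alongside this one.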
@@ -12,12 +10,13 @@ readlinkat: 1
 timerfd_create: 1
 name_to_handle_at: 1
 access: 1
-timerfd_create: 1
 getsockname: 1
 pipe: 1
 setsockopt: 1
 bind: 1
 fcntl: 1
+open: return ENOENT
+openat: 1
 socket: arg0 == AF_NETLINK
 stat: 1
 uname: 1
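Review bot: `open: return ENOENT` and `openat: 1` are added without any comment explaining the asymmetry (open is refused with an error rather than killing the process, openat is allowed), which is exactly the "intentionally contradictory" pair the commit message says it could not place anywhere else; a short comment above these two lines would stop a later cleanup from "fixing" it. Separately, dropping the second `timerfd_create: 1` is safe since the first copy remains in the hunk's leading context (`timerfd_create: 1` two lines above `access: 1`).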
@@ -37,8 +36,6 @@ uname: 1
 # 0x80185520 == USBDEVFS_CONNINFO_EX
 ioctl: arg1 == 0xc0185500 || arg1 == 0x41045508 || arg1 == 0x8004550f || arg1 == 0x4008550d || arg1 == 0x8004551a || arg1 == 0x550b || arg1 == 0x80045510 || arg1 == 0x8038550a || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520
 fstat: 1
-sigaltstack: 1
-recvmsg: 1
 getrandom: 1
 getdents: 1
 lseek: 1
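Review bot: removing `sigaltstack: 1` and `recvmsg: 1` assumes common_device.policy grants both unconditionally; if either is expressed there as an argument-filtered rule rather than `: 1`, this device loses the unrestricted form and the policy compiler would not have complained about it in the first place. Confirm both appear as unconditional rules in the included file before relying on the "redundant" justification from the commit message.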