author | Matt Delco <delco@chromium.org> | 2019-11-14 17:48:44 -0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-01-22 17:36:36 +0000 |
commit | 4389dab57954af6806c706f29e3dfef7bb324915 (patch) | |
tree | cae2ee1526b7d238df71b91227e8249561193424 /seccomp/x86_64/xhci.policy | |
parent | 45caf91aaa80d2d37a63ed2bf99da69b4da0aafa (diff) | |
seccomp: remove redundant unconditional rules
Minijail's policy compiler complains when there are multiple unconditional rules for a syscall. In most cases the rules are redundant to common_device.policy. I don't know what to do about the intentionally contradictory rules for open and openat, other than to remove them from the common device policy and add them to all the others.

BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped complaining.

Change-Id: I6813dd1e0b39e975415662bd7de74c25a1be9eb3
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1918607
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp/x86_64/xhci.policy')
-rw-r--r-- | seccomp/x86_64/xhci.policy | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/seccomp/x86_64/xhci.policy b/seccomp/x86_64/xhci.policy index df4acef..4b4fc3d 100644 --- a/seccomp/x86_64/xhci.policy +++ b/seccomp/x86_64/xhci.policy @@ -2,8 +2,6 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -# xhci need "openat" to enumerate device. "openat" is disabled in comman_device policy. -openat: 1 @include /usr/share/policy/crosvm/common_device.policy lstat: 1 @@ -12,12 +10,13 @@ readlinkat: 1 timerfd_create: 1 name_to_handle_at: 1 access: 1 -timerfd_create: 1 getsockname: 1 pipe: 1 setsockopt: 1 bind: 1 fcntl: 1 +open: return ENOENT +openat: 1 socket: arg0 == AF_NETLINK stat: 1 uname: 1 @@ -37,8 +36,6 @@ uname: 1 # 0x80185520 == USBDEVFS_CONNINFO_EX ioctl: arg1 == 0xc0185500 || arg1 == 0x41045508 || arg1 == 0x8004550f || arg1 == 0x4008550d || arg1 == 0x8004551a || arg1 == 0x550b || arg1 == 0x80045510 || arg1 == 0x8038550a || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520 fstat: 1 -sigaltstack: 1 -recvmsg: 1 getrandom: 1 getdents: 1 lseek: 1 |
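Review bot: The first hunk (@@ -2,8 +2,6 @@) deletes the only comment explaining why this policy needs `openat` at all ("xhci need "openat" to enumerate device"), and the rule is re-added later in the file without that rationale; please carry the comment (with "comman_device" corrected to "common_device") over to sit next to the new `openat: 1` line so a future reader knows the device-enumeration requirement rather than seeing an unexplained unconditional allow.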
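Review bot: In the second hunk (@@ -12,12 +10,13 @@) the added pair `open: return ENOENT` / `openat: 1` is intentionally asymmetric (legacy open(2) is refused with ENOENT while openat(2) is allowed unconditionally), but nothing in the file says so, and the placement after the `@include` line only avoids the compiler's duplicate-rule complaint because the commit message says these two rules were dropped from common_device.policy; add a one-line comment above the pair stating that it is deliberate and that common_device.policy must not define open/openat, otherwise the next person to "tidy" either file will reintroduce the conflict. The removal of the duplicate `timerfd_create: 1` in this hunk is fine, since the first copy a few lines up remains.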
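Review bot: The third hunk (@@ -37,8 +36,6 @@) drops `sigaltstack: 1` and `recvmsg: 1` on the stated grounds that they are redundant with common_device.policy, but nothing in this diff shows those two syscalls present in the included file; the reviewer should confirm both appear in common_device.policy (ideally in the same change), because if either is missing the xhci device process would now hit a seccomp violation on a call it previously had permission for, which is the kind of regression the compiler's duplicate-rule check does not catch. A short note in the commit message listing which rules were verified against common_device.policy would make that audit trail explicit.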