authorDaniel Verkamp <dverkamp@chromium.org>2020-01-15 13:34:09 -0800
committerCommit Bot <commit-bot@chromium.org>2020-01-17 23:04:03 +0000
commit5de0604f2922681f1414bc05f8cfe9b30387e59e (patch)
treea34a2ea8d4c92269876a708c450e167417b95dea /seccomp/x86_64
parentdd21cf7b38dd367b8d053fe0fb849db337f7740e (diff)
seccomp: allow statx syscall where stat/fstat was allowed
This is used in Rust 1.40.0's libstd in place of stat/fstat; update the
whitelists to allow the new syscall as well.

BUG=chromium:1042461
TEST=`crosvm disk resize` does not trigger seccomp failure

Change-Id: Ia3f0e49ee009547295c7af7412dfb5eb3ac1efcb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2003685
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Diffstat (limited to 'seccomp/x86_64')
-rw-r--r--seccomp/x86_64/9p_device.policy1
-rw-r--r--seccomp/x86_64/block_device.policy1
-rw-r--r--seccomp/x86_64/fs_device.policy1
-rw-r--r--seccomp/x86_64/gpu_device.policy1
-rw-r--r--seccomp/x86_64/tpm_device.policy1
5 files changed, 5 insertions, 0 deletions
diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index e1bddde..498ce6c 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -10,6 +10,7 @@ openat: 1
 writev: 1
 pwrite64: 1
 stat: 1
+statx: 1
 lstat: 1
 fstat: 1
 ioctl: arg1 == FIOCLEX
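Review bot: The new `statx: 1` line carries no hint of why it exists, so a later cleanup that sees `stat`, `lstat` and `fstat` still listed could reasonably drop it as redundant; a one-line comment above it would tie the rule to its cause, e.g. `# statx is used by Rust >= 1.40 libstd in place of stat/fstat.`. Allowing it without an argument filter does not widen this policy beyond what the surrounding rules already grant, since `stat`, `lstat` and `fstat` are each allowed unconditionally here and statx performs the same lookups.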
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index c1ddf26..66d7d0d 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -14,6 +14,7 @@ pread64: 1
 preadv: 1
 pwrite64: 1
 pwritev: 1
+statx: 1
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
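Review bot: The context of this hunk shows neither a `stat` nor an `fstat` rule, so it cannot be confirmed from here that statx only replaces a syscall the block device policy already permitted. If this policy previously relied on fd-based `fstat` alone, `statx: 1` additionally permits path-based lookups through its dirfd/pathname arguments, which is a wider surface than an fd-only rule. seccomp cannot inspect the pathname pointer, so a flags-only filter such as `statx: arg2 & AT_EMPTY_PATH` would not reduce this to fstat semantics; if the widening is accepted, a short comment saying so next to the rule would save the next reader the same analysis.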
diff --git a/seccomp/x86_64/fs_device.policy b/seccomp/x86_64/fs_device.policy
index 20db0bf..8fbb556 100644
--- a/seccomp/x86_64/fs_device.policy
+++ b/seccomp/x86_64/fs_device.policy
@@ -28,6 +28,7 @@ renameat2: 1
 setresgid: 1
 setresuid: 1
 symlinkat: 1
+statx: 1
 umask: 1
 unlinkat: 1
 utimensat: 1
\ No newline at end of file
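Review bot: `statx: 1` is inserted after `symlinkat: 1`, which breaks the alphabetical ordering this policy otherwise keeps (`renameat2`, `setresgid`, `setresuid`, `symlinkat`, `umask`, `unlinkat`, `utimensat`); placing it between `setresuid: 1` and `symlinkat: 1` keeps the list sortable and makes duplicate rules easy to spot. The `\ No newline at end of file` marker shows the file still lacks a trailing newline; that predates this change but could be fixed while the file is being touched. The fs device's existing `stat`/`fstat` rules, if any, are outside this hunk's context.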
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index b98dbd2..23b6b6c 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -68,6 +68,7 @@ openat: 1
 readlink: 1
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 stat: 1
+statx: 1
 sysinfo: 1
 
 # Rules specific to AMD gpus.
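Review bot: Only `stat: 1` is visible around the new rule, and statx also provides `lstat` (via AT_SYMLINK_NOFOLLOW) and `fstat` (via AT_EMPTY_PATH) semantics, so if this policy deliberately omits either of those syscalls — not visible from this hunk — `statx: 1` reintroduces them without a filter. If that is acceptable, recording it with a comment such as `# statx subsumes stat/lstat/fstat; used by Rust libstd.` would make the decision explicit rather than implicit.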
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index c3e727d..7e6d8c9 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -55,3 +55,4 @@ open: 1
 openat: 1
 socket: return EACCES
 stat: 1
+statx: 1
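Review bot: The diffstat shown is limited to seccomp/x86_64, so it is not visible whether the arm and aarch64 policies for the same devices received a matching `statx: 1`; statx is available on those architectures as well, and the same libstd change would trip their filters identically. If those files were updated in a separate commit, a pointer in the commit message would help; otherwise the change is incomplete across architectures. The `stat: 1` rule above confirms this policy already allowed path-based stat, so no widening is introduced in this file.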