author | Zach Reizner <zachr@google.com> | 2019-01-31 16:55:59 -0800 |
committer | chrome-bot <chrome-bot@chromium.org> | 2019-02-07 03:02:12 -0800 |
commit | bae43dd4c98182736ea601b313e03620a72ccf83 (patch) | |
tree | 8b2eab57c11705d6a6acdb606c2a5375cb8b8b9e /seccomp/x86_64 | |
parent | e403f5ccd0581ec62fbfb86de00b8c01958ffa67 (diff) | |
seccomp: refactor policy into common_device.policy
CQ-DEPEND=CL:1449895 BUG=None TEST=vmc start termina Change-Id: Ia3edaafc1d2958bd40e6b1adc89dd5e29b679b06 Reviewed-on: https://chromium-review.googlesource.com/1448292 Commit-Ready: Zach Reizner <zachr@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Tested-by: Zach Reizner <zachr@chromium.org> Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Diffstat (limited to 'seccomp/x86_64')
-rw-r--r-- | seccomp/x86_64/9p_device.policy | 32 | ||||
-rw-r--r-- | seccomp/x86_64/9s.policy | 63 | ||||
-rw-r--r-- | seccomp/x86_64/balloon_device.policy | 28 | ||||
-rw-r--r-- | seccomp/x86_64/block_device.policy | 35 | ||||
-rw-r--r-- | seccomp/x86_64/common_device.policy | 41 | ||||
-rw-r--r-- | seccomp/x86_64/cras_audio_device.policy | 39 | ||||
-rw-r--r-- | seccomp/x86_64/gpu_device.policy | 74 | ||||
-rw-r--r-- | seccomp/x86_64/input_device.policy | 32 | ||||
-rw-r--r-- | seccomp/x86_64/net_device.policy | 31 | ||||
-rw-r--r-- | seccomp/x86_64/null_audio_device.policy | 32 | ||||
-rw-r--r-- | seccomp/x86_64/rng_device.policy | 31 | ||||
-rw-r--r-- | seccomp/x86_64/tpm_device.policy | 31 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_net_device.policy | 32 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_vsock_device.policy | 32 | ||||
-rw-r--r-- | seccomp/x86_64/wl_device.policy | 34 |
15 files changed, 81 insertions, 486 deletions
diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index f86d7b3..ddd7417 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -2,53 +2,25 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-write: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 writev: 1
-recvfrom: 1
-epoll_wait: 1
-read: 1
 pwrite64: 1
 stat: 1
 lstat: 1
-close: 1
 open: 1
 openat: 1
 fstat: 1
-# ioctl(fd, FIOCLEX, 0) is equivalent to fcntl(fd, F_SETFD, FD_CLOEXEC).
 ioctl: arg1 == FIOCLEX
 link: 1
 unlink: 1
 rename: 1
 pread64: 1
 getdents: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-munmap: 1
 mkdir: 1
-sigaltstack: 1
-epoll_ctl: 1
-mremap: 1
 rmdir: 1
 fsync: 1
 fdatasync: 1
-restart_syscall: 1
-exit: 1
-rt_sigreturn: 1
-epoll_create1: 1
-prctl: arg0 == PR_SET_NAME
-eventfd2: 1
-sched_getaffinity: 1
-dup: 1
-getpid: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-set_robust_list: 1
-exit_group: 1
-# Allow MADV_DONTDUMP and MADV_DONTNEED only.
-madvise: arg2 == 0x00000010 || arg2 == 0x00000004
-futex: 1
 utimensat: 1
 ftruncate: 1
 fchown: arg1 == 0xffffffff && arg2 == 0xffffffff
diff --git a/seccomp/x86_64/9s.policy b/seccomp/x86_64/9s.policy
deleted file mode 100644
index 33590a8..0000000
--- a/seccomp/x86_64/9s.policy
+++ /dev/null
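Review bot: After this hunk the effective 9p policy also admits syscalls the per-device file never listed — `kill`, `pipe2`, `nanosleep`, `gettimeofday`, `brk`, `rt_sigaction`, `rt_sigprocmask`, and `MADV_REMOVE` for madvise — because common_device.policy (added in this commit) is the union of every device's needs; the same widening applies to the balloon, block, input, net, null_audio, rng, tpm, vhost_net, vhost_vsock and wl hunks. That is a deliberate trade of per-device minimality for one maintained baseline, but it is not stated anywhere; a one-line note above the include, `# common_device.policy is shared by all devices; entries below only add to it.`, would record it. The retained `open: 1` / `openat: 1` now coexist with the include's `open: return ENOENT` / `openat: return ENOENT`, so the result depends on how the policy compiler resolves a syscall listed twice; if the later per-device entry is meant to win, say so there, e.g. `# Overrides the ENOENT stub from common_device.policy: 9p needs real file access.`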
@@ -1,63 +0,0 @@
-# Copyright 2018 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-read: 1
-write: 1
-lstat: 1
-stat: 1
-open: 1
-openat: 1
-close: 1
-fstat: 1
-getdents: 1
-ioctl: arg1 == FIOCLEX
-pwrite64: 1
-pread64: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-utimensat: 1
-rt_sigaction: 1
-statfs: 1
-sigaltstack: 1
-munmap: 1
-brk: 1
-accept4: 1
-sched_getaffinity: 1
-getpid: 1
-getrlimit: 1
-fcntl: 1
-set_robust_list: 1
-link: 1
-socket: arg0 == AF_UNIX || arg0 == AF_VSOCK
-restart_syscall: 1
-exit_group: 1
-rt_sigreturn: 1
-lseek: 1
-uname: 1
-connect: 1
-rt_sigprocmask: 1
-arch_prctl: 1
-access: 1
-exit: 1
-set_tid_address: 1
-listen: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-unlink: 1
-madvise: 1
-futex: 1
-bind: 1
-rmdir: 1
-# Calling fchown with -1 as the uid/gid will change the ctime but do nothing else.
-fchown: arg1 == 0xffffffff && arg2 == 0xffffffff
-fsync: 1
-fdatasync: 1
-ftruncate: 1
-mkdir: 1
-mremap: 1
-rename: 1
-newfstatat: 1
-prlimit64: arg2 == 0 && arg3 != 0
diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy
index b10f9ef..72ecd5a 100644
--- a/seccomp/x86_64/balloon_device.policy
+++ b/seccomp/x86_64/balloon_device.policy
@@ -2,30 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED || arg2 == MADV_REMOVE
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-dup: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index 871a64e..20eca1a 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -2,45 +2,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 fallocate: 1
 fdatasync: 1
 fstat: 1
 fsync: 1
 ftruncate: 1
-futex: 1
 lseek: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED
-mremap: 1
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
-# libc free() attempts to open /proc/sys/vm/overcommit_memory
-open: return ENOENT
-openat: return ENOENT
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
new file mode 100644
index 0000000..7fa6e52
--- /dev/null
+++ b/seccomp/x86_64/common_device.policy
@@ -0,0 +1,41 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mmap: arg2 in ~PROT_EXEC
+mprotect: arg2 in ~PROT_EXEC
+mremap: 1
+munmap: 1
+nanosleep: 1
+open: return ENOENT
+openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+recvfrom: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
diff --git a/seccomp/x86_64/cras_audio_device.policy b/seccomp/x86_64/cras_audio_device.policy
index 9257a18..e5a074e 100644
--- a/seccomp/x86_64/cras_audio_device.policy
+++ b/seccomp/x86_64/cras_audio_device.policy
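Review bot: `kill: 1` is allowed unconditionally in a baseline every device process inherits, and nothing in the hunk records which device needs it or why it is not narrowed on its signal argument; the only signal-sending entry the old per-device files had was cras's `tgkill: 1` ("Kill child thread when it fails"), which the cras_audio_device.policy hunk drops without carrying tgkill here, so if that failure path still raises via tgkill (glibc's raise()/abort() do on Linux) it is now denied rather than allowed — worth confirming. The rationale comments that accompanied these entries in the per-device files were also dropped: `clone: arg0 & CLONE_THREAD` should keep `# Disallow clone's other than new threads.`, and `open: return ENOENT` / `openat: return ENOENT` should keep block_device's `# libc free() attempts to open /proc/sys/vm/overcommit_memory`. Since 9p_device.policy and gpu_device.policy re-list `open: 1` on top of this include, which entry applies depends on how the policy compiler resolves a syscall listed twice; a header line stating that this file is the shared baseline, that including files may re-list a syscall to widen it, and which entry is intended to win would make later additions reviewable.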
@@ -2,46 +2,11 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
+@include /usr/share/policy/crosvm/common_device.policy
+
 madvise: 1
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-nanosleep: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
 prlimit64: 1
-restart_syscall: 1
 setrlimit: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-# Kill child thread when it fails
-tgkill: 1
-# Real time priority
-rt_sigprocmask: 1
-rt_sigaction: 1
-rt_sigreturn: 1
-# Sockets
 recvmsg: 1
 sendmsg: 1
 socketpair: arg0 == AF_UNIX
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 24da3bb..c3d7fbf 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -2,62 +2,28 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-open: 1
-openat: 1
-close: 1
-sigaltstack: 1
-munmap: 1
-write: 1
-# Allow mmap to allow loading of GL shared libraries.
-mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
-restart_syscall: 1
-exit_group: 1
-rt_sigreturn: 1
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED
-# Used to determine shm size after recvmsg with fd.
-lseek: 1
-mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
-sched_getaffinity: 1
-set_robust_list: 1
-exit: 1
-getpid: 1
-recvfrom: 1
-dup: 1
-eventfd2: 1
-futex: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-# arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == DMA_BUF_IOCTL_SYNC ||
-# arg1 & DRM_IOCTL
-ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400
+@include /usr/share/policy/crosvm/common_device.policy
+
+connect: 1
+fcntl: arg1 == F_DUPFD_CLOEXEC
 fstat: 1
-# Used to communicate with wayland.
-recvmsg: 1
-sendmsg: 1
-poll: 1
-getrandom: 1
-read: 1
+# Used to set of size new memfd.
+ftruncate: 1
+getdents: 1
 geteuid: 1
+getrandom: 1
 getuid: 1
-readlink: 1
-getdents: 1
-stat: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-# Used to connect to wayland.
-# arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
-socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
-connect: 1
+ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400
+lseek: 1
+lstat: 1
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
-# Used to set of size new memfd.
-ftruncate: 1
-fcntl: arg1 == F_DUPFD_CLOEXEC
-lstat: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-dup2: 1
-brk: 1
+mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: 1
+openat: 1
+readlink: 1
+recvmsg: 1
+sendmsg: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+stat: 1
diff --git a/seccomp/x86_64/input_device.policy b/seccomp/x86_64/input_device.policy
index 877f80e..f26998e 100644
--- a/seccomp/x86_64/input_device.policy
+++ b/seccomp/x86_64/input_device.policy
@@ -2,36 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 ioctl: 1
 fcntl: 1
 getsockname: 1
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index 69580dc..72ecd5a 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
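Review bot: The re-sorted gpu block keeps the two widest entries in any device policy — `mmap: ... || arg2 == PROT_READ|PROT_EXEC` and the `ioctl: ... || arg1 & 0x6400` mask — but drops the comments that justified them (`# Allow mmap to allow loading of GL shared libraries.` and `# arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == DMA_BUF_IOCTL_SYNC || arg1 & DRM_IOCTL`) as well as the one decoding `socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0` (`# Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC`); they should be restored above the lines they explain, as wl_device.policy still does for its socket line. The per-device `mmap`/`mprotect` lines now sit beside the include's `mmap: arg2 in ~PROT_EXEC` / `mprotect: arg2 in ~PROT_EXEC`, so which rule applies depends on how the policy compiler resolves a syscall listed twice; the PROT_EXEC allowance only takes effect if the per-device entry wins, and that is worth stating next to it. If the `&` form is evaluated as "any bit of the mask set", as the clone rule relies on, then `arg1 & 0x6400` admits far more than DRM-typed ioctls, so the restored comment should say what the mask is meant to match and the value be confirmed. Also `# Used to set of size new memfd.` reads better as `# Used to set the size of the new memfd.`.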
@@ -2,33 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/null_audio_device.policy b/seccomp/x86_64/null_audio_device.policy
index ad8b513..9ea7015 100644
--- a/seccomp/x86_64/null_audio_device.policy
+++ b/seccomp/x86_64/null_audio_device.policy
@@ -2,36 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
+@include /usr/share/policy/crosvm/common_device.policy
+
 madvise: 1
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-nanosleep: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
 prlimit64: 1
-restart_syscall: 1
 setrlimit: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index c7de96d..72ecd5a 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -2,33 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 0a44ecd..4f7aafd 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -2,33 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index 15ea1a3..306328b 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -2,11 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 # Whitelist vhost_net ioctls only.
 # arg1 == VHOST_GET_FEATURES ||
 # arg1 == VHOST_SET_FEATURES ||
@@ -24,28 +21,3 @@ futex: 1
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 28e0a42..9c2274c 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -2,11 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 # Whitelist vhost_vsock ioctls only.
 # arg1 == VHOST_GET_FEATURES ||
 # arg1 == VHOST_SET_FEATURES ||
@@ -25,30 +22,5 @@ futex: 1
 # arg1 == VHOST_VSOCK_SET_GUEST_CID ||
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
 connect: 1
 sendto: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index bffc5ee..2ca7ed9 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -2,31 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-getpid: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 # Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
@@ -41,12 +18,5 @@ memfd_create: arg1 == 3
 ftruncate: 1
 # Used to determine shm size after recvmsg with fd
 lseek: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
 # Allow F_GETFL only
 fcntl: arg1 == 3
-pipe2: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1