seccomp: refactor policy into common_device.policy

CQ-DEPEND=CL:1449895
BUG=None
TEST=vmc start termina

Change-Id: Ia3edaafc1d2958bd40e6b1adc89dd5e29b679b06
Reviewed-on: https://chromium-review.googlesource.com/1448292
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>

15 files changed, 81 insertions, 486 deletions

diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index f86d7b3..ddd7417 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -2,53 +2,25 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-write: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 writev: 1
-recvfrom: 1
-epoll_wait: 1
-read: 1
 pwrite64: 1
 stat: 1
 lstat: 1
-close: 1
 open: 1
 openat: 1
 fstat: 1
-# ioctl(fd, FIOCLEX, 0) is equivalent to fcntl(fd, F_SETFD, FD_CLOEXEC).
 ioctl: arg1 == FIOCLEX
 link: 1
 unlink: 1
 rename: 1
 pread64: 1
 getdents: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-munmap: 1
 mkdir: 1
-sigaltstack: 1
-epoll_ctl: 1
-mremap: 1
 rmdir: 1
 fsync: 1
 fdatasync: 1
-restart_syscall: 1
-exit: 1
-rt_sigreturn: 1
-epoll_create1: 1
-prctl: arg0 == PR_SET_NAME
-eventfd2: 1
-sched_getaffinity: 1
-dup: 1
-getpid: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-set_robust_list: 1
-exit_group: 1
-# Allow MADV_DONTDUMP and MADV_DONTNEED only.
-madvise: arg2 == 0x00000010 || arg2 == 0x00000004
-futex: 1
 utimensat: 1
 ftruncate: 1
 fchown: arg1 == 0xffffffff && arg2 == 0xffffffff
diff --git a/seccomp/x86_64/9s.policy b/seccomp/x86_64/9s.policy
deleted file mode 100644
index 33590a8..0000000
--- a/seccomp/x86_64/9s.policy
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 2018 The Chromium OS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-read: 1
-write: 1
-lstat: 1
-stat: 1
-open: 1
-openat: 1
-close: 1
-fstat: 1
-getdents: 1
-ioctl: arg1 == FIOCLEX
-pwrite64: 1
-pread64: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-utimensat: 1
-rt_sigaction: 1
-statfs: 1
-sigaltstack: 1
-munmap: 1
-brk: 1
-accept4: 1
-sched_getaffinity: 1
-getpid: 1
-getrlimit: 1
-fcntl: 1
-set_robust_list: 1
-link: 1
-socket: arg0 == AF_UNIX || arg0 == AF_VSOCK
-restart_syscall: 1
-exit_group: 1
-rt_sigreturn: 1
-lseek: 1
-uname: 1
-connect: 1
-rt_sigprocmask: 1
-arch_prctl: 1
-access: 1
-exit: 1
-set_tid_address: 1
-listen: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-unlink: 1
-madvise: 1
-futex: 1
-bind: 1
-rmdir: 1
-# Calling fchown with -1 as the uid/gid will change the ctime but do nothing else.
-fchown: arg1 == 0xffffffff && arg2 == 0xffffffff
-fsync: 1
-fdatasync: 1
-ftruncate: 1
-mkdir: 1
-mremap: 1
-rename: 1
-newfstatat: 1
-prlimit64: arg2 == 0 && arg3 != 0
diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy
index b10f9ef..72ecd5a 100644
--- a/seccomp/x86_64/balloon_device.policy
+++ b/seccomp/x86_64/balloon_device.policy
@@ -2,30 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED || arg2 == MADV_REMOVE
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-dup: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index 871a64e..20eca1a 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -2,45 +2,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 fallocate: 1
 fdatasync: 1
 fstat: 1
 fsync: 1
 ftruncate: 1
-futex: 1
 lseek: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED
-mremap: 1
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
 timerfd_create: 1
 timerfd_gettime: 1
 timerfd_settime: 1
-# libc free() attempts to open /proc/sys/vm/overcommit_memory
-open: return ENOENT
-openat: return ENOENT
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
new file mode 100644
index 0000000..7fa6e52
--- /dev/null
+++ b/seccomp/x86_64/common_device.policy
@@ -0,0 +1,41 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mmap: arg2 in ~PROT_EXEC
+mprotect: arg2 in ~PROT_EXEC
+mremap: 1
+munmap: 1
+nanosleep: 1
+open: return ENOENT
+openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+recvfrom: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
diff --git a/seccomp/x86_64/cras_audio_device.policy b/seccomp/x86_64/cras_audio_device.policy
index 9257a18..e5a074e 100644
--- a/seccomp/x86_64/cras_audio_device.policy
+++ b/seccomp/x86_64/cras_audio_device.policy
@@ -2,46 +2,11 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
+@include /usr/share/policy/crosvm/common_device.policy
+
 madvise: 1
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-nanosleep: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
 prlimit64: 1
-restart_syscall: 1
 setrlimit: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-# Kill child thread when it fails
-tgkill: 1
-# Real time priority
-rt_sigprocmask: 1
-rt_sigaction: 1
-rt_sigreturn: 1
-# Sockets
 recvmsg: 1
 sendmsg: 1
 socketpair: arg0 == AF_UNIX
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index 24da3bb..c3d7fbf 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -2,62 +2,28 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-open: 1
-openat: 1
-close: 1
-sigaltstack: 1
-munmap: 1
-write: 1
-# Allow mmap to allow loading of GL shared libraries.
-mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
-restart_syscall: 1
-exit_group: 1
-rt_sigreturn: 1
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED
-# Used to determine shm size after recvmsg with fd.
-lseek: 1
-mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
-sched_getaffinity: 1
-set_robust_list: 1
-exit: 1
-getpid: 1
-recvfrom: 1
-dup: 1
-eventfd2: 1
-futex: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-# arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == DMA_BUF_IOCTL_SYNC ||
-#   arg1 & DRM_IOCTL
-ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400
+@include /usr/share/policy/crosvm/common_device.policy
+
+connect: 1
+fcntl: arg1 == F_DUPFD_CLOEXEC
 fstat: 1
-# Used to communicate with wayland.
-recvmsg: 1
-sendmsg: 1
-poll: 1
-getrandom: 1
-read: 1
+# Used to set of size new memfd.
+ftruncate: 1
+getdents: 1
 geteuid: 1
+getrandom: 1
 getuid: 1
-readlink: 1
-getdents: 1
-stat: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
-# Used to connect to wayland.
-# arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
-socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
-connect: 1
+ioctl: arg1 == FIONBIO || arg1 == FIOCLEX || arg1 == 0x40086200 || arg1 & 0x6400
+lseek: 1
+lstat: 1
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
-# Used to set of size new memfd.
-ftruncate: 1
-fcntl: arg1 == F_DUPFD_CLOEXEC
-lstat: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-dup2: 1
-brk: 1
+mmap: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ|PROT_EXEC
+mprotect: arg2 == PROT_READ|PROT_WRITE || arg2 == PROT_NONE || arg2 == PROT_READ
+open: 1
+openat: 1
+readlink: 1
+recvmsg: 1
+sendmsg: 1
+socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
+stat: 1
diff --git a/seccomp/x86_64/input_device.policy b/seccomp/x86_64/input_device.policy
index 877f80e..f26998e 100644
--- a/seccomp/x86_64/input_device.policy
+++ b/seccomp/x86_64/input_device.policy
@@ -2,36 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 ioctl: 1
 fcntl: 1
 getsockname: 1
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index 69580dc..72ecd5a 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
@@ -2,33 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/null_audio_device.policy b/seccomp/x86_64/null_audio_device.policy
index ad8b513..9ea7015 100644
--- a/seccomp/x86_64/null_audio_device.policy
+++ b/seccomp/x86_64/null_audio_device.policy
@@ -2,36 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
+@include /usr/share/policy/crosvm/common_device.policy
+
 madvise: 1
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-nanosleep: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
 prlimit64: 1
-restart_syscall: 1
 setrlimit: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index c7de96d..72ecd5a 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -2,33 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 0a44ecd..4f7aafd 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -2,33 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
-poll: 1
-ppoll: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index 15ea1a3..306328b 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -2,11 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 # Whitelist vhost_net ioctls only.
 # arg1 == VHOST_GET_FEATURES ||
 # arg1 == VHOST_SET_FEATURES ||
@@ -24,28 +21,3 @@ futex: 1
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 28e0a42..9c2274c 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -2,11 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-exit_group: 1
-futex: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 # Whitelist vhost_vsock ioctls only.
 # arg1 == VHOST_GET_FEATURES ||
 # arg1 == VHOST_SET_FEATURES ||
@@ -25,30 +22,5 @@ futex: 1
 # arg1 == VHOST_VSOCK_SET_GUEST_CID ||
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
 connect: 1
 sendto: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-getpid: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index bffc5ee..2ca7ed9 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -2,31 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-close: 1
-dup: 1
-dup2: 1
-getpid: 1
-exit_group: 1
-futex: 1
-# Disallow mmap with PROT_EXEC set.  The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-# Allow MADV_DONTDUMP only.
-madvise: arg2 == 0x00000010
-munmap: 1
-poll: 1
-ppoll: 1
-read: 1
-recvfrom: 1
-sched_getaffinity: 1
-set_robust_list: 1
-sigaltstack: 1
-# Disallow clone's other than new threads.
-# arg0 is flags. Because kernel.
-clone: arg0 & 0x00010000
-write: 1
-eventfd2: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 # Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
@@ -41,12 +18,5 @@ memfd_create: arg1 == 3
 ftruncate: 1
 # Used to determine shm size after recvmsg with fd
 lseek: 1
-# Allow PR_SET_NAME only.
-prctl: arg0 == 15
-restart_syscall: 1
 # Allow F_GETFL only
 fcntl: arg1 == 3
-pipe2: 1
-epoll_create1: 1
-epoll_ctl: 1
-epoll_wait: 1