author Yusuke Sato <yusukes@google.com> 2020-01-10 16:01:11 -0800
committer Commit Bot <commit-bot@chromium.org> 2020-01-13 21:26:19 +0000
commit 1617c21918c30479ab705f45d4ef3c21ccc0d4fa
tree 4e9e12be92410b10694e1e427abe6f82a6de3f8d /seccomp
parent d5aa9954237f9eb9c7ec468362fb8262f0975429
seccomp: Allow 9p device to use open/openat
This allows us to export a directory to a VM with the
'--shared-dir tag:/dir' crosvm command line flag without relying
on seneschal. The fs device's policy already does the same.

BUG=b:123309049
TEST=Start tot ARCVM, run 'mkdir /var/run/arc/arcvm && mount -t 9p
  -o "trans=virtio,version=9p2000.L,cache=none,access=any"
  host_generated /var/run/arc/arcvm && ls /var/run/arc/arcvm',
  verify ls prints files.

Change-Id: I8f8b265fc8a7de159508afbee5114b6a3f084d01
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1995319
Tested-by: Yusuke Sato <yusukes@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Lepton Wu <lepton@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Yusuke Sato <yusukes@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r-- seccomp/aarch64/9p_device.policy 4
-rw-r--r-- seccomp/arm/9p_device.policy 5
-rw-r--r-- seccomp/x86_64/9p_device.policy 5
3 files changed, 9 insertions, 5 deletions
diff --git a/seccomp/aarch64/9p_device.policy b/seccomp/aarch64/9p_device.policy
index f52e971..ff6a734 100644
--- a/seccomp/aarch64/9p_device.policy
+++ b/seccomp/aarch64/9p_device.policy
@@ -2,12 +2,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+open: 1
+openat: 1
+
 @include /usr/share/policy/crosvm/common_device.policy
 
 pread64: 1
 pwrite64: 1
 statx: 1
-openat: 1
 fstat: 1
 ioctl: arg1 == FIOCLEX
 getdents64: 1
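Review bot: the added `open: 1` at the top of the aarch64 policy names a syscall that the 64-bit ARM kernel ABI does not define; only `openat` exists there, and the removed line shows this file previously listed `openat` alone. Please confirm the policy compiler accepts a syscall name that does not exist on this architecture, or drop `open: 1` here and keep just `openat: 1` above the `@include`.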
diff --git a/seccomp/arm/9p_device.policy b/seccomp/arm/9p_device.policy
index b3167b9..dc369e3 100644
--- a/seccomp/arm/9p_device.policy
+++ b/seccomp/arm/9p_device.policy
@@ -2,14 +2,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+open: 1
+openat: 1
+
 @include /usr/share/policy/crosvm/common_device.policy
 
 pread64: 1
 pwrite64: 1
 lstat64: 1
 stat64: 1
-open: 1
-openat: 1
 fstat64: 1
 ioctl: arg1 == FIOCLEX
 getdents64: 1
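Review bot: the move of `open: 1` and `openat: 1` from the list below `@include /usr/share/policy/crosvm/common_device.policy` to above it is the entire change in the arm file, yet nothing in the file says that the position matters. Add a comment over the two lines stating that they must precede the include and why, so a later cleanup does not sort them back next to `stat64` and `fstat64`.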
diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index ddd7417..e1bddde 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -2,14 +2,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+open: 1
+openat: 1
+
 @include /usr/share/policy/crosvm/common_device.policy
 
 writev: 1
 pwrite64: 1
 stat: 1
 lstat: 1
-open: 1
-openat: 1
 fstat: 1
 ioctl: arg1 == FIOCLEX
 link: 1
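Review bot: `open: 1` and `openat: 1` at the top of the x86_64 policy allow both calls with any arguments, while `ioctl` in the same file is narrowed to `arg1 == FIOCLEX`. The commit message says the device will now export a directory without relying on seneschal, so a comment stating what confines the paths and flags this process can open would make the unconditional allow easier to audit. The TEST line also does not say which architectures were exercised, although three policy files change.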