author: David Tolnay <dtolnay@chromium.org> 2019-03-01 16:13:27 -0800
committer: chrome-bot <chrome-bot@chromium.org> 2019-03-02 17:41:26 -0800
commit: 25a86d99cca821e18a8af28403b415a530e17c38 (patch)
tree: 082af96e112cefaf990a73cd1389332cbd0a3361 /seccomp
parent: 96f2d8ebe2b2523ed2ca0cf54005ded8d9cd8e4f (diff)
tpm: Update tpm device policy to support libtpm2
Tested by running the following on a grunt board (Barla) in dev mode
together with CL:1496910:

    sudo crosvm run \
        --root rootfs.ext4 \
        --socket crosvm.sock \
        --seccomp-policy-dir seccomp \
        --software-tpm \
        -p init=/bin/bash \
        -p panic=-1 \
        vmlinux.bin

and confirming that /dev/tpm0 and /dev/tpmrm0 are present in the VM.

I needed to override the common device policy's `open` and `openat` and
was not able to get that working with the existing @include.

Note: untested on arm.

BUG=chromium:921841
TEST=manual testing on grunt

Change-Id: Ied7f18a631ce8c0ae280f8b6c01511ca20c3d1c8
Reviewed-on: https://chromium-review.googlesource.com/1496909
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r--  seccomp/arm/tpm_device.policy     55
-rw-r--r--  seccomp/x86_64/tpm_device.policy  54
2 files changed, 107 insertions, 2 deletions
diff --git a/seccomp/arm/tpm_device.policy b/seccomp/arm/tpm_device.policy
index 4f7aafd..fa644a8 100644
--- a/seccomp/arm/tpm_device.policy
+++ b/seccomp/arm/tpm_device.policy
@@ -2,4 +2,57 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-@include /usr/share/policy/crosvm/common_device.policy
+# common policy
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mmap2: arg2 in ~PROT_EXEC
+mprotect: arg2 in ~PROT_EXEC
+mremap: 1
+munmap: 1
+nanosleep: 1
+#open: return ENOENT
+#openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+recv: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+
+# tpm-specific policy
+chdir: 1
+fseek: 1
+fstat: 1
+fsync: 1
+ftruncate: 1
+getuid: 1
+lseek: 1
+mkdir: 1
+open: 1
+openat: 1
+stat: 1
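Review bot: `fseek: 1` in the tpm-specific block names a C library function, not a Linux system call; the kernel entry point behind it is `lseek`, which is already allowed a few lines below, so this line is either ignored or rejected by the policy compiler depending on how it handles unknown names, and should be dropped. Since the message says this is untested on arm, also check that the 32-bit entry points libtpm2's file I/O actually reaches are covered: 32-bit arm libc commonly issues `_llseek` for lseek and `stat64`/`fstat64` for stat/fstat, in which case `lseek: 1`, `stat: 1` and `fstat: 1` would not match and the device process would be killed on first use; this file already uses `mmap2` rather than `mmap` for exactly that reason.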
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 4f7aafd..f290c4e 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -2,4 +2,56 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-@include /usr/share/policy/crosvm/common_device.policy
+# common policy
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mmap: arg2 in ~PROT_EXEC
+mprotect: arg2 in ~PROT_EXEC
+mremap: 1
+munmap: 1
+nanosleep: 1
+#open: return ENOENT
+#openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
+
+# tpm-specific policy
+chdir: 1
+fseek: 1
+fstat: 1
+fsync: 1
+ftruncate: 1
+getuid: 1
+lseek: 1
+mkdir: 1
+open: 1
+openat: 1
+stat: 1
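Review bot: `open: 1` and `openat: 1` replace the common policy's `return ENOENT` (still visible above as the commented-out lines) with an unconditional allow, and the hunk carries no comment saying why the software TPM needs it; a line next to them such as `# libtpm2 reads and writes its persistent state files` would record the justification for the next reader. Seccomp cannot inspect the path string behind the pointer argument, so the policy cannot narrow these further and the effective restriction is the filesystem view the jail gives the device process; worth stating in the same comment so nobody later assumes the policy is the only control. Two smaller points: `fseek: 1` is a libc function rather than a syscall (the underlying `lseek` is already listed) and should be dropped, and since this file now inlines the common policy instead of using `@include`, future edits to common_device.policy will not reach it, so a comment pointing at the copied source would help keep the two in sync.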