author | Chirantan Ekbote <chirantan@chromium.org> | 2017-08-23 11:20:36 -0700 |
committer | chrome-bot <chrome-bot@chromium.org> | 2017-08-25 19:54:16 -0700 |
commit | 41d5b5b12a87764b00bbe3266005996a4620ca94 (patch) | |
tree | 98589ce8d7bc40fecda9abb5e448bc5fb0685eb8 /seccomp | |
parent | 29ad3c7d0fed6a4d2ffa1d02268a9aeb4f2ebf14 (diff) | |
Put seccomp policy files in a common directory
We will almost certainly require different seccomp policy files for different architectures. Move all the existing seccomp policy files into a common directory grouped by architecture. This will make it easier to install them via the ebuild later. BUG=none TEST=none Change-Id: I0495789cd4143dc374ee6ebe083dc20ce724edbb Signed-off-by: Chirantan Ekbote <chirantan@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/630058 Reviewed-by: Zach Reizner <zachr@chromium.org> Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r-- | seccomp/x86_64/block_device.policy | 24 | ||||
-rw-r--r-- | seccomp/x86_64/net_device.policy | 22 | ||||
-rw-r--r-- | seccomp/x86_64/rng_device.policy | 23 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_net_device.policy | 39 |
4 files changed, 108 insertions, 0 deletions
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
new file mode 100644
index 0000000..67a2786
--- /dev/null
+++ b/seccomp/x86_64/block_device.policy
@@ -0,0 +1,24 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+lseek: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
new file mode 100644
index 0000000..61a1753
--- /dev/null
+++ b/seccomp/x86_64/net_device.policy
@@ -0,0 +1,22 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
new file mode 100644
index 0000000..cf7ac9b
--- /dev/null
+++ b/seccomp/x86_64/rng_device.policy
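Review bot: The clone rule's comment overstates what the filter enforces: `clone: arg0 & 0x00010000` only requires the CLONE_THREAD bit to be set and leaves every other flag bit unrestricted, so "Disallow clone's other than new threads" misleads the next reader about what is actually denied. A comment that matches the expression would be `# Only allow clone calls that create a new thread (CLONE_THREAD, 0x00010000, must be set in arg0);` followed by `# other flag bits are not restricted by this rule.` The same comment appears in net_device.policy, rng_device.policy and vhost_net_device.policy in this change and should be corrected there too. The mmap/mprotect mask comment in all four files would also read better if it named the constant it negates, e.g. `# 0xfffffffb == ~PROT_EXEC (PROT_EXEC == 0x4); the policy syntax has no bit negation.`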
@@ -0,0 +1,23 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
new file mode 100644
index 0000000..65801fe
--- /dev/null
+++ b/seccomp/x86_64/vhost_net_device.policy
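Review bot: rng_device.policy allowlists exactly the block_device.policy set minus lseek, including `eventfd2`, `dup` and `poll`, and nothing in this change shows whether the rng device actually issues those syscalls. Every allowlisted syscall widens what the sandboxed device can do, so the list is worth checking against the device's real syscall use and trimming to what it needs. Where an entry is non-obvious for an rng device (eventfd2, dup), a one-line comment naming the code path that requires it, e.g. `# eventfd2/dup: used by the device's event loop (confirm)`, would make future audits of this file much cheaper.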
@@ -0,0 +1,39 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+# Whitelist vhost_net ioctls only.
+# arg1 == VHOST_GET_FEATURES ||
+# arg1 == VHOST_SET_FEATURES ||
+# arg1 == VHOST_SET_OWNER ||
+# arg1 == VHOST_RESET_OWNER ||
+# arg1 == VHOST_SET_MEM_TABLE ||
+# arg1 == VHOST_SET_LOG_BASE ||
+# arg1 == VHOST_SET_LOG_FD ||
+# arg1 == VHOST_SET_VRING_NUM ||
+# arg1 == VHOST_SET_VRING_ADDR ||
+# arg1 == VHOST_SET_VRING_BASE ||
+# arg1 == VHOST_GET_VRING_BASE ||
+# arg1 == VHOST_SET_VRING_KICK ||
+# arg1 == VHOST_SET_VRING_CALL ||
+# arg1 == VHOST_SET_VRING_ERR ||
+# arg1 == VHOST_NET_SET_BACKEND
+ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1 |
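Review bot: The ioctl allowlist keeps the fifteen symbolic VHOST_* names in a comment block and the fifteen numeric values on one long `ioctl:` line, so the only thing tying a name to its value is position in two separate lists, and a future edit that adds, removes or reorders one entry can silently desynchronise them. Putting each value beside its name in the comment, e.g. `# arg1 == VHOST_GET_FEATURES (0x8008af00) ||`, makes the mapping checkable line by line during review and when the kernel ioctl numbers are next verified. The ordering of names and values does appear to correspond one-to-one in this revision; the suggestion is about keeping it that way.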