diff options
author | Chirantan Ekbote <chirantan@chromium.org> | 2018-06-22 19:00:30 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-08-08 13:45:41 -0700 |
commit | a79073ad7d244b45bca5ba0c5ddf92b04827fc24 (patch) | |
tree | f1cea7b698de43de0718a7d9116ff66b496ebb5b /seccomp | |
parent | f226e28632d95c8b3c8d90fbaaef1eda8509fc74 (diff) | |
download | crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.tar crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.tar.gz crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.tar.bz2 crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.tar.lz crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.tar.xz crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.tar.zst crosvm-a79073ad7d244b45bca5ba0c5ddf92b04827fc24.zip |
9s: Server binary for the 9p file system
Add the 9s crate, which provides an executable that can serve the 9p file system protocol. It initially only supports connections over vsock but can easily be extended to support network and unix domain socket based connections. BUG=chromium:703939 TEST=Run the server, have maitred connect to it over vsock, mount the 9p file system in the guest kernel, share it with the penguin container, and run `bonnie++ -r 256 -s 512` CQ-DEPEND=CL:1121550, CL:1166446 Change-Id: Ia0c72bcf29188bba4c07b6c0a2dd5a83d02339b5 Signed-off-by: Chirantan Ekbote <chirantan@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1112870 Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r-- | seccomp/aarch64/9s.policy | 61 | ||||
-rw-r--r-- | seccomp/x86_64/9s.policy | 60 |
2 files changed, 121 insertions, 0 deletions
diff --git a/seccomp/aarch64/9s.policy b/seccomp/aarch64/9s.policy new file mode 100644 index 0000000..37325d3 --- /dev/null +++ b/seccomp/aarch64/9s.policy @@ -0,0 +1,61 @@ +# Copyright 2018 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +read: 1 +write: 1 +stat64: 1 +open: 1 +close: 1 +fstat64: 1 +lstat64: 1 +getdents64: 1 +ioctl: arg1 == FIOCLEX +pread64: 1 +pwrite64: 1 +# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit +# negation, thus the manually negated mask constant. +mmap2: arg2 in 0xfffffffb +mprotect: arg2 in 0xfffffffb +rt_sigaction: 1 +sigaltstack: 1 +munmap: 1 +utimensat: 1 +brk: 1 +uname: 1 +accept4: 1 +mkdir: 1 +sched_getaffinity: 1 +getpid: 1 +ugetrlimit: 1 +set_robust_list: 1 +fcntl64: 1 +socket: arg0 == AF_UNIX || arg0 == AF_VSOCK +gettimeofday: 1 +restart_syscall: 1 +exit_group: 1 +rt_sigreturn: 1 +rename: 1 +ftruncate64: 1 +connect: 1 +madvise: 1 +rt_sigprocmask: 1 +access: 1 +ARM_set_tls: 1 +_llseek: 1 +exit: 1 +fdatasync: 1 +set_tid_address: 1 +listen: 1 +# Disallow clone's other than new threads. +clone: arg0 & 0x00010000 +statfs64: 1 +link: 1 +unlink: 1 +fsync: 1 +futex: 1 +bind: 1 +rmdir: 1 +# Calling fchown with -1 as the uid/gid will change the ctime but do nothing else. +fchown: arg1 == 0xffffffff && arg2 == 0xffffffff +mremap: 1 diff --git a/seccomp/x86_64/9s.policy b/seccomp/x86_64/9s.policy new file mode 100644 index 0000000..75cf032 --- /dev/null +++ b/seccomp/x86_64/9s.policy @@ -0,0 +1,60 @@ +# Copyright 2018 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +read: 1 +write: 1 +lstat: 1 +stat: 1 +open: 1 +close: 1 +fstat: 1 +getdents: 1 +ioctl: arg1 == FIOCLEX +pwrite64: 1 +pread64: 1 +# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit +# negation, thus the manually negated mask constant. +mmap: arg2 in 0xfffffffb +mprotect: arg2 in 0xfffffffb +utimensat: 1 +rt_sigaction: 1 +statfs: 1 +sigaltstack: 1 +munmap: 1 +brk: 1 +accept4: 1 +sched_getaffinity: 1 +getpid: 1 +getrlimit: 1 +fcntl: 1 +set_robust_list: 1 +link: 1 +socket: arg0 == AF_UNIX || arg0 == AF_VSOCK +restart_syscall: 1 +exit_group: 1 +rt_sigreturn: 1 +lseek: 1 +uname: 1 +connect: 1 +rt_sigprocmask: 1 +arch_prctl: 1 +access: 1 +exit: 1 +set_tid_address: 1 +listen: 1 +# Disallow clone's other than new threads. +clone: arg0 & 0x00010000 +unlink: 1 +madvise: 1 +futex: 1 +bind: 1 +rmdir: 1 +# Calling fchown with -1 as the uid/gid will change the ctime but do nothing else. +fchown: arg1 == 0xffffffff && arg2 == 0xffffffff +fsync: 1 +fdatasync: 1 +ftruncate: 1 +mkdir: 1 +mremap: 1 +rename: 1 |