author | Dylan Reid <dgreid@chromium.org> | 2017-09-26 13:49:42 -0700 |
committer | chrome-bot <chrome-bot@chromium.org> | 2017-10-25 05:52:42 -0700 |
commit | d37aa9fab5dfa79e2859d86debd02ed11da932c9 (patch) | |
tree | af6d789f1009993884eb03651c8118b9d0a213c8 /seccomp | |
parent | 77ec85ea3bd9b0cf5e29f7365e7d00b3e4f882da (diff) | |
Add ability to minijail_fork
Change-Id: I0c774816067449cbb838dcf29c6fa947ae5916e1 Reviewed-on: https://chromium-review.googlesource.com/719442 Commit-Ready: Dylan Reid <dgreid@chromium.org> Tested-by: Dylan Reid <dgreid@chromium.org> Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'seccomp')
-rw-r--r-- | seccomp/x86_64/block_device.policy | 3 | ||||
-rw-r--r-- | seccomp/x86_64/net_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/rng_device.policy | 3 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_net_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_vsock_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/wl_device.policy | 3 |
6 files changed, 12 insertions, 3 deletions
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index f1f31f8..581169a 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 lseek: 1
@@ -20,6 +22,5 @@ sigaltstack: 1
 clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
-dup: 1
 poll: 1
 getpid: 1
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index e15a00e..23abcfe 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index a5e5bf7..429e94d 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
@@ -19,6 +21,5 @@ sigaltstack: 1
 clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
-dup: 1
 poll: 1
 getpid: 1
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index 30f79d9..6e61bba 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Whitelist vhost_net ioctls only.
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 0310470..fe54042 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -3,6 +3,8 @@
 # found in the LICENSE file.
 close: 1
+dup: 1
+dup2: 1
 exit_group: 1
 futex: 1
 # Whitelist vhost_vsock ioctls only.
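Review bot: The new `dup: 1` and `dup2: 1` entries go in with no comment tying them to the reason they are needed, and the same gap is in every one of the six policy hunks (block_device, net_device, rng_device, vhost_net_device, vhost_vsock_device, and wl_device on the following line); the commit title's "minijail_fork" is the only hint, and it lives outside the policy files. These policies already annotate their non-obvious entries (`# Whitelist vhost_net ioctls only.`, `# Used to connect to wayland. ...`), and the new lines carry no argument filter, so a later audit of the allowlist cannot tell whether unrestricted `dup2` was a deliberate grant or an oversight. A one-line comment above the pair would settle it, e.g. `# dup/dup2: presumably required by minijail_fork when it sets up the child's descriptors -- confirm` (drop the hedge once verified against the minijail call site). Note that for the files that previously listed `dup` near `eventfd2`, moving it to the top is a no-op; only `dup2` is a new permission. Only seccomp/x86_64 is touched here, so if the tree carries policies for other architectures they would presumably need the same entries or the forked child would be killed by the filter there.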
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index be404be..7f1ee1b 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -1,4 +1,6 @@
 close: 1
+dup: 1
+dup2: 1
 getpid: 1
 exit_group: 1
 futex: 1
@@ -18,7 +20,6 @@ sigaltstack: 1
 clone: arg0 & 0x00010000
 write: 1
 eventfd2: 1
-dup: 1
 # Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC
 socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO |