author Zach Reizner <zachr@google.com> 2018-01-23 21:16:42 -0800
committer chrome-bot <chrome-bot@chromium.org> 2018-02-12 22:42:34 -0800
commit cc30d58c18353905154173bab850d3610c7d01bc
tree 4da2ae3f20644d168309a681e825bdbaa0b9dbad /tests/plugin.policy
parent 8864cb0f3a9184e2420bbad64c43fcddf161e427
crosvm: run plugin process in a jail by default
The plugin process is similar to a virtual device from the perspective
of crosvm. Therefore, the plugin process should be run in a jail,
similar to the other devices in crosvm.

TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626

Change-Id: I881d7b0f8a11e2626f69a5fa0eee0aa59bb6b6be
Reviewed-on: https://chromium-review.googlesource.com/882131
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Diffstat (limited to 'tests/plugin.policy')
-rw-r--r-- tests/plugin.policy 47
1 files changed, 47 insertions, 0 deletions
diff --git a/tests/plugin.policy b/tests/plugin.policy
new file mode 100644
index 0000000..960c8e5
--- /dev/null
+++ b/tests/plugin.policy
@@ -0,0 +1,47 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+dup: 1
+dup2: 1
+execve: 1
+exit_group: 1
+futex: 1
+lseek: 1
+mprotect: 1
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+poll: 1
+getpid: 1
+# Allow PR_SET_NAME only.
+prctl: arg0 == 15
+access: 1
+arch_prctl: 1
+brk: 1
+exit: 1
+fcntl: 1
+fstat: 1
+ftruncate: 1
+getcwd: 1
+getrlimit: 1
+madvise: 1
+memfd_create: 1
+mmap: 1
+open: 1
+recvmsg: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+sendmsg: 1
+set_tid_address: 1
+stat: 1
+writev: 1
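
Review bot: the clone rule (`clone: arg0 & 0x00010000`) only requires that the CLONE_THREAD bit be set, so any other flag bits passed together with it are still accepted, and the comment above it ("Disallow clone's other than new threads") promises more than the mask enforces. Either compare arg0 against the exact flag set the threading library passes, or reword the comment to say that CLONE_THREAD is required. Separately, `execve: 1` and `open: 1` are allowed unconditionally with no comment saying why a jailed plugin needs them; a one-line justification like the ones on clone and prctl would help a later reader decide whether they can be narrowed. The entries from `write` onward also break the alphabetical order of the first block, which makes the list harder to audit for duplicates or omissions.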