-rw-r--r-- | seccomp/x86_64/9p_device.policy | 1 | ||||
-rw-r--r-- | seccomp/x86_64/balloon_device.policy | 3 | ||||
-rw-r--r-- | seccomp/x86_64/block_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/common_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/cras_audio_device.policy | 4 | ||||
-rw-r--r-- | seccomp/x86_64/fs_device.policy | 4 | ||||
-rw-r--r-- | seccomp/x86_64/input_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/net_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/null_audio_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/pmem_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/rng_device.policy | 3 | ||||
-rw-r--r-- | seccomp/x86_64/serial.policy | 3 | ||||
-rw-r--r-- | seccomp/x86_64/tpm_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/vfio_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_net_device.policy | 2 | ||||
-rw-r--r-- | seccomp/x86_64/vhost_vsock_device.policy | 3 | ||||
-rw-r--r-- | seccomp/x86_64/wl_device.policy | 5 | ||||
-rw-r--r-- | seccomp/x86_64/xhci.policy | 7 |
18 files changed, 33 insertions, 18 deletions
diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy index 498ce6c..114ea11 100644 --- a/seccomp/x86_64/9p_device.policy +++ b/seccomp/x86_64/9p_device.policy @@ -7,7 +7,6 @@ openat: 1 @include /usr/share/policy/crosvm/common_device.policy -writev: 1 pwrite64: 1 stat: 1 statx: 1 diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy index 72ecd5a..c668163 100644 --- a/seccomp/x86_64/balloon_device.policy +++ b/seccomp/x86_64/balloon_device.policy @@ -3,3 +3,6 @@ # found in the LICENSE file. @include /usr/share/policy/crosvm/common_device.policy + +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy index 66d7d0d..fefd719 100644 --- a/seccomp/x86_64/block_device.policy +++ b/seccomp/x86_64/block_device.policy @@ -10,6 +10,8 @@ fstat: 1 fsync: 1 ftruncate: 1 lseek: 1 +open: return ENOENT +openat: return ENOENT pread64: 1 preadv: 1 pwrite64: 1 diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy index ad9ed38..8464c4b 100644 --- a/seccomp/x86_64/common_device.policy +++ b/seccomp/x86_64/common_device.policy @@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC mremap: 1 munmap: 1 nanosleep: 1 -open: return ENOENT -openat: return ENOENT pipe2: 1 poll: 1 ppoll: 1 diff --git a/seccomp/x86_64/cras_audio_device.policy b/seccomp/x86_64/cras_audio_device.policy index ef9b5ed..505208b 100644 --- a/seccomp/x86_64/cras_audio_device.policy +++ b/seccomp/x86_64/cras_audio_device.policy @@ -5,10 +5,10 @@ @include /usr/share/policy/crosvm/common_device.policy madvise: 1 +open: return ENOENT +openat: return ENOENT prlimit64: 1 setrlimit: 1 -recvmsg: 1 sched_setscheduler: 1 -sendmsg: 1 socketpair: arg0 == AF_UNIX clock_gettime: 1 diff --git a/seccomp/x86_64/fs_device.policy b/seccomp/x86_64/fs_device.policy index 8fbb556..32e7477 100644 --- a/seccomp/x86_64/fs_device.policy +++ b/seccomp/x86_64/fs_device.policy 
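Review bot: `-writev: 1` in 9p_device.policy drops an allow rule with nothing in the hunk showing that the 9p device no longer issues writev or that the included common_device.policy already grants it; a syscall that is no longer listed falls to the policy's default action, which (presumably process kill, as is usual for a minijail seccomp policy — confirm) is a far harder failure than the `return ENOENT` soft-deny used for open/openat elsewhere in this diff. The same question applies to the other tightening removals here: `recvmsg`/`sendmsg` in cras_audio_device.policy and wl_device.policy (where the "Used to communicate with wayland" comment goes with them), `sendto` in vhost_vsock_device.policy and `recvmsg` in xhci.policy. If these are duplicates of rules in common_device.policy, a one-line comment at the top of each affected file saying so, e.g. `# recvmsg/sendmsg are granted by common_device.policy`, lets a reader verify the tightening without cross-referencing; if they are genuinely unused, a syscall trace of each device under the new policy is the evidence worth recording in the commit message.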
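Review bot: Removing `open: return ENOENT` / `openat: return ENOENT` from the shared common_device.policy silently changes the outcome for any device policy that includes it and forgets to declare the pair: the call then hits the policy's default action instead of the soft ENOENT denial it received before, and tpm_device.policy in this same diff ends up with no open/openat rule at all. The rule is now a per-device contract, so the shared file should say so where the lines were removed, e.g. `# open/openat are intentionally absent here: every device policy must declare them (return ENOENT, or 1 for devices that really open files).` A reader of common_device.policy alone otherwise has no way to know the omission is deliberate.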
@@ -2,8 +2,6 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -openat: 1 - @include /usr/share/policy/crosvm/common_device.policy fchmodat: 1 @@ -21,6 +19,8 @@ lseek: 1 mkdirat: 1 mknodat: 1 newfstatat: 1 +open: return ENOENT +openat: 1 preadv: 1 pwritev: 1 readlinkat: 1 diff --git a/seccomp/x86_64/input_device.policy b/seccomp/x86_64/input_device.policy index f26998e..d32c312 100644 --- a/seccomp/x86_64/input_device.policy +++ b/seccomp/x86_64/input_device.policy @@ -7,3 +7,5 @@ ioctl: 1 fcntl: 1 getsockname: 1 +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy index c7f17d9..5d6535a 100644 --- a/seccomp/x86_64/net_device.policy +++ b/seccomp/x86_64/net_device.policy @@ -6,3 +6,5 @@ # TUNSETOFFLOAD ioctl: arg1 == 0x400454d0 +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/null_audio_device.policy b/seccomp/x86_64/null_audio_device.policy index 9ea7015..f118d88 100644 --- a/seccomp/x86_64/null_audio_device.policy +++ b/seccomp/x86_64/null_audio_device.policy @@ -5,5 +5,7 @@ @include /usr/share/policy/crosvm/common_device.policy madvise: 1 +open: return ENOENT +openat: return ENOENT prlimit64: 1 setrlimit: 1 diff --git a/seccomp/x86_64/pmem_device.policy b/seccomp/x86_64/pmem_device.policy index b3cd64d..12a3b04 100644 --- a/seccomp/x86_64/pmem_device.policy +++ b/seccomp/x86_64/pmem_device.policy @@ -6,3 +6,5 @@ fdatasync: 1 fsync: 1 +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy index 72ecd5a..c668163 100644 --- a/seccomp/x86_64/rng_device.policy +++ b/seccomp/x86_64/rng_device.policy @@ -3,3 +3,6 @@ # found in the LICENSE file. @include /usr/share/policy/crosvm/common_device.policy + +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/serial.policy b/seccomp/x86_64/serial.policy index f9e98f0..6b33c51 100644 
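Review bot: `openat: 1` added to fs_device.policy in the second hunk is an unrestricted allow for the syscall every other policy in this diff denies, yet it carries no comment saying why this device needs it; the old placement before the `@include` at least signalled an override, and that cue is gone. A one-line rationale next to the rule, e.g. `# The fs device must open guest-requested paths in the shared directory, so openat is allowed.` — wording to be confirmed against the device code — keeps the exception reviewable. xhci.policy has the same gap and loses more, because its first hunk deletes the existing `# xhci need "openat" to enumerate device.` comment without re-adding it beside the new `openat: 1` in its second hunk; suggest `# xhci needs openat to enumerate USB devices.` there.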
--- a/seccomp/x86_64/serial.policy +++ b/seccomp/x86_64/serial.policy @@ -3,3 +3,6 @@ # found in the LICENSE file. @include /usr/share/policy/crosvm/common_device.policy + +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy index 7e6d8c9..33c64f5 100644 --- a/seccomp/x86_64/tpm_device.policy +++ b/seccomp/x86_64/tpm_device.policy @@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC mremap: 1 munmap: 1 nanosleep: 1 -#open: return ENOENT -#openat: return ENOENT pipe2: 1 poll: 1 ppoll: 1 diff --git a/seccomp/x86_64/vfio_device.policy b/seccomp/x86_64/vfio_device.policy index 8dd5961..aa28d1a 100644 --- a/seccomp/x86_64/vfio_device.policy +++ b/seccomp/x86_64/vfio_device.policy @@ -5,6 +5,8 @@ # VFIO_DEVICE_SET_IRQS, VFIO_IOMMU_MAP/UNMAP_DMA ioctl: arg1 == 0x3B6E || arg1 == 0x3B71 || arg1 == 0x3B72 +open: return ENOENT +openat: return ENOENT readlink: 1 pread64: 1 pwrite64: 1 diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy index 306328b..c9182e6 100644 --- a/seccomp/x86_64/vhost_net_device.policy +++ b/seccomp/x86_64/vhost_net_device.policy @@ -21,3 +21,5 @@ # arg1 == VHOST_SET_VRING_ERR || # arg1 == VHOST_NET_SET_BACKEND ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30 +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy index 9c2274c..69fca47 100644 --- a/seccomp/x86_64/vhost_vsock_device.policy +++ b/seccomp/x86_64/vhost_vsock_device.policy 
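Review bot: tpm_device.policy only loses the commented-out `#open: return ENOENT` / `#openat: return ENOENT` lines and, unlike the rest of this diff, gains no active rule for either syscall. Because the deleted lines were comments the hunk itself changes no behaviour, but the TPM device is now the one policy with no explicit open/openat decision; if its process ever calls openat (the TPM library's state storage would be the candidate — confirm against the code) the result is the policy's default action rather than ENOENT. Either add the `open: return ENOENT` / `openat: return ENOENT` pair for consistency with the other device policies, or replace the deleted comments with one line explaining why the TPM policy deliberately leaves them unlisted.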
@@ -23,4 +23,5 @@ # arg1 == VHOST_VSOCK_SET_RUNNING ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61 connect: 1 -sendto: 1 +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy index 2ca7ed9..f79b08a 100644 --- a/seccomp/x86_64/wl_device.policy +++ b/seccomp/x86_64/wl_device.policy @@ -9,9 +9,6 @@ socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC ioctl: arg1 == 0x5421 || arg1 == 0x40086200 connect: 1 -# Used to communicate with wayland -recvmsg: 1 -sendmsg: 1 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING memfd_create: arg1 == 3 # Used to set of size new memfd @@ -20,3 +17,5 @@ ftruncate: 1 lseek: 1 # Allow F_GETFL only fcntl: arg1 == 3 +open: return ENOENT +openat: return ENOENT diff --git a/seccomp/x86_64/xhci.policy b/seccomp/x86_64/xhci.policy index df4acef..4b4fc3d 100644 --- a/seccomp/x86_64/xhci.policy +++ b/seccomp/x86_64/xhci.policy @@ -2,8 +2,6 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -# xhci need "openat" to enumerate device. "openat" is disabled in comman_device policy. -openat: 1 @include /usr/share/policy/crosvm/common_device.policy lstat: 1 @@ -12,12 +10,13 @@ readlinkat: 1 timerfd_create: 1 name_to_handle_at: 1 access: 1 -timerfd_create: 1 getsockname: 1 pipe: 1 setsockopt: 1 bind: 1 fcntl: 1 +open: return ENOENT +openat: 1 socket: arg0 == AF_NETLINK stat: 1 uname: 1 
@@ -37,8 +36,6 @@ uname: 1 # 0x80185520 == USBDEVFS_CONNINFO_EX ioctl: arg1 == 0xc0185500 || arg1 == 0x41045508 || arg1 == 0x8004550f || arg1 == 0x4008550d || arg1 == 0x8004551a || arg1 == 0x550b || arg1 == 0x80045510 || arg1 == 0x8038550a || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520 fstat: 1 -sigaltstack: 1 -recvmsg: 1 getrandom: 1 getdents: 1 lseek: 1 |
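Review bot: `-sigaltstack: 1` in xhci.policy's last hunk deserves a second look: on Linux the Rust standard library installs an alternate signal stack via sigaltstack for each thread it starts, so if the xhci device spawns any thread after the seccomp filter is applied and common_device.policy does not already permit sigaltstack, the process dies at thread start rather than failing in a diagnosable way. If the rule is being removed because common_device.policy already grants it, a short note in the commit message would settle that; otherwise keep `sigaltstack: 1`. The hunk's trailing context is cut after `lseek: 1`, so any later rule in the file is not visible here.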