18 files changed, 33 insertions, 18 deletions

diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index 498ce6c..114ea11 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -7,7 +7,6 @@ openat: 1
 
 @include /usr/share/policy/crosvm/common_device.policy
 
-writev: 1
 pwrite64: 1
 stat: 1
 statx: 1
diff --git a/seccomp/x86_64/balloon_device.policy b/seccomp/x86_64/balloon_device.policy
index 72ecd5a..c668163 100644
--- a/seccomp/x86_64/balloon_device.policy
+++ b/seccomp/x86_64/balloon_device.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
index 66d7d0d..fefd719 100644
--- a/seccomp/x86_64/block_device.policy
+++ b/seccomp/x86_64/block_device.policy
@@ -10,6 +10,8 @@ fstat: 1
 fsync: 1
 ftruncate: 1
 lseek: 1
+open: return ENOENT
+openat: return ENOENT
 pread64: 1
 preadv: 1
 pwrite64: 1
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
index ad9ed38..8464c4b 100644
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-open: return ENOENT
-openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/x86_64/cras_audio_device.policy b/seccomp/x86_64/cras_audio_device.policy
index ef9b5ed..505208b 100644
--- a/seccomp/x86_64/cras_audio_device.policy
+++ b/seccomp/x86_64/cras_audio_device.policy
@@ -5,10 +5,10 @@
 @include /usr/share/policy/crosvm/common_device.policy
 
 madvise: 1
+open: return ENOENT
+openat: return ENOENT
 prlimit64: 1
 setrlimit: 1
-recvmsg: 1
 sched_setscheduler: 1
-sendmsg: 1
 socketpair: arg0 == AF_UNIX
 clock_gettime: 1
diff --git a/seccomp/x86_64/fs_device.policy b/seccomp/x86_64/fs_device.policy
index 8fbb556..32e7477 100644
--- a/seccomp/x86_64/fs_device.policy
+++ b/seccomp/x86_64/fs_device.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-openat: 1
-
 @include /usr/share/policy/crosvm/common_device.policy
 
 fchmodat: 1
@@ -21,6 +19,8 @@ lseek: 1
 mkdirat: 1
 mknodat: 1
 newfstatat: 1
+open: return ENOENT
+openat: 1
 preadv: 1
 pwritev: 1
 readlinkat: 1
diff --git a/seccomp/x86_64/input_device.policy b/seccomp/x86_64/input_device.policy
index f26998e..d32c312 100644
--- a/seccomp/x86_64/input_device.policy
+++ b/seccomp/x86_64/input_device.policy
@@ -7,3 +7,5 @@
 ioctl: 1
 fcntl: 1
 getsockname: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
index c7f17d9..5d6535a 100644
--- a/seccomp/x86_64/net_device.policy
+++ b/seccomp/x86_64/net_device.policy
@@ -6,3 +6,5 @@
 
 # TUNSETOFFLOAD
 ioctl: arg1 == 0x400454d0
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/null_audio_device.policy b/seccomp/x86_64/null_audio_device.policy
index 9ea7015..f118d88 100644
--- a/seccomp/x86_64/null_audio_device.policy
+++ b/seccomp/x86_64/null_audio_device.policy
@@ -5,5 +5,7 @@
 @include /usr/share/policy/crosvm/common_device.policy
 
 madvise: 1
+open: return ENOENT
+openat: return ENOENT
 prlimit64: 1
 setrlimit: 1
diff --git a/seccomp/x86_64/pmem_device.policy b/seccomp/x86_64/pmem_device.policy
index b3cd64d..12a3b04 100644
--- a/seccomp/x86_64/pmem_device.policy
+++ b/seccomp/x86_64/pmem_device.policy
@@ -6,3 +6,5 @@
 
 fdatasync: 1
 fsync: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
index 72ecd5a..c668163 100644
--- a/seccomp/x86_64/rng_device.policy
+++ b/seccomp/x86_64/rng_device.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/serial.policy b/seccomp/x86_64/serial.policy
index f9e98f0..6b33c51 100644
--- a/seccomp/x86_64/serial.policy
+++ b/seccomp/x86_64/serial.policy
@@ -3,3 +3,6 @@
 # found in the LICENSE file.
 
 @include /usr/share/policy/crosvm/common_device.policy
+
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/tpm_device.policy b/seccomp/x86_64/tpm_device.policy
index 7e6d8c9..33c64f5 100644
--- a/seccomp/x86_64/tpm_device.policy
+++ b/seccomp/x86_64/tpm_device.policy
@@ -24,8 +24,6 @@ mprotect: arg2 in ~PROT_EXEC
 mremap: 1
 munmap: 1
 nanosleep: 1
-#open: return ENOENT
-#openat: return ENOENT
 pipe2: 1
 poll: 1
 ppoll: 1
diff --git a/seccomp/x86_64/vfio_device.policy b/seccomp/x86_64/vfio_device.policy
index 8dd5961..aa28d1a 100644
--- a/seccomp/x86_64/vfio_device.policy
+++ b/seccomp/x86_64/vfio_device.policy
@@ -5,6 +5,8 @@
 
 # VFIO_DEVICE_SET_IRQS, VFIO_IOMMU_MAP/UNMAP_DMA
 ioctl: arg1 == 0x3B6E || arg1 == 0x3B71 || arg1 == 0x3B72
+open: return ENOENT
+openat: return ENOENT
 readlink: 1
 pread64: 1
 pwrite64: 1
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
index 306328b..c9182e6 100644
--- a/seccomp/x86_64/vhost_net_device.policy
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -21,3 +21,5 @@
 # arg1 == VHOST_SET_VRING_ERR ||
 # arg1 == VHOST_NET_SET_BACKEND
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/vhost_vsock_device.policy b/seccomp/x86_64/vhost_vsock_device.policy
index 9c2274c..69fca47 100644
--- a/seccomp/x86_64/vhost_vsock_device.policy
+++ b/seccomp/x86_64/vhost_vsock_device.policy
@@ -23,4 +23,5 @@
 # arg1 == VHOST_VSOCK_SET_RUNNING
 ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61
 connect: 1
-sendto: 1
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/wl_device.policy b/seccomp/x86_64/wl_device.policy
index 2ca7ed9..f79b08a 100644
--- a/seccomp/x86_64/wl_device.policy
+++ b/seccomp/x86_64/wl_device.policy
@@ -9,9 +9,6 @@ socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0
 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC
 ioctl: arg1 == 0x5421 || arg1 == 0x40086200
 connect: 1
-# Used to communicate with wayland
-recvmsg: 1
-sendmsg: 1
 # Used for sharing memory with wayland. arg1 == MFD_CLOEXEC|MFD_ALLOW_SEALING
 memfd_create: arg1 == 3
 # Used to set of size new memfd
@@ -20,3 +17,5 @@ ftruncate: 1
 lseek: 1
 # Allow F_GETFL only
 fcntl: arg1 == 3
+open: return ENOENT
+openat: return ENOENT
diff --git a/seccomp/x86_64/xhci.policy b/seccomp/x86_64/xhci.policy
index df4acef..4b4fc3d 100644
--- a/seccomp/x86_64/xhci.policy
+++ b/seccomp/x86_64/xhci.policy
@@ -2,8 +2,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-# xhci need "openat" to enumerate device. "openat" is disabled in comman_device policy.
-openat: 1
 @include /usr/share/policy/crosvm/common_device.policy
 
 lstat: 1
@@ -12,12 +10,13 @@ readlinkat: 1
 timerfd_create: 1
 name_to_handle_at: 1
 access: 1
-timerfd_create: 1
 getsockname: 1
 pipe: 1
 setsockopt: 1
 bind: 1
 fcntl: 1
+open: return ENOENT
+openat: 1
 socket: arg0 == AF_NETLINK
 stat: 1
 uname: 1
@@ -37,8 +36,6 @@ uname: 1
 # 0x80185520 == USBDEVFS_CONNINFO_EX
 ioctl: arg1 == 0xc0185500 || arg1 == 0x41045508 || arg1 == 0x8004550f || arg1 == 0x4008550d || arg1 == 0x8004551a || arg1 == 0x550b || arg1 == 0x80045510 || arg1 == 0x8038550a || arg1 == 0x5514 || arg1 == 0x80045505 || arg1 == 0x8108551b || arg1 == 0x40085511 || arg1 == 0x80185520
 fstat: 1
-sigaltstack: 1
-recvmsg: 1
 getrandom: 1
 getdents: 1
 lseek: 1