From b0ac00745a2780b841d5c6590d8dbb0e8b65ba0a Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote
Date: Thu, 14 Nov 2019 18:45:56 +0900
Subject: Enable seccomp for virtio-fs

Add x86_64 and arm seccomp policy files for the virtio-fs device.

BUG=b:136128319
TEST=Run a vm with a sandboxed virtio-fs device

Change-Id: I8ea7c5d3e90696077f0c2b1f942cb286a0b36cf4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1916559
Reviewed-by: Dylan Reid
Reviewed-by: Stephen Barber
Tested-by: kokoro
Commit-Queue: Chirantan Ekbote
---
 seccomp/arm/fs_device.policy | 32 ++++++++++++++++++++++++++++++++
 seccomp/x86_64/fs_device.policy | 32 ++++++++++++++++++++++++++++++++
 src/linux.rs | 17 ++++++++---------
 3 files changed, 72 insertions(+), 9 deletions(-)
 create mode 100644 seccomp/arm/fs_device.policy
 create mode 100644 seccomp/x86_64/fs_device.policy

diff --git a/seccomp/arm/fs_device.policy b/seccomp/arm/fs_device.policy
new file mode 100644
index 0000000..2d90307
--- /dev/null
+++ b/seccomp/arm/fs_device.policy
@@ -0,0 +1,32 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+openat: 1
+
+@include /usr/share/policy/crosvm/common_device.policy
+
+fchmodat: 1
+fchownat: 1
+fgetxattr: 1
+fsetxattr: 1
+fstatat64: 1
+fstatfs64: 1
+ftruncate64: 1
+getdents64: 1
+getegid: 1
+geteuid: 1
+linkat: 1
+_llseek: 1
+mkdirat: 1
+mknodat: 1
+preadv: 1
+pwritev: 1
+readlinkat: 1
+renameat2: 1
+setresgid: 1
+setresuid: 1
+symlinkat: 1
+umask: 1
+unlinkat: 1
+utimensat: 1
\ No newline at end of file
diff --git a/seccomp/x86_64/fs_device.policy b/seccomp/x86_64/fs_device.policy
new file mode 100644
index 0000000..cbf0288
--- /dev/null
+++ b/seccomp/x86_64/fs_device.policy
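Review bot: `openat: 1` is placed before the `@include` of common_device.policy with nothing explaining why the order matters; presumably the included file also carries an openat rule and the earlier entry is the one that takes effect, but a maintainer who tidies the file by moving the include to the top would silently change which rule applies. A comment such as `# openat is listed before the include so that this rule, not the one in common_device.policy, takes effect` would pin that down; the same applies to seccomp/x86_64/fs_device.policy. The list also allows setresuid, setresgid, fchownat, mknodat and umask without argument filters, which is a wide grant for a sandboxed device process; a one-line comment stating what the device needs them for, and that whatever credential restrictions create_fs_device applies (not visible in this hunk) is what bounds them, would make the trust boundary reviewable.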
@@ -0,0 +1,32 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+openat: 1
+
+@include /usr/share/policy/crosvm/common_device.policy
+
+fchmodat: 1
+fchownat: 1
+fgetxattr: 1
+fsetxattr: 1
+fstatfs: 1
+ftruncate: 1
+getdents64: 1
+getegid: 1
+geteuid: 1
+linkat: 1
+lseek: 1
+mkdirat: 1
+mknodat: 1
+newfstatat: 1
+preadv: 1
+pwritev: 1
+readlinkat: 1
+renameat2: 1
+setresgid: 1
+setresuid: 1
+symlinkat: 1
+umask: 1
+unlinkat: 1
+utimensat: 1
\ No newline at end of file
diff --git a/src/linux.rs b/src/linux.rs
index fc4c63e..bd6ee5c 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -761,17 +761,16 @@ fn create_fs_device(
 
 j.no_new_privs();
 
- // TODO(chirantan): Enable seccomp
 // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
 // the entire device process if a worker thread commits a seccomp violation.
- // let seccomp_policy = cfg.seccomp_policy_dir.join("9p_device.policy");
- // j.set_seccomp_filter_tsync();
- // if cfg.seccomp_log_failures {
- // j.log_seccomp_filter_failures();
- // }
- // j.parse_seccomp_filters(&seccomp_policy)
- // .map_err(Error::DeviceJail)?;
- // j.use_seccomp_filter();
+ let seccomp_policy = cfg.seccomp_policy_dir.join("fs_device.policy");
+ j.set_seccomp_filter_tsync();
+ if cfg.seccomp_log_failures {
+ j.log_seccomp_filter_failures();
+ }
+ j.parse_seccomp_filters(&seccomp_policy)
+ .map_err(Error::DeviceJail)?;
+ j.use_seccomp_filter();
 
 // Don't do init setup.
 j.run_as_init();
-- 
cgit 1.4.1
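Review bot: The kept comment `// Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP …` now sits above `let seccomp_policy = cfg.seccomp_policy_dir.join("fs_device.policy");` instead of the call it explains; moving that `let` up one position so the comment directly precedes `j.set_seccomp_filter_tsync();` keeps the rationale attached to the right statement. Since a violation under SECCOMP_RET_TRAP kills the whole device process, any syscall missing from fs_device.policy will likely surface as the shared filesystem vanishing mid-run rather than as a reported error, and `seccomp_log_failures` is the only diagnostic shown here; a short comment pointing at how the policy's syscall list was derived (the TEST line only says a sandboxed VM was run) would help whoever has to extend it. create_fs_device starts before and ends after this hunk.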