From bae43dd4c98182736ea601b313e03620a72ccf83 Mon Sep 17 00:00:00 2001 From: Zach Reizner Date: Thu, 31 Jan 2019 16:55:59 -0800 Subject: seccomp: refactor policy into common_device.policy CQ-DEPEND=CL:1449895 BUG=None TEST=vmc start termina Change-Id: Ia3edaafc1d2958bd40e6b1adc89dd5e29b679b06 Reviewed-on: https://chromium-review.googlesource.com/1448292 Commit-Ready: Zach Reizner Tested-by: kokoro Tested-by: Zach Reizner Reviewed-by: Daniel Verkamp --- seccomp/arm/9p_device.policy | 32 ++---------------- seccomp/arm/9s.policy | 64 ----------------------------------- seccomp/arm/balloon_device.policy | 29 +--------------- seccomp/arm/block_device.policy | 36 ++------------------ seccomp/arm/common_device.policy | 41 ++++++++++++++++++++++ seccomp/arm/cras_audio_device.policy | 40 ++-------------------- seccomp/arm/input_device.policy | 32 ++---------------- seccomp/arm/net_device.policy | 30 +--------------- seccomp/arm/null_audio_device.policy | 33 ++---------------- seccomp/arm/rng_device.policy | 30 +--------------- seccomp/arm/tpm_device.policy | 30 +--------------- seccomp/arm/vhost_net_device.policy | 31 ++--------------- seccomp/arm/vhost_vsock_device.policy | 33 ++---------------- seccomp/arm/wl_device.policy | 35 ++----------------- 14 files changed, 61 insertions(+), 435 deletions(-) delete mode 100644 seccomp/arm/9s.policy create mode 100644 seccomp/arm/common_device.policy (limited to 'seccomp/arm') diff --git a/seccomp/arm/9p_device.policy b/seccomp/arm/9p_device.policy index c1c3aea..b3167b9 100644 --- a/seccomp/arm/9p_device.policy +++ b/seccomp/arm/9p_device.policy 
@@ -2,56 +2,28 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-write: 1
-recv: 1
-read: 1
-epoll_wait: 1
+@include /usr/share/policy/crosvm/common_device.policy
+
 pread64: 1
 pwrite64: 1
 lstat64: 1
 stat64: 1
-close: 1
-prctl: arg0 == PR_SET_NAME
 open: 1
 openat: 1
 fstat64: 1
-# ioctl(fd, FIOCLEX, 0) is equivalent to fcntl(fd, F_SETFD, FD_CLOEXEC).
 ioctl: arg1 == FIOCLEX
 getdents64: 1
 fdatasync: 1
 fsync: 1
-# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
-# negation, thus the manually negated mask constant.
-mmap2: arg2 in 0xfffffffb
-mprotect: arg2 in 0xfffffffb
-sigaltstack: 1
-munmap: 1
 mkdir: 1
 rmdir: 1
-epoll_ctl: 1
 rename: 1
 writev: 1
 link: 1
 unlink: 1
-restart_syscall: 1
-exit: 1
-rt_sigreturn: 1
-epoll_create1: 1
-sched_getaffinity: 1
-dup: 1
-# Disallow clone's other than new threads.
-clone: arg0 & 0x00010000
-set_robust_list: 1
-exit_group: 1
 socket: arg0 == AF_UNIX
-futex: 1
-eventfd2: 1
-mremap: 1
-# Allow MADV_DONTDUMP and MADV_DONTNEED only.
-madvise: arg2 == 0x00000010 || arg2 == 0x00000004
 utimensat: 1
 ftruncate64: 1
 fchown: arg1 == 0xffffffff && arg2 == 0xffffffff
 statfs64: 1
 fstatat64: 1
-getpid: 1
diff --git a/seccomp/arm/9s.policy b/seccomp/arm/9s.policy
deleted file mode 100644
index 5e96803..0000000
--- a/seccomp/arm/9s.policy
+++ /dev/null
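Review bot: `open: 1` and `openat: 1` are kept here while the `@include` at the top now pulls in `open: return ENOENT` and `openat: return ENOENT`, so the same two syscalls carry conflicting rules in one policy. Which rule wins depends on how minijail lays out duplicate syscall entries in the generated BPF — as far as I can tell the earlier entry is matched first, which would leave the 9p server unable to open anything — and `vmc start termina` may not exercise a 9p open at all. Make the precedence explicit: drop the ENOENT stubs from common_device.policy and list them only in the device policies that have no file access, or at minimum put `# Overrides the open/openat ENOENT stubs from common_device.policy` above these two lines and verify the policy compiler honours that order. Separately, `mremap: 1` is removed here and is not present in common_device.policy, so this device silently loses it.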
@@ -1,64 +0,0 @@ -# Copyright 2018 The Chromium OS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -read: 1 -write: 1 -stat64: 1 -open: 1 -openat: 1 -close: 1 -fstat64: 1 -lstat64: 1 -getdents64: 1 -ioctl: arg1 == FIOCLEX -pread64: 1 -pwrite64: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -rt_sigaction: 1 -sigaltstack: 1 -munmap: 1 -utimensat: 1 -brk: 1 -uname: 1 -accept4: 1 -mkdir: 1 -sched_getaffinity: 1 -getpid: 1 -ugetrlimit: 1 -set_robust_list: 1 -fcntl64: 1 -socket: arg0 == AF_UNIX || arg0 == AF_VSOCK -gettimeofday: 1 -restart_syscall: 1 -exit_group: 1 -rt_sigreturn: 1 -rename: 1 -ftruncate64: 1 -connect: 1 -madvise: 1 -rt_sigprocmask: 1 -access: 1 -ARM_set_tls: 1 -_llseek: 1 -exit: 1 -fdatasync: 1 -set_tid_address: 1 -listen: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -statfs64: 1 -link: 1 -unlink: 1 -fsync: 1 -futex: 1 -bind: 1 -rmdir: 1 -# Calling fchown with -1 as the uid/gid will change the ctime but do nothing else. -fchown: arg1 == 0xffffffff && arg2 == 0xffffffff -mremap: 1 -fstatat64: 1 -prlimit64: arg2 == 0 && arg3 != 0 diff --git a/seccomp/arm/balloon_device.policy b/seccomp/arm/balloon_device.policy index 42e5a09..4f7aafd 100644 --- a/seccomp/arm/balloon_device.policy +++ b/seccomp/arm/balloon_device.policy 
@@ -2,31 +2,4 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED || arg2 == MADV_REMOVE -munmap: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -dup: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 +@include /usr/share/policy/crosvm/common_device.policy diff --git a/seccomp/arm/block_device.policy b/seccomp/arm/block_device.policy index 44ee9c3..62f4ee7 100644 --- a/seccomp/arm/block_device.policy +++ b/seccomp/arm/block_device.policy 
@@ -2,46 +2,14 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 +@include /usr/share/policy/crosvm/common_device.policy + fallocate: 1 fdatasync: 1 fstat64: 1 fsync: 1 ftruncate64: 1 -futex: 1 -gettimeofday: 1 _llseek: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -madvise: arg2 == MADV_DONTDUMP || arg2 == MADV_DONTNEED -mremap: 1 -munmap: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 timerfd_create: 1 timerfd_gettime: 1 timerfd_settime: 1 -# libc free() attempts to open /proc/sys/vm/overcommit_memory -open: return ENOENT -openat: return ENOENT diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy new file mode 100644 index 0000000..25db5af --- /dev/null +++ b/seccomp/arm/common_device.policy 
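Review bot: `mremap: 1` is removed here but common_device.policy does not include it, so the block device loses the syscall rather than merely moving it. If the allocator ever reaches mremap (glibc realloc can use it for large heap blocks, as far as I know), the device process is killed by seccomp, which a smoke test such as `vmc start termina` is unlikely to surface. Either keep `mremap: 1` in this file or add it to the shared policy, with a comment on why it is needed. The `# libc free() attempts to open /proc/sys/vm/overcommit_memory` comment that justified the ENOENT stubs is also lost in the move; it belongs next to those lines in common_device.policy.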
@@ -0,0 +1,41 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+brk: 1
+clone: arg0 & CLONE_THREAD
+close: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+futex: 1
+getpid: 1
+gettimeofday: 1
+kill: 1
+mmap2: arg2 in ~PROT_EXEC
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
+mprotect: arg2 in ~PROT_EXEC
+munmap: 1
+nanosleep: 1
+open: return ENOENT
+openat: return ENOENT
+pipe2: 1
+poll: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+read: 1
+recv: 1
+recvfrom: 1
+restart_syscall: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+write: 1
diff --git a/seccomp/arm/cras_audio_device.policy b/seccomp/arm/cras_audio_device.policy
index 829381e..06d63d1 100644
--- a/seccomp/arm/cras_audio_device.policy
+++ b/seccomp/arm/cras_audio_device.policy
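Review bot: `kill: 1` is unrestricted and is new for every device that includes this file; none of the per-device policies being replaced allowed `kill` (only cras_audio_device allowed `tgkill`), so this widens each sandbox to signalling any process the device's credentials permit, including the main crosvm process. If it exists so that abort()/raise() can terminate the process on a fatal error, a comment should say so, and it is worth confirming whether libc actually issues `kill` or `tgkill` on that path, since the cras policy suggests the latter. The `madvise` rule likewise hands `MADV_REMOVE` to every device although only the balloon policy needed it before; a comment stating why it is in the shared set would help. The explanatory comments from the old files (`# Disallow mmap with PROT_EXEC set.` above mmap2/mprotect, `# Disallow clone's other than new threads.` above clone, `# libc free() attempts to open /proc/sys/vm/overcommit_memory` above the ENOENT stubs) did not survive the move and should be restored here.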
@@ -2,47 +2,11 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 +@include /usr/share/policy/crosvm/common_device.policy + madvise: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -nanosleep: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 prlimit64: 1 -restart_syscall: 1 setrlimit: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 -# Kill child thread when it fails -tgkill: 1 -# Real time priority -rt_sigprocmask: 1 -rt_sigaction: 1 -rt_sigreturn: 1 -# Sockets recvmsg: 1 sendmsg: 1 socketpair: arg0 == AF_UNIX diff --git a/seccomp/arm/input_device.policy b/seccomp/arm/input_device.policy index 877f80e..f26998e 100644 --- a/seccomp/arm/input_device.policy +++ b/seccomp/arm/input_device.policy 
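Review bot: `tgkill: 1` (annotated `# Kill child thread when it fails`) is removed here, and the included common_device.policy only adds `kill: 1`, which is a different syscall, so whatever path used tgkill will now take SIGSYS instead. If replacing tgkill with kill was intentional, the shared rule should say so and the unrestricted `kill` should be justified; otherwise restore `tgkill: 1` in this file together with its comment. The `# Sockets` comment was also dropped while the rules it described (`recvmsg`, `sendmsg`, `socketpair`) remain, so it should be put back.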
@@ -2,36 +2,8 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 -futex: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -# Allow MADV_DONTDUMP only. -madvise: arg2 == 0x00000010 -munmap: 1 -read: 1 -recvfrom: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 +@include /usr/share/policy/crosvm/common_device.policy + ioctl: 1 fcntl: 1 getsockname: 1 diff --git a/seccomp/arm/net_device.policy b/seccomp/arm/net_device.policy index 5f50c87..4f7aafd 100644 --- a/seccomp/arm/net_device.policy +++ b/seccomp/arm/net_device.policy @@ -2,32 +2,4 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -poll: 1 -ppoll: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -# arg0 is flags. Because kernel. -clone: arg0 & 0x00010000 -write: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 +@include /usr/share/policy/crosvm/common_device.policy diff --git a/seccomp/arm/null_audio_device.policy b/seccomp/arm/null_audio_device.policy index dd895ea..089d1bd 100644 --- a/seccomp/arm/null_audio_device.policy +++ b/seccomp/arm/null_audio_device.policy 
@@ -2,38 +2,9 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 +@include /usr/share/policy/crosvm/common_device.policy + madvise: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -nanosleep: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 prlimit64: 1 -restart_syscall: 1 setrlimit: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 clock_gettime: 1 diff --git a/seccomp/arm/rng_device.policy b/seccomp/arm/rng_device.policy index 7d2df8f..4f7aafd 100644 --- a/seccomp/arm/rng_device.policy +++ b/seccomp/arm/rng_device.policy @@ -2,32 +2,4 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 +@include /usr/share/policy/crosvm/common_device.policy diff --git a/seccomp/arm/tpm_device.policy b/seccomp/arm/tpm_device.policy index 7d2df8f..4f7aafd 100644 --- a/seccomp/arm/tpm_device.policy +++ b/seccomp/arm/tpm_device.policy 
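Review bot: `madvise: 1` is kept in this file while the `@include` above it now supplies a restricted `madvise: arg2 == MADV_DONTNEED || ...` rule, so the syscall has two conflicting entries and the effective rule depends on how minijail orders duplicates in the BPF. If the null audio device genuinely needs arbitrary madvise advice, say why in a comment (`# Needs unrestricted madvise because ...`) and resolve the duplicate explicitly; if not, drop the line and rely on the shared rule.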
@@ -2,32 +2,4 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 -poll: 1 -ppoll: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 +@include /usr/share/policy/crosvm/common_device.policy diff --git a/seccomp/arm/vhost_net_device.policy b/seccomp/arm/vhost_net_device.policy index 815aa34..58fc7ef 100644 --- a/seccomp/arm/vhost_net_device.policy +++ b/seccomp/arm/vhost_net_device.policy @@ -2,12 +2,8 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 +@include /usr/share/policy/crosvm/common_device.policy + # Whitelist vhost_net ioctls only. # arg1 == VHOST_GET_FEATURES || # arg1 == VHOST_SET_FEATURES || 
@@ -25,26 +21,3 @@ gettimeofday: 1 # arg1 == VHOST_SET_VRING_ERR || # arg1 == VHOST_NET_SET_BACKEND ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -poll: 1 -ppoll: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -# arg0 is flags. Because kernel. -clone: arg0 & 0x00010000 -write: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 diff --git a/seccomp/arm/vhost_vsock_device.policy b/seccomp/arm/vhost_vsock_device.policy index c6efaee..9d9ca59 100644 --- a/seccomp/arm/vhost_vsock_device.policy +++ b/seccomp/arm/vhost_vsock_device.policy @@ -2,12 +2,8 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -exit_group: 1 -futex: 1 -gettimeofday: 1 +@include /usr/share/policy/crosvm/common_device.policy + # Whitelist vhost_vsock ioctls only. # arg1 == VHOST_GET_FEATURES || # arg1 == VHOST_SET_FEATURES || 
@@ -26,28 +22,3 @@ gettimeofday: 1 # arg1 == VHOST_VSOCK_SET_GUEST_CID || # arg1 == VHOST_VSOCK_SET_RUNNING ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af60 || arg1 == 0x4004af61 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -munmap: 1 -poll: 1 -ppoll: 1 -read: 1 -connect: 1 -sendto: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -# arg0 is flags. Because kernel. -clone: arg0 & 0x00010000 -write: 1 -getpid: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 diff --git a/seccomp/arm/wl_device.policy b/seccomp/arm/wl_device.policy index 5f05ad9..1104fba 100644 --- a/seccomp/arm/wl_device.policy +++ b/seccomp/arm/wl_device.policy 
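Review bot: `connect: 1` and `sendto: 1` are removed from this policy but neither is in common_device.policy (which carries `recvfrom` but no `sendto`), so the vsock device loses both syscalls rather than having them moved. If they were dead entries that is fine, but the commit is described as a refactor, so a narrowing should be called out in the message; if the device still needs them (the vhost_net policy never had them, so they look vsock-specific), restore them here with a comment on what they are used for.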
@@ -2,32 +2,8 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -close: 1 -dup: 1 -dup2: 1 -getpid: 1 -gettimeofday: 1 -exit_group: 1 -futex: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -# Allow MADV_DONTDUMP only. -madvise: arg2 == 0x00000010 -munmap: 1 -poll: 1 -ppoll: 1 -read: 1 -recv: 1 -sched_getaffinity: 1 -set_robust_list: 1 -sigaltstack: 1 -# Disallow clone's other than new threads. -# arg0 is flags. Because kernel. -clone: arg0 & 0x00010000 -write: 1 -eventfd2: 1 +@include /usr/share/policy/crosvm/common_device.policy + # Used to connect to wayland. arg0 == AF_UNIX && arg1 == SOCK_STREAM|SOCK_CLOEXEC socket: arg0 == 1 && arg1 == 0x80001 && arg2 == 0 # arg1 == FIONBIO || arg1 == DMA_BUF_IOCTL_SYNC @@ -42,12 +18,5 @@ memfd_create: arg1 == 3 ftruncate64: 1 # Used to determine shm size after recvmsg with fd _llseek: 1 -# Allow PR_SET_NAME only. -prctl: arg0 == 15 -restart_syscall: 1 # Allow F_GETFL only fcntl64: arg1 == 3 -pipe2: 1 -epoll_create1: 1 -epoll_ctl: 1 -epoll_wait: 1 -- cgit 1.4.1