From 41d5b5b12a87764b00bbe3266005996a4620ca94 Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote
Date: Wed, 23 Aug 2017 11:20:36 -0700
Subject: Put seccomp policy files in a common directory

We will almost certainly require different seccomp policy files for different architectures. Move all the existing secommp policy files into a common directory grouped by architecture. This will make it easier to install them via the ebuild later.

BUG=none
TEST=none
Change-Id: I0495789cd4143dc374ee6ebe083dc20ce724edbb
Signed-off-by: Chirantan Ekbote
Reviewed-on: https://chromium-review.googlesource.com/630058
Reviewed-by: Zach Reizner
Reviewed-by: Dylan Reid
---
seccomp/x86_64/block_device.policy | 24 +++++++++++++++++++++
seccomp/x86_64/net_device.policy | 22 +++++++++++++++++++
seccomp/x86_64/rng_device.policy | 23 ++++++++++++++++++++
seccomp/x86_64/vhost_net_device.policy | 39 ++++++++++++++++++++++++++++++++++
4 files changed, 108 insertions(+)
create mode 100644 seccomp/x86_64/block_device.policy
create mode 100644 seccomp/x86_64/net_device.policy
create mode 100644 seccomp/x86_64/rng_device.policy
create mode 100644 seccomp/x86_64/vhost_net_device.policy
(limited to 'seccomp/x86_64')
diff --git a/seccomp/x86_64/block_device.policy b/seccomp/x86_64/block_device.policy
new file mode 100644
index 0000000..67a2786
--- /dev/null
+++ b/seccomp/x86_64/block_device.policy
@@ -0,0 +1,24 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+lseek: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1
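Review bot: The `clone: arg0 & 0x00010000` rule near the end of block_device.policy only requires that the CLONE_THREAD bit (0x00010000) be set in the flags argument, so the comment above it, `# Disallow clone's other than new threads.`, promises more than the rule enforces: any flag combination that includes CLONE_THREAD is accepted and the remaining bits are not constrained. If the policy syntax supports an exact comparison, pinning the flag set the threading library actually passes would make the rule match the comment; otherwise the comment should describe the real contract, e.g. `# Allow clone only when CLONE_THREAD (0x00010000) is set; other flag bits are not constrained by this rule.` The same rule and comment appear in net_device.policy, rng_device.policy and vhost_net_device.policy in this patch, so the wording should be fixed in all four.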
diff --git a/seccomp/x86_64/net_device.policy b/seccomp/x86_64/net_device.policy
new file mode 100644
index 0000000..61a1753
--- /dev/null
+++ b/seccomp/x86_64/net_device.policy
@@ -0,0 +1,22 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
diff --git a/seccomp/x86_64/rng_device.policy b/seccomp/x86_64/rng_device.policy
new file mode 100644
index 0000000..cf7ac9b
--- /dev/null
+++ b/seccomp/x86_64/rng_device.policy
@@ -0,0 +1,23 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+clone: arg0 & 0x00010000
+write: 1
+eventfd2: 1
+dup: 1
+poll: 1
diff --git a/seccomp/x86_64/vhost_net_device.policy b/seccomp/x86_64/vhost_net_device.policy
new file mode 100644
index 0000000..65801fe
--- /dev/null
+++ b/seccomp/x86_64/vhost_net_device.policy
@@ -0,0 +1,39 @@
+# Copyright 2017 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+close: 1
+exit_group: 1
+futex: 1
+# Whitelist vhost_net ioctls only.
+# arg1 == VHOST_GET_FEATURES ||
+# arg1 == VHOST_SET_FEATURES ||
+# arg1 == VHOST_SET_OWNER ||
+# arg1 == VHOST_RESET_OWNER ||
+# arg1 == VHOST_SET_MEM_TABLE ||
+# arg1 == VHOST_SET_LOG_BASE ||
+# arg1 == VHOST_SET_LOG_FD ||
+# arg1 == VHOST_SET_VRING_NUM ||
+# arg1 == VHOST_SET_VRING_ADDR ||
+# arg1 == VHOST_SET_VRING_BASE ||
+# arg1 == VHOST_GET_VRING_BASE ||
+# arg1 == VHOST_SET_VRING_KICK ||
+# arg1 == VHOST_SET_VRING_CALL ||
+# arg1 == VHOST_SET_VRING_ERR ||
+# arg1 == VHOST_NET_SET_BACKEND
+ioctl: arg1 == 0x8008af00 || arg1 == 0x4008af00 || arg1 == 0x0000af01 || arg1 == 0x0000af02 || arg1 == 0x4008af03 || arg1 == 0x4008af04 || arg1 == 0x4004af07 || arg1 == 0x4008af10 || arg1 == 0x4028af11 || arg1 == 0x4008af12 || arg1 == 0xc008af12 || arg1 == 0x4008af20 || arg1 == 0x4008af21 || arg1 == 0x4008af22 || arg1 == 0x4008af30
+# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit
+# negation, thus the manually negated mask constant.
+mmap: arg2 in 0xfffffffb
+mprotect: arg2 in 0xfffffffb
+munmap: 1
+poll: 1
+read: 1
+recvfrom: 1
+sched_getaffinity: 1
+set_robust_list: 1
+sigaltstack: 1
+# Disallow clone's other than new threads.
+# arg0 is flags. Because kernel.
+clone: arg0 & 0x00010000
+write: 1
-- 
cgit 1.4.1