From 1617c21918c30479ab705f45d4ef3c21ccc0d4fa Mon Sep 17 00:00:00 2001 From: Yusuke Sato Date: Fri, 10 Jan 2020 16:01:11 -0800 Subject: seccomp: Allow 9p device to use open/openat This allows us to use export a directory to a VM with the '--shared-dir tag:/dir' crosvm command line flag without relying on seneschal. The fs device's policy already does the same. BUG=b:123309049 TEST=Start tot ARCVM, run 'mkdir /var/run/arc/arcvm && mount -t 9p -o "trans=virtio,version=9p2000.L,cache=none,access=any" host_generated /var/run/arc/arcvm && ls /var/run/arc/arcvm', verify ls prints files. Change-Id: I8f8b265fc8a7de159508afbee5114b6a3f084d01 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1995319 Tested-by: Yusuke Sato Tested-by: kokoro Reviewed-by: Lepton Wu Reviewed-by: Chirantan Ekbote Commit-Queue: Yusuke Sato --- seccomp/aarch64/9p_device.policy | 4 +++- seccomp/arm/9p_device.policy | 5 +++-- seccomp/x86_64/9p_device.policy | 5 +++-- 3 files changed, 9 insertions(+), 5 deletions(-) (limited to 'seccomp') diff --git a/seccomp/aarch64/9p_device.policy b/seccomp/aarch64/9p_device.policy index f52e971..ff6a734 100644 --- a/seccomp/aarch64/9p_device.policy +++ b/seccomp/aarch64/9p_device.policy @@ -2,12 +2,14 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +open: 1 +openat: 1 + @include /usr/share/policy/crosvm/common_device.policy pread64: 1 pwrite64: 1 statx: 1 -openat: 1 fstat: 1 ioctl: arg1 == FIOCLEX getdents64: 1 diff --git a/seccomp/arm/9p_device.policy b/seccomp/arm/9p_device.policy index b3167b9..dc369e3 100644 --- a/seccomp/arm/9p_device.policy +++ b/seccomp/arm/9p_device.policy 
@@ -2,14 +2,15 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +open: 1 +openat: 1 + @include /usr/share/policy/crosvm/common_device.policy pread64: 1 pwrite64: 1 lstat64: 1 stat64: 1 -open: 1 -openat: 1 fstat64: 1 ioctl: arg1 == FIOCLEX getdents64: 1 diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy index ddd7417..e1bddde 100644 --- a/seccomp/x86_64/9p_device.policy +++ b/seccomp/x86_64/9p_device.policy @@ -2,14 +2,15 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +open: 1 +openat: 1 + @include /usr/share/policy/crosvm/common_device.policy writev: 1 pwrite64: 1 stat: 1 lstat: 1 -open: 1 -openat: 1 fstat: 1 ioctl: arg1 == FIOCLEX link: 1 -- cgit 1.4.1
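Review bot: In seccomp/aarch64/9p_device.policy the new 'open: 1' line names a syscall that the arm64 syscall table does not provide (only openat exists there), and the old aarch64 policy accordingly listed only 'openat: 1'. Please confirm the policy still compiles and loads for aarch64, or drop 'open: 1' from this file and keep just 'openat: 1' above the @include. The TEST line describes an ARCVM run and does not say an aarch64 build was exercised.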
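Review bot: In seccomp/arm/9p_device.policy, 'open: 1' and 'openat: 1' were already present below the @include, so the only change is their position above '@include /usr/share/policy/crosvm/common_device.policy', and nothing in the file says why that order matters. Add a comment above the two lines stating that they must precede the include and which entries of common_device.policy they are meant to take precedence over, so that a later tidy-up does not move them back and silently undo this change. The same comment is needed in the x86_64 and aarch64 files.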
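Review bot: In seccomp/x86_64/9p_device.policy the moved 'open: 1' and 'openat: 1' rules are unconditional, unlike 'ioctl: arg1 == FIOCLEX' a few lines below, and a seccomp rule cannot inspect the path string behind the pointer argument in any case. Since the commit message says the directory is now exported without relying on seneschal, state in the commit message or in a policy comment what confines the 9p device process to the '--shared-dir' directory, because this filter places no limit on which files it may open.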