diff options
author | Dániel Bátyai <dbatyai@inf.u-szeged.hu> | 2018-09-18 17:36:36 +0200 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-09-21 10:11:35 -0700 |
commit | d0ada838bb2e9a31d0d3b9368baba27901469587 (patch) | |
tree | 35537daf59bb4addd2514ff6dee91667c7d286ee | |
parent | b688036e050b46e4cfc1d38b04667f5af55beaae (diff) | |
download | adhd-d0ada838bb2e9a31d0d3b9368baba27901469587.tar.gz |
adhd: Update arm64 seccomp policy
Previous filter was not compiling. Updated the filter with required
syscalls, removed nonexistent ones, and sorted them based on frequency
of use.
BUG=chromium:878565
TEST=cras service starts, audio works as expected
Change-Id: I7f399ff0daa5922e19dbe30328d26221444c0d2e
Reviewed-on: https://chromium-review.googlesource.com/1230874
Commit-Ready: Daniel Batyai <dbatyai@inf.u-szeged.hu>
Tested-by: Daniel Batyai <dbatyai@inf.u-szeged.hu>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rw-r--r-- | seccomp/cras-seccomp-arm64.policy | 122 |
1 files changed, 58 insertions, 64 deletions
diff --git a/seccomp/cras-seccomp-arm64.policy b/seccomp/cras-seccomp-arm64.policy index 0b499622..1b2de454 100644 --- a/seccomp/cras-seccomp-arm64.policy +++ b/seccomp/cras-seccomp-arm64.policy @@ -3,85 +3,79 @@ # found in the LICENSE file. clock_gettime: 1 -poll: 1 -read: 1 +# Allow ioctl command of type 'A' and 'U' for SNDRV_PCM_IOCTL_* and +# SNDRV_CTL_IOCTL_*, and EVIOCGSW(8), EVIOCGNAME(256), EVIOCGBIT(0x05, 8), +# HCIGETDEVINFO +ioctl: arg1 in 0xffff41ff && arg1 & 0x00004100 || arg1 in 0xffff55ff && arg1 & 0x00005500 || arg1 == 0x8008451b || arg1 == 0x81004506 || arg1 == 0x80084525 || arg1 == 0x800448d3 ppoll: 1 +read: 1 write: 1 -recv: 1 -send: 1 -recvmsg: 1 -lstat64: 1 -fstat64: 1 -open: 1 +newfstatat: 1 +fstat: 1 +openat: 1 close: 1 -fcntl64: 1 readlinkat: 1 -sendmsg: 1 -access: 1 getrandom: 1 -mmap2: 1 -epoll_wait: 1 -getsockopt: 1 -accept: 1 -stat64: 1 -mprotect: 1 -gettimeofday: 1 +faccessat: 1 +# Don't allow mmap or mprotect with both PROT_WRITE and PROT_EXEC +mmap: arg2 in 0xfffffffb || arg2 in 0xfffffffd +mprotect: arg2 in 0xfffffffb || arg2 in 0xfffffffd +sendmsg: 1 +rt_sigaction: 1 +lseek: 1 +recvmsg: 1 +fcntl: 1 getdents64: 1 +sendto: 1 brk: 1 -statfs: 1 -readlink: 1 munmap: 1 -rt_sigaction: 1 -lgetxattr: 1 -unlink: 1 -lsetxattr: 1 -rt_sigprocmask: 1 -ftruncate: 1 -futex: 1 -execve: 1 -set_robust_list: 1 socket: arg0 == AF_UNIX || arg0 == AF_BLUETOOTH || arg0 == AF_NETLINK -clone: 1 -setsockopt: 1 -geteuid: 1 -ugetrlimit: 1 -uname: 1 +statfs: 1 +getsockopt: 1 +accept: 1 +pipe2: 1 +prctl: arg0 == PR_SET_NAME +futex: 1 +ftruncate: 1 connect: 1 bind: 1 -_llseek: 1 -getuid: 1 -getgid: 1 -getegid: 1 -pipe: 1 -flock: 1 -set_tid_address: 1 -exit_group: 1 -getsockname: 1 -getdents: 1 -nanosleep: 1 -epoll_ctl: 1 -sched_setscheduler: 1 -restart_syscall: 1 -rt_sigreturn: 1 -getresuid: 1 -exit: 1 -prctl: arg0 == PR_SET_NAME clock_getres: 1 +clone: 1 epoll_create1: 1 +epoll_ctl: 1 +epoll_pwait: 1 +execve: 1 +exit: 1 +exit_group: 1 fchmod: 1 -setrlimit: 1 -listen: 1 +fchmodat: 1 +flock: 1 +flock: 1 +getegid: 1 +geteuid: 1 +getgid: 1 +getresgid: 1 +getresuid: 1 +getrlimit: 1 +getsockname: 1 gettid: 1 -sched_get_priority_min: 1 -chmod: 1 +gettimeofday: 1 +getuid: 1 +lgetxattr: 1 +listen: 1 +lsetxattr: 1 madvise: 1 -getresgid: 1 -pipe2: 1 +nanosleep: 1 +restart_syscall: 1 +rt_sigprocmask: 1 +rt_sigreturn: 1 sched_get_priority_max: 1 +sched_get_priority_min: 1 +sched_setscheduler: 1 +setrlimit: 1 +set_robust_list: 1 +setsockopt: 1 +set_tid_address: 1 sysinfo: 1 -flock: 1 - -# Allow ioctl command of type 'A' and 'U' for SNDRV_PCM_IOCTL_* and -# SNDRV_CTL_IOCTL_*, and EVIOCGSW(8), EVIOCGNAME(256), EVIOCGBIT(0x05, 8), -# HCIGETDEVINFO -ioctl: arg1 in 0xffff41ff && arg1 & 0x00004100 || arg1 in 0xffff55ff && arg1 & 0x00005500 || arg1 == 0x8008451b || arg1 == 0x81004506 || arg1 == 0x80084525 || arg1 == 0x800448d3 +uname: 1 +unlinkat: 1 |