authorDániel Bátyai <dbatyai@inf.u-szeged.hu>2018-09-18 17:36:36 +0200
committerchrome-bot <chrome-bot@chromium.org>2018-09-21 10:11:35 -0700
commitd0ada838bb2e9a31d0d3b9368baba27901469587 (patch)
tree35537daf59bb4addd2514ff6dee91667c7d286ee
parentb688036e050b46e4cfc1d38b04667f5af55beaae (diff)
downloadadhd-d0ada838bb2e9a31d0d3b9368baba27901469587.tar.gz
adhd: Update arm64 seccomp policy
Previous filter was not compiling. Updated the filter with required syscalls, removed nonexistent ones, and sorted them based on frequency of use. BUG=chromium:878565 TEST=cras service starts, audio works as expected Change-Id: I7f399ff0daa5922e19dbe30328d26221444c0d2e Reviewed-on: https://chromium-review.googlesource.com/1230874 Commit-Ready: Daniel Batyai <dbatyai@inf.u-szeged.hu> Tested-by: Daniel Batyai <dbatyai@inf.u-szeged.hu> Reviewed-by: Dylan Reid <dgreid@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rw-r--r--seccomp/cras-seccomp-arm64.policy122
1 files changed, 58 insertions, 64 deletions
diff --git a/seccomp/cras-seccomp-arm64.policy b/seccomp/cras-seccomp-arm64.policy
index 0b499622..1b2de454 100644
--- a/seccomp/cras-seccomp-arm64.policy
+++ b/seccomp/cras-seccomp-arm64.policy
@@ -3,85 +3,79 @@
# found in the LICENSE file.
clock_gettime: 1
-poll: 1
-read: 1
+# Allow ioctl command of type 'A' and 'U' for SNDRV_PCM_IOCTL_* and
+# SNDRV_CTL_IOCTL_*, and EVIOCGSW(8), EVIOCGNAME(256), EVIOCGBIT(0x05, 8),
+# HCIGETDEVINFO
+ioctl: arg1 in 0xffff41ff && arg1 & 0x00004100 || arg1 in 0xffff55ff && arg1 & 0x00005500 || arg1 == 0x8008451b || arg1 == 0x81004506 || arg1 == 0x80084525 || arg1 == 0x800448d3
ppoll: 1
+read: 1
write: 1
-recv: 1
-send: 1
-recvmsg: 1
-lstat64: 1
-fstat64: 1
-open: 1
+newfstatat: 1
+fstat: 1
+openat: 1
close: 1
-fcntl64: 1
readlinkat: 1
-sendmsg: 1
-access: 1
getrandom: 1
-mmap2: 1
-epoll_wait: 1
-getsockopt: 1
-accept: 1
-stat64: 1
-mprotect: 1
-gettimeofday: 1
+faccessat: 1
+# Don't allow mmap or mprotect with both PROT_WRITE and PROT_EXEC
+mmap: arg2 in 0xfffffffb || arg2 in 0xfffffffd
+mprotect: arg2 in 0xfffffffb || arg2 in 0xfffffffd
+sendmsg: 1
+rt_sigaction: 1
+lseek: 1
+recvmsg: 1
+fcntl: 1
getdents64: 1
+sendto: 1
brk: 1
-statfs: 1
-readlink: 1
munmap: 1
-rt_sigaction: 1
-lgetxattr: 1
-unlink: 1
-lsetxattr: 1
-rt_sigprocmask: 1
-ftruncate: 1
-futex: 1
-execve: 1
-set_robust_list: 1
socket: arg0 == AF_UNIX || arg0 == AF_BLUETOOTH || arg0 == AF_NETLINK
-clone: 1
-setsockopt: 1
-geteuid: 1
-ugetrlimit: 1
-uname: 1
+statfs: 1
+getsockopt: 1
+accept: 1
+pipe2: 1
+prctl: arg0 == PR_SET_NAME
+futex: 1
+ftruncate: 1
connect: 1
bind: 1
-_llseek: 1
-getuid: 1
-getgid: 1
-getegid: 1
-pipe: 1
-flock: 1
-set_tid_address: 1
-exit_group: 1
-getsockname: 1
-getdents: 1
-nanosleep: 1
-epoll_ctl: 1
-sched_setscheduler: 1
-restart_syscall: 1
-rt_sigreturn: 1
-getresuid: 1
-exit: 1
-prctl: arg0 == PR_SET_NAME
clock_getres: 1
+clone: 1
epoll_create1: 1
+epoll_ctl: 1
+epoll_pwait: 1
+execve: 1
+exit: 1
+exit_group: 1
fchmod: 1
-setrlimit: 1
-listen: 1
+fchmodat: 1
+flock: 1
+flock: 1
+getegid: 1
+geteuid: 1
+getgid: 1
+getresgid: 1
+getresuid: 1
+getrlimit: 1
+getsockname: 1
gettid: 1
-sched_get_priority_min: 1
-chmod: 1
+gettimeofday: 1
+getuid: 1
+lgetxattr: 1
+listen: 1
+lsetxattr: 1
madvise: 1
-getresgid: 1
-pipe2: 1
+nanosleep: 1
+restart_syscall: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
sched_get_priority_max: 1
+sched_get_priority_min: 1
+sched_setscheduler: 1
+setrlimit: 1
+set_robust_list: 1
+setsockopt: 1
+set_tid_address: 1
sysinfo: 1
-flock: 1
-
-# Allow ioctl command of type 'A' and 'U' for SNDRV_PCM_IOCTL_* and
-# SNDRV_CTL_IOCTL_*, and EVIOCGSW(8), EVIOCGNAME(256), EVIOCGBIT(0x05, 8),
-# HCIGETDEVINFO
-ioctl: arg1 in 0xffff41ff && arg1 & 0x00004100 || arg1 in 0xffff55ff && arg1 & 0x00005500 || arg1 == 0x8008451b || arg1 == 0x81004506 || arg1 == 0x80084525 || arg1 == 0x800448d3
+uname: 1
+unlinkat: 1
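Review bot: `flock: 1` is added twice on consecutive lines in the alphabetised tail of the new policy, so one of the two lines should be dropped. The second entry is redundant, and depending on the minijail version that compiles the policy, a repeated syscall name may be warned about or rejected. Separately, the comment above the `mmap` and `mprotect` rules overstates what the masks enforce: they reject a single call that asks for PROT_WRITE and PROT_EXEC together, but a region mapped writable can still be made executable by a later `mprotect`. I would extend that comment with something like `# Blocks simultaneous W+X only; a later mprotect from writable to executable is still permitted`, so nobody reads the rule as a full W^X guarantee.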