This CL whitelists socketpair and setpriority system calls since they
are used by ALSA plugins for IP audio and brillo library.
BUG=b:150684172
TEST=Tested on hardware. Used Endeavour to start a meeting and used
Viking for IP audio.
Change-Id: Ia8a1fc6bf490ae66cbb317e6b47bf4b8a06ddd61
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/2198197
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Rehan Ghori <rehang@chromium.org>
Tested-by: Rehan Ghori <rehang@chromium.org>
|
|
The calling path of _newselect in CRAS:
server/cras_alsa_jack.c: find_gpio_jacks()
-> common/cras_util.c: wait_for_dev_input_access()
-> select()
Note: only x86 and arm support this syscall.
BUG=b:151586398
TEST=reboot && cras_test_client && repeat
Change-Id: I039e43466449068c005cf7371c28e98f9a7a053e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/2116377
Reviewed-by: Tzung-Bi Shih <tzungbi@chromium.org>
Reviewed-by: Chih-Yang Hsia <paulhsia@chromium.org>
Tested-by: Tzung-Bi Shih <tzungbi@chromium.org>
Commit-Queue: Tzung-Bi Shih <tzungbi@chromium.org>
|
|
Using ftruncate does not gracefully fail if /dev/shm space is not
sufficient. Accessing memory from mmap right after the check will
trigger a runtime SIGBUS error.
Add fallocate to seccomp policy files.
BUG=chromium:1025680
BUG=chromium:1031140
BUG=chromium:1031904
TEST=Build
Change-Id: Id35e7069300d08dc696e5379daeca8681b14d915
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/1958346
Tested-by: Chih-Yang Hsia <paulhsia@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Commit-Queue: Chih-Yang Hsia <paulhsia@chromium.org>
|
|
BUG=None
TEST=None
Change-Id: Ibd10c388020ee5934ab3e46c173a367206d18440
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/1965412
Tested-by: Mattias Nissler <mnissler@chromium.org>
Auto-Submit: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Cheng-Yi Chiang <cychiang@chromium.org>
Commit-Queue: Mattias Nissler <mnissler@chromium.org>
|
|
Newer versions of OpenSSL make additional system calls. These are safe
enough, so allow them in the seccomp policy.
BUG=chromium:1033486
TEST=No more seccomp violation reports, chrome audio playback works
Change-Id: I736a6dcc9176ae94f91a36ee3608d56b8e9df671
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/1964151
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Commit-Queue: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
|
|
BUG=chromium:1030227
TEST=Crash audio thread with "double free or corruption (!prev)"
and see if the main thread will be killed normally.
Change-Id: I43154bfbb4d6203209a8fd481080468b77d2e6b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/1947611
Reviewed-by: Cheng-Yi Chiang <cychiang@chromium.org>
Tested-by: Chih-Yang Hsia <paulhsia@chromium.org>
Commit-Queue: Chih-Yang Hsia <paulhsia@chromium.org>
|
|
Creating a client-provided shm stream calls dup, so add it to the
seccomp policies.
BUG=chromium:968724
TEST=cq
Change-Id: Ieba0842079842d2c6488092eaf79a1a8cb131af3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/1806144
Tested-by: Fletcher Woodruff <fletcherw@chromium.org>
Commit-Queue: Fletcher Woodruff <fletcherw@chromium.org>
Reviewed-by: Chih-Yang Hsia <paulhsia@chromium.org>
|
|
Mremap is used when libdbus calls realloc in __dbus_string_compact,
which might happen sometimes.
BUG=chromium:901225
TEST=On a broken DUT
$ restart cras
and check if syscall 25 is blocked by seccomp in dmesg
Change-Id: Iaae7dc3e541305af66175bff39fcb481f636c403
Reviewed-on: https://chromium-review.googlesource.com/1314268
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Chih-Yang Hsia <paulhsia@chromium.org>
Reviewed-by: Cheng-Yi Chiang <cychiang@chromium.org>
|
|
When there is something wrong in CRAS, it will abort and restart. We
need to allow tgkill to let CRAS abort itself.
BUG=none
TEST=CRAS can exit successfully when it aborts.
Change-Id: I3c1128726e24184ce8e8db54949d0275290ef081
Reviewed-on: https://chromium-review.googlesource.com/1301613
Commit-Ready: Yu-Hsuan Hsu <yuhsuan@chromium.org>
Tested-by: Yu-Hsuan Hsu <yuhsuan@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
Since glibc 2.13, setrlimit and getrlimit are implemented by prlimit,
which calls system call prlimit64.
However, on Cros image built with glibc 2.26,
setrlimit and getrlimit still lead to setrlimit
and getrlimit system call respectively.
On image built with glibc 2.27, setrlimit and getrlimit lead to
prlimit64.
We should remove these calls once we verified they are not needed on
image built with glibc 2.27.
1. setrlimit, getrlimit in amd64 and arm64.
2. setrlimit, ugetrlimit in arm.
BUG=chromium:896372
TEST=Check Youtube playback on image built with glibc 2.27.
Change-Id: I60bd3937c7abc642e62ad644cabe96e1373f1e9d
Reviewed-on: https://chromium-review.googlesource.com/1290613
Commit-Ready: Cheng-Yi Chiang <cychiang@chromium.org>
Tested-by: Cheng-Yi Chiang <cychiang@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
|
|
This allows the openat system call because glibc 2.26 changed their system call
for open().
BUG=chromium:894614
TEST=None
Change-Id: Icec3086a0e59b506ad31e5d9503232503be20ef1
Reviewed-on: https://chromium-review.googlesource.com/1278091
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
Starting with glibc 2.26, getpid() requires a system call, so we need
to add it to the seccomp whitelist.
BUG=chromium:894700
TEST=None
Change-Id: I7a1c436c45878fc8e21076d6df16c2db6d8fd473
Reviewed-on: https://chromium-review.googlesource.com/1278100
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
Previous filter was not compiling. Updated the filter with required
syscalls, removed nonexistent ones, and sorted them based on frequency
of use.
BUG=chromium:878565
TEST=cras service starts, audio works as expected
Change-Id: I7f399ff0daa5922e19dbe30328d26221444c0d2e
Reviewed-on: https://chromium-review.googlesource.com/1230874
Commit-Ready: Daniel Batyai <dbatyai@inf.u-szeged.hu>
Tested-by: Daniel Batyai <dbatyai@inf.u-szeged.hu>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
Use arm policy as the base but rename 32-bit versions by 64-bit
ones.
BUG=chromium:878565
TEST=emerge-kevin64 adhd
Change-Id: I8a7b116b8a16c5a3bd5fa0a4120bcb5158994205
Reviewed-on: https://chromium-review.googlesource.com/1200902
Commit-Ready: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
In order to integrate the webrtc-apm library in CRAS, we want to
make CRAS run in an environment as close as possible to how the Chrome
renderer process is sandboxed.
This change adds seccomp.policy file which will be installed in
ebuild.
BUG=chromium:857378
TEST=Apply whole patch set including ebuild changes
Test on Eve and Kevin that seccomp policy files are installed
and used.
Change-Id: Ieb74924634bd6e970c250f78b54b2d19b6e90f87
Reviewed-on: https://chromium-review.googlesource.com/1136345
Commit-Ready: Hsinyu Chao <hychao@chromium.org>
Tested-by: Hsinyu Chao <hychao@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
|