authorJorge Lucangeli Obes <jorgelo@chromium.org>2012-12-12 10:21:01 -0800
committerJorge Lucangeli Obes <jorgelo@chromium.org>2013-01-04 10:27:51 -0800
commitf5d7bf80f755aa66810eb6bea4d4737ddb405909 (patch)
tree43d0384f0f25a0204a38eebce2822387c7a40081 /tlsdate-seccomp-amd64.policy
parentc87e900c98a292c6e616957c9df101d28fb8eed3 (diff)
Add Seccomp-BPF policies to the repo.
These policies can be used with the Minijail tool (http://git.chromium.org/gitweb/?p=chromiumos/platform/minijail.git) to achieve kernel attack surface reduction. (Also fix some trailing whitespace.) BUG=chromium-os:36653 TEST=None Change-Id: I35dd74702f7dfd701c86e1b25b0831d3925fbf96 Signed-off-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Diffstat (limited to 'tlsdate-seccomp-amd64.policy')
-rw-r--r--tlsdate-seccomp-amd64.policy48
1 files changed, 48 insertions, 0 deletions
diff --git a/tlsdate-seccomp-amd64.policy b/tlsdate-seccomp-amd64.policy
new file mode 100644
index 0000000..d22afdc
--- /dev/null
+++ b/tlsdate-seccomp-amd64.policy
@@ -0,0 +1,48 @@
+mmap: 1
+open: 1
+read: 1
+close: 1
+fstat: 1
+mprotect: 1
+munmap: 1
+stat: 1
+write: 1
+lseek: 1
+brk: 1
+fcntl: 1
+execve: 1
+sendto: 1
+# Allow domain == PF_FILE || domain == PF_INET || domain == PF_NETLINK
+socket: arg0 == 1 || arg0 == 2 || arg0 == 16
+connect: 1
+poll: 1
+access: 1
+arch_prctl: 1
+wait4: 1
+rt_sigaction: 1
+exit_group: 1
+rt_sigprocmask: 1
+clone: 1
+# Allow request == RTC_SET_TIME || request == FIONREAD
+ioctl: arg1 == 0x4024700a || arg1 == 0x541b
+getuid: 1
+exit: 1
+rt_sigreturn: 1
+rename: 1
+select: 1
+setgid: 1
+settimeofday: 1
+restart_syscall: 1
+setresgid: 1
+setgroups: 1
+setsockopt: 1
+bind: 1
+recvfrom: 1
+setresuid: 1
+nanosleep: 1
+clock_gettime: 1
+clock_settime: 1
+futex: 1
+getrlimit: 1
+set_robust_list: 1
+set_tid_address: 1
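Review bot: `execve: 1` and `clone: 1`, together with `mmap: 1` and `mprotect: 1`, are allowed with no argument filter and no comment, so this policy leaves an already-compromised process free to start another program or create executable mappings; only `socket` and `ioctl` are narrowed. Each of these entries, along with the privilege-changing group (`setgid`, `setgroups`, `setresgid`, `setresuid`) and the clock-setting pair (`settimeofday`, `clock_settime`), should carry a comment naming the code path that needs it, e.g. `# execve: <which binary is launched, and by which caller>`, so a later reviewer can drop entries that are no longer required. The `socket` rule also omits PF_INET6 (10); if IPv6 is deliberately unsupported, say so in the comment above it, since a resolver or connect path that opens an AF_INET6 socket would otherwise hit the filter. With `TEST=None` in the commit message, it is worth recording in a header comment how the syscall list was gathered (presumably from a trace of a normal run) so that it can be regenerated and checked.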