From a70445aa3b7bfef71b7ee888eaf614c83ded3c59 Mon Sep 17 00:00:00 2001
From: Yunlian Jiang
Date: Fri, 19 Oct 2018 12:04:45 -0700
Subject: [PATCH] crosvm: add openat to seccomp

This adds openat to a seccomp policy file if open is already there. We need this because glibc 2.25 changed it system call for open().
BUG=chromium:894614
TEST=None
Change-Id: Ie5b45d858e8d9ea081fd7bfda81709bda048d965
Reviewed-on: https://chromium-review.googlesource.com/1292129
Commit-Ready: Yunlian Jiang
Tested-by: Yunlian Jiang
Reviewed-by: Manoj Gupta
---
 seccomp/arm/9p_device.policy | 1 +
 seccomp/arm/9s.policy | 1 +
 seccomp/x86_64/9p_device.policy | 1 +
 seccomp/x86_64/9s.policy | 1 +
 seccomp/x86_64/gpu_device.policy | 1 +
 tests/plugin.policy | 1 +
 6 files changed, 6 insertions(+)

diff --git a/seccomp/arm/9p_device.policy b/seccomp/arm/9p_device.policy
index 52df2f0fc5..feff21d802 100644
--- a/seccomp/arm/9p_device.policy
+++ b/seccomp/arm/9p_device.policy
@@ -13,6 +13,7 @@ stat64: 1
 close: 1
 prctl: arg0 == PR_SET_NAME
 open: 1
+openat: 1
 fstat64: 1
 # ioctl(fd, FIOCLEX, 0) is equivalent to fcntl(fd, F_SETFD, FD_CLOEXEC).
 ioctl: arg1 == FIOCLEX
diff --git a/seccomp/arm/9s.policy b/seccomp/arm/9s.policy
index 494e68323e..153cf93d0b 100644
--- a/seccomp/arm/9s.policy
+++ b/seccomp/arm/9s.policy
@@ -6,6 +6,7 @@ read: 1
 write: 1
 stat64: 1
 open: 1
+openat: 1
 close: 1
 fstat64: 1
 lstat64: 1
diff --git a/seccomp/x86_64/9p_device.policy b/seccomp/x86_64/9p_device.policy
index 6a9d64af15..f86d7b3930 100644
--- a/seccomp/x86_64/9p_device.policy
+++ b/seccomp/x86_64/9p_device.policy
@@ -12,6 +12,7 @@ stat: 1
 lstat: 1
 close: 1
 open: 1
+openat: 1
 fstat: 1
 # ioctl(fd, FIOCLEX, 0) is equivalent to fcntl(fd, F_SETFD, FD_CLOEXEC).
 ioctl: arg1 == FIOCLEX
diff --git a/seccomp/x86_64/9s.policy b/seccomp/x86_64/9s.policy
index 22600bf2b1..400cca38b9 100644
--- a/seccomp/x86_64/9s.policy
+++ b/seccomp/x86_64/9s.policy
@@ -7,6 +7,7 @@ write: 1
 lstat: 1
 stat: 1
 open: 1
+openat: 1
 close: 1
 fstat: 1
 getdents: 1
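Review bot: The new `openat: 1` line in seccomp/arm/9p_device.policy is unconditional and carries no comment, and the same holds for the hunks in seccomp/arm/9s.policy, seccomp/x86_64/9p_device.policy and seccomp/x86_64/9s.policy. It mirrors the existing `open: 1`, so the filter still places no limit on the path or flags used, and confinement of these processes rests on whatever filesystem isolation they run under, which this diff does not show. I would add a comment above the line such as `# glibc 2.25+ implements open() via openat(2); keep both while older libcs are supported.` so that neither rule is later dropped as redundant. If the rule is ever narrowed by argument, note that openat takes its flags in arg2 whereas open takes them in arg1, so a filter copied from an `open` rule would test the wrong argument. The commit records TEST=None, so it is worth confirming under the new glibc that each affected device starts without being killed by the filter.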
diff --git a/seccomp/x86_64/gpu_device.policy b/seccomp/x86_64/gpu_device.policy
index de16d39453..691060a07b 100644
--- a/seccomp/x86_64/gpu_device.policy
+++ b/seccomp/x86_64/gpu_device.policy
@@ -3,6 +3,7 @@
 # found in the LICENSE file.
 
 open: 1
+openat: 1
 close: 1
 sigaltstack: 1
 munmap: 1
diff --git a/tests/plugin.policy b/tests/plugin.policy
index 773ea24bfe..460515dac9 100644
--- a/tests/plugin.policy
+++ b/tests/plugin.policy
@@ -39,6 +39,7 @@ madvise: 1
 memfd_create: 1
 mmap: 1
 open: 1
+openat: 1
 recvmsg: 1
 restart_syscall: 1
 rt_sigaction: 1
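Review bot: The gpu_device change adds `openat: 1` for x86_64 only; the diffstat lists arm counterparts for 9p_device and 9s but none for gpu_device. If an arm GPU policy containing `open: 1` exists outside this diff, it needs the same line, otherwise that device would presumably be killed by the filter at its first open() on the newer glibc. Architectures not touched here should be checked in the same way, since the commit description says the rule was added wherever `open` was already present.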