Enable seccomp for virtio-fs

Add x86_64 and arm seccomp policy files for the virtio-fs device.

BUG=b:136128319
TEST=Run a vm with a sandboxed virtio-fs device

Change-Id: I8ea7c5d3e90696077f0c2b1f942cb286a0b36cf4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1916559
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>

seccomp/arm/fs_device.policy

@@ -0,0 +1,32 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+openat: 1
+
+@include /usr/share/policy/crosvm/common_device.policy
+
+fchmodat: 1
+fchownat: 1
+fgetxattr: 1
+fsetxattr: 1
+fstatat64: 1
+fstatfs64: 1
+ftruncate64: 1
+getdents64: 1
+getegid: 1
+geteuid: 1
+linkat: 1
+_llseek: 1
+mkdirat: 1
+mknodat: 1
+preadv: 1
+pwritev: 1
+readlinkat: 1
+renameat2: 1
+setresgid: 1
+setresuid: 1
+symlinkat: 1
+umask: 1
+unlinkat: 1
+utimensat: 1

seccomp/x86_64/fs_device.policy

@@ -0,0 +1,32 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+openat: 1
+
+@include /usr/share/policy/crosvm/common_device.policy
+
+fchmodat: 1
+fchownat: 1
+fgetxattr: 1
+fsetxattr: 1
+fstatfs: 1
+ftruncate: 1
+getdents64: 1
+getegid: 1
+geteuid: 1
+linkat: 1
+lseek: 1
+mkdirat: 1
+mknodat: 1
+newfstatat: 1
+preadv: 1
+pwritev: 1
+readlinkat: 1
+renameat2: 1
+setresgid: 1
+setresuid: 1
+symlinkat: 1
+umask: 1
+unlinkat: 1
+utimensat: 1

src/linux.rs

@@ -761,17 +761,16 @@ fn create_fs_device(
 
         j.no_new_privs();
 
-        // TODO(chirantan): Enable seccomp
         // Use TSYNC only for the side effect of it using SECCOMP_RET_TRAP, which will correctly kill
         // the entire device process if a worker thread commits a seccomp violation.
-        // let seccomp_policy = cfg.seccomp_policy_dir.join("9p_device.policy");
+        let seccomp_policy = cfg.seccomp_policy_dir.join("fs_device.policy");
-        // j.set_seccomp_filter_tsync();
+        j.set_seccomp_filter_tsync();
-        // if cfg.seccomp_log_failures {
+        if cfg.seccomp_log_failures {
-        //     j.log_seccomp_filter_failures();
+            j.log_seccomp_filter_failures();
-        // }
+        }
-        // j.parse_seccomp_filters(&seccomp_policy)
+        j.parse_seccomp_filters(&seccomp_policy)
-        //     .map_err(Error::DeviceJail)?;
+            .map_err(Error::DeviceJail)?;
-        // j.use_seccomp_filter();
+        j.use_seccomp_filter();
 
         // Don't do init setup.
         j.run_as_init();