mirrors/crosvm
1
0
Fork 0
mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-06 10:32:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
1372 commits 607 branches 2 tags 236 MiB
Commit graph

5 commits

Author SHA1 Message Date
Chirantan Ekbote
2977573365 seccomp: Add missing syscalls to fs device policy 
BUG=none
TEST=`tast run <dut> vm.Fio.virtiofs`

Change-Id: I937df0be738e0aa302a4ad3e87ed33ff97afb4fc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2089174
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
 2020-03-06 03:48:12 +00:00
Matt Delco
4389dab579 seccomp: remove redundant unconditional rules 
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall.  In most cases the rules
are redundant to common_device.policy.  I don't know what
to do about the intentionally contradictory rules for open
and openat, other than to remove then from the common device
policy and add it to all the others.

BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.

Change-Id: I6813dd1e0b39e975415662bd7de74c25a1be9eb3
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1918607
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
 2020-01-22 17:36:36 +00:00
Daniel Verkamp
5de0604f29 seccomp: allow statx syscall where stat/fstat was allowed 
This is used in Rust 1.40.0's libstd in place of stat/fstat; update the
whitelists to allow the new syscall as well.

BUG=chromium:1042461
TEST=`crosvm disk resize` does not trigger seccomp failure

Change-Id: Ia3f0e49ee009547295c7af7412dfb5eb3ac1efcb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2003685
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
 2020-01-17 23:04:03 +00:00
Chirantan Ekbote
4f9f5c7479 devices: fs: Support fs crypto ioctls 
Add support for FS_IOC_{GET,SET}_ENCRYPTION_POLICY.  Unfortunately,
since the I/O direction is encoded backwards in the ioctl definitions,
these will only work with on a kernel that's compiled with a patch to
mark them as unrestricted FUSE ioctls.

BUG=b:136127632
TEST=Compile and run the vfs_crypto.c program on a virtio-fs mount
     inside a VM

Change-Id: I124c5a943111b453dd44921a079a2baa1036dfd4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1952570
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
 2019-12-10 03:10:57 +00:00
Chirantan Ekbote
b0ac00745a Enable seccomp for virtio-fs 
Add x86_64 and arm seccomp policy files for the virtio-fs device.

BUG=b:136128319
TEST=Run a vm with a sandboxed virtio-fs device

Change-Id: I8ea7c5d3e90696077f0c2b1f942cb286a0b36cf4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1916559
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
 2019-11-19 17:59:49 +00:00