mirrors/crosvm
1
0
Fork 0
mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-06 18:38:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
2877 commits 607 branches 2 tags 236 MiB
Commit graph

7 commits

Author SHA1 Message Date
Daniel Verkamp
f20c1cd1e8 wl: update seccomp policies for SYNC_IOC_FILE_INFO on arm 
Fixes https://crrev.com/c/3199298, which only added the new ioctl
argument to the seccomp syscall filters on x86.

BUG=b:169908659
TEST=tast.crostini.SecureCopyPaste.* on scarlet

Change-Id: Ifd44c7b403f862d5528d8cc3655f0cd2c71c6e13
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3276675
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Tested-by: Dennis Kempin <denniskempin@google.com>
 2021-11-11 19:31:37 +00:00
Jorge E. Moreira
c8cff01c36 Specify prctl's policy only once per device 
The libminijail version in AOSP complains when there are multiple entries for
the same system call, which was the case for virtio-fs's policy.

BUG=b/185811304

Change-Id: I389c07c86e7d79f16e4f47a893abad598033352a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2837307
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
 2021-04-20 22:50:20 +00:00
Chirantan Ekbote
a00991cd84 Replace dup with fcntl(F_DUPFD_CLOEXEC) 
Fds created via dup don't share file descriptor flags with the original
fd, which means that they don't have the FD_CLOEXEC flag set.  Use
fcntl(F_DUPFD_CLOEXEC) so that this flag gets set for the duplicated fds
as well.

BUG=none
TEST=unit tests

Change-Id: Ib471cf40acac1eacf72969ba45247f50b349ed58
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2809687
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2021-04-15 10:34:04 +00:00
Matt Delco
8488a0bbbb seccomp: remove redundant unconditional arm/arm64 rules 
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall.  In most cases the rules
are redundant to common_device.policy.

BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.

Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
 2020-02-04 23:27:21 +00:00
Zach Reizner
bae43dd4c9 seccomp: refactor policy into common_device.policy 
CQ-DEPEND=CL:1449895
BUG=None
TEST=vmc start termina

Change-Id: Ia3edaafc1d2958bd40e6b1adc89dd5e29b679b06
Reviewed-on: https://chromium-review.googlesource.com/1448292
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
 2019-02-07 03:02:12 -08:00
Daniel Verkamp
a0408258e0 seccomp: whitelist connect for wl_device 
The path to the wayland socket changed, so the previous whitelist based
on the connect() arg2 sockaddr_un size now fails.

BUG=None
TEST=Verify that release build of crosvm starts again on chromebook

Change-Id: I3c30977e7c1487b937d69e1dbce4b7fd87136978
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1234827
Reviewed-by: David Riley <davidriley@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2018-09-20 15:00:24 -07:00
Sonny Rao
b847858e66 seccomp: rename aarch64 -> arm 
These policies are not for aarch64 but use the 32-bit system calls.
We call it aarch64 support because that's what we're targetting for
the guest kernel, but it doesn't really make any sense to call the
seccomp policies aarch64 when we're building a 32-bit binary.
We can add real aarch64 seccomp policies when we start building a
aarch64 crosvm binary.

BUG=chromium:866197
TEST=emerge-kevin crosvm, run vm_CrosVmStart
CQ-DEPEND=CL:1145903

Change-Id: I7c5e70fbc127e4209ed392cfcf10ea36a6dd4b2c
Reviewed-on: https://chromium-review.googlesource.com/1145909
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
 2018-07-23 21:04:38 -07:00
Renamed from seccomp/aarch64/wl_device.policy (Browse further)