mirrors/crosvm
1
0
Fork 0
mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2024-10-23 20:59:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
crosvm/seccomp/aarch64/fs_device.policy
Daniel Verkamp 6a7fdb4510 seccomp: add getcwd and readlink to common policy for panic 
The panic handler uses getcwd and readlink to print out the executable
name in the backtrace. Allow these for all devices so that panics
actually work instead of crashing the process.

BUG=None
TEST=intentionally panic crosvm on kevin and check /var/log/messages

Change-Id: If64a752a6f0b1f2f6bdd6663ce77078305f38171
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3309201
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
2021-12-02 23:18:03 +00:00

59 lines
1.2 KiB
Text
Raw Blame History

# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@include /usr/share/policy/crosvm/common_device.policy
copy_file_range: 1
fallocate: 1
fchdir: 1
fchmod: 1
fchmodat: 1
fchown: 1
fchownat: 1
fdatasync: 1
fgetxattr: 1
getxattr: 1
fsetxattr: 1
setxattr: 1
flistxattr: 1
listxattr: 1
fremovexattr: 1
removexattr: 1
fsync: 1
newfstatat: 1
fstatfs: 1
ftruncate: 1
getdents64: 1
getegid: 1
geteuid: 1
getrandom: 1
# Use constants for verity ioctls since minijail doesn't understand them yet.
# 0x40806685 = FS_IOC_ENABLE_VERITY
# 0xc0046686 = FS_IOC_MEASURE_VERITY
ioctl: arg1 == FS_IOC_FSGETXATTR || \
arg1 == FS_IOC_FSSETXATTR || \
arg1 == FS_IOC_GETFLAGS || \
arg1 == FS_IOC_SETFLAGS || \
arg1 == FS_IOC_GET_ENCRYPTION_POLICY_EX || \
arg1 == 0x40806685 || \
arg1 == 0xc0046686
linkat: 1
lseek: 1
mkdirat: 1
mknodat: 1
openat: 1
preadv: 1
pwritev: 1
renameat2: 1
setresgid: 1
setresuid: 1
symlinkat: 1
umask: 1
unlinkat: 1
utimensat: 1
prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_SECUREBITS || arg0 == PR_GET_SECUREBITS
capget: 1
capset: 1
unshare: 1
Reference in a new issue View git blame Copy permalink