crosvm/seccomp/README.md

# Policy files for crosvm

This folder holds the seccomp policies for crosvm devices, organized by architecture.

Each crosvm device can run within its owned jailed process. A jailed process is only able to perform
the system calls specified in the seccomp policy file the jail has been created with, which improves
security as a rogue process cannot perform any system call it wants.

Each device can run from different contexts, which require a different set of authorized system
calls. This file explains how the policy files are named in order to allow these various scenario.

## Naming conventions

Since Minijail only allows for one level of policy inclusion, we need to be a little bit creative in
order to minimize policy duplication.

- `common_device.policy` contains a set of syscalls that are common to all devices, and is never
  loaded directly - only included from other policy files.
- `foo.policy` contains the set of syscalls that device `foo` is susceptible to use, regardless of
  the underlying virtio transport. This policy is also never loaded directly.
- `foo_device.policy` is the policy that is loaded when device `foo` is used as an in-VMM (i.e.
  regular virtio) device. It will generally simply include `common_device.policy` as well as
  `foo.policy`.

When using vhost-user, the virtio protocol needs to be sent over a different medium, e.g. a Unix
socket. Supporting this transport requires some extra system calls after the device is jailed, and
thus dedicated policies:

- `vhost_user.policy` contains the set of syscalls required by the regular (i.e. socket-based)
  vhost-user listener. It is never loaded directly.
- `vvu.policy` contains the set of syscalls required by the VFIO-based vhost-user (aka
  Virtio-Vhost-User) listener. It is also never loaded directly.
- `foo_device_vhost_user.policy` is the policy that is loaded when device `foo` is used as a regular
  vhost-user device. It will generally include `common_device.policy`, `vhost_user.policy` and
  `foo.policy`.
- `foo_device_vvu.policy` is the policy that is loaded when device `foo` is used as a VVU device. It
  will generally include `common_device.policy`, `vvu.policy` and `foo.policy`.
seccomp: define naming rules for policy files We are going to use separate policy files per device for the following scenarios: 1) Regular in-VMM virtio device, 2) Virtio device over vhost-user, 3) Virtio device over Vvu. Each of these scenarios require slightly different policies as a jailed device process needs to allow not only the system calls necessary for the device to function, but also those required by the virtio transport in use. This CL adds a README.md file to the seccomp directory that details the naming and policy inclusion rules, and updates the serial, xhci and coiommu policies to follow the naming scheme. Vhost-user and VVU policy files will be added along with support for jailing devices when they are in use. BUG=b:217480043 TEST=serial device works with `crosvm run`. Change-Id: I6d454aa6e05d00691fe3346e822ed1fc7b24aed8 Signed-off-by: Alexandre Courbot <acourbot@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3706490 Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> 2022-06-15 07:58:14 +00:00			`# Policy files for crosvm`

			`This folder holds the seccomp policies for crosvm devices, organized by architecture.`

			`Each crosvm device can run within its owned jailed process. A jailed process is only able to perform`
			`the system calls specified in the seccomp policy file the jail has been created with, which improves`
			`security as a rogue process cannot perform any system call it wants.`

			`Each device can run from different contexts, which require a different set of authorized system`
			`calls. This file explains how the policy files are named in order to allow these various scenario.`

			`## Naming conventions`

			`Since Minijail only allows for one level of policy inclusion, we need to be a little bit creative in`
			`order to minimize policy duplication.`

			- `common_device.policy` contains a set of syscalls that are common to all devices, and is never
			`loaded directly - only included from other policy files.`
			- `foo.policy` contains the set of syscalls that device `foo` is susceptible to use, regardless of
			`the underlying virtio transport. This policy is also never loaded directly.`
			- `foo_device.policy` is the policy that is loaded when device `foo` is used as an in-VMM (i.e.
			regular virtio) device. It will generally simply include `common_device.policy` as well as
			`foo.policy`.

			`When using vhost-user, the virtio protocol needs to be sent over a different medium, e.g. a Unix`
			`socket. Supporting this transport requires some extra system calls after the device is jailed, and`
			`thus dedicated policies:`

			- `vhost_user.policy` contains the set of syscalls required by the regular (i.e. socket-based)
			`vhost-user listener. It is never loaded directly.`
			- `vvu.policy` contains the set of syscalls required by the VFIO-based vhost-user (aka
			`Virtio-Vhost-User) listener. It is also never loaded directly.`
			- `foo_device_vhost_user.policy` is the policy that is loaded when device `foo` is used as a regular
			vhost-user device. It will generally include `common_device.policy`, `vhost_user.policy` and
			`foo.policy`.
			- `foo_device_vvu.policy` is the policy that is loaded when device `foo` is used as a VVU device. It
			will generally include `common_device.policy`, `vvu.policy` and `foo.policy`.