swap: Add seccomp of swap_monitor for arm and aarch64

This CL add seccomp for arm and aarch64, based on the seccomp policy on x86-64. BUG=b:296146977 TEST=manually confirm arm & arm64 crosvm can launch with --swap parameter TEST=manually confirm the vmm swap work on corsola and kukui board Change-Id: I503c9f1d8b1010ef78b085b6784a97a7dbe6e406 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4792841 Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Commit-Queue: Shengsong Tan <sstan@chromium.org>
2024-11-25 05:03:05 +00:00 · 2023-08-18 12:25:44 +09:00 · 2023-08-18 12:25:44 +09:00 · 5b12ca8f02
commit 5b12ca8f02
parent 943afc20bc
2 changed files with 126 additions and 0 deletions
--- a/jail/seccomp/aarch64/swap_monitor.policy
+++ b/jail/seccomp/aarch64/swap_monitor.policy
@ -0,0 +1,62 @@
+# Copyright 2023 The ChromiumOS Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+brk: 1
+chdir: 1
+clone: arg0 & CLONE_THREAD
+clone3: 1
+close: 1
+dup3: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_pwait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+fallocate: 1
+fchdir: 1
+fcntl: 1
+ftruncate: 1
+futex: 1
+getcwd: 1
+getdents64: 1
+getpid: 1
+gettid: 1
+# 0xc020aa00 = UFFDIO_REGISTER, 0x8010aa01 == UFFDIO_UNREGISTER, 0x8010aa02 == UFFDIO_WAKE, 0xc028aa03 == UFFDIO_COPY, 0xc020aa04 == UFFDIO_ZEROPAGE
+ioctl: arg1 == 0xc020aa00 || arg1 == 0x8010aa01 || arg1 == 0x8010aa02 || arg1 == 0xc028aa03 || arg1 == 0xc020aa04
+lseek: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_WILLNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_MERGEABLE || arg2 == MADV_REMOVE
+memfd_create: 1
+mlock2: 1
+mmap: arg2 in ~PROT_EXEC
+mprotect: arg2 in ~PROT_EXEC
+munlock: 1
+munmap: 1
+newfstatat: 1
+openat: return ENOENT
+pipe2: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+pwrite64: 1
+read: 1
+readlinkat: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rseq: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+set_robust_list: 1
+sigaltstack: 1
+socket: 1
+statx: 1
+timerfd_create: 1
+timerfd_settime: 1
+timerfd_gettime: 1
+tgkill: arg2 == SIGABRT
+write: 1
--- a/jail/seccomp/arm/swap_monitor.policy
+++ b/jail/seccomp/arm/swap_monitor.policy
@ -0,0 +1,64 @@
+# Copyright 2023 The ChromiumOS Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+brk: 1
+chdir: 1
+clock_gettime64: 1
+clone: arg0 & CLONE_THREAD
+clone3: 1
+close: 1
+dup3: 1
+dup2: 1
+dup: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1
+eventfd2: 1
+exit: 1
+exit_group: 1
+fallocate: 1
+fchdir: 1
+fcntl: 1
+fstatat64: 1
+ftruncate64: 1
+futex: 1
+getcwd: 1
+getdents64: 1
+getpid: 1
+gettid: 1
+# 0xc020aa00 = UFFDIO_REGISTER, 0x8010aa01 == UFFDIO_UNREGISTER, 0x8010aa02 == UFFDIO_WAKE, 0xc028aa03 == UFFDIO_COPY, 0xc020aa04 == UFFDIO_ZEROPAGE
+ioctl: arg1 == 0xc020aa00 || arg1 == 0x8010aa01 || arg1 == 0x8010aa02 || arg1 == 0xc028aa03 || arg1 == 0xc020aa04
+_llseek: 1
+madvise: arg2 == MADV_DONTNEED || arg2 == MADV_WILLNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_MERGEABLE || arg2 == MADV_REMOVE
+memfd_create: 1
+mlock2: 1
+mmap2: 1
+mprotect: arg2 in ~PROT_EXEC
+munlock: 1
+munmap: 1
+openat: return ENOENT
+pipe2: 1
+ppoll: 1
+prctl: arg0 == PR_SET_NAME
+pwrite64: 1
+read: 1
+readlinkat: 1
+recvfrom: 1
+recvmsg: 1
+restart_syscall: 1
+rseq: 1
+rt_sigaction: 1
+rt_sigprocmask: 1
+rt_sigreturn: 1
+sched_getaffinity: 1
+sendmsg: 1
+set_robust_list: 1
+sigaltstack: 1
+socket: 1
+statx: 1
+timerfd_create: 1
+timerfd_settime: 1
+timerfd_gettime: 1
+tgkill: arg2 == SIGABRT
+write: 1