mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2024-11-24 20:48:55 +00:00
85a4efdbad
The monitor process uses the `jail` crate which devices use to create a sandbox.

The syscalls listed in the seccomp filter policy file are originally generated from a profile by strace. Also, there are additional syscalls from common_device.policy:

* another variant of syscalls in the profile
  * clone, dup, readlinkat
* the basic set which will be added by minijail compiler anyway.
  * restart_syscall, exit, exit_group, rt_sigreturn
* syscalls that appear only on DUT (not workstation).
  * set_robust_list, sigaltstack, rseq

Used `common_device.policy` as a reference for syscalls which require detailed conditions (e.g. clone, mmap, openat, etc).

This adds seccomp filter policy only for x86_64. The policy files for other architectures will be added later.

BUG=b:258351526
TEST=manually tested

Change-Id: I3e584449ed9330a57ae1d2bd6c56a7554b6584ef
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4253073
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: David Stevens <stevensd@chromium.org>
Commit-Queue: Shin Kawamura <kawasin@google.com>

- src
- tests
- Cargo.toml