53cd18e062
Use fchmodat(), fchownat(), and utimensat() to implement the SET_ATTR request rather than using the non-'at' variants of these functions. These can operate on a file descriptor path using the /proc file handle and "self/fd/N" filename to modify the attributes of a file without actually opening it, which means we can avoid problems like not being able to open a read-only file with O_RDWR, which happened previously with chmod requests. This means we don't need to open the file at all, except in the case of a request that needs to set the size, since there is no equivalent truncateat() function.

BUG=chromium:1369647
TEST=touch /mnt/chromeos/MyFiles/Downloads/hello.txt
TEST=chmod -w /mnt/chromeos/MyFiles/Downloads/hello.txt
TEST=chmod +w /mnt/chromeos/MyFiles/Downloads/hello.txt
TEST=chmod a-r /mnt/chromeos/MyFiles/Downloads/hello.txt
TEST=chmod a+r /mnt/chromeos/MyFiles/Downloads/hello.txt
TEST=chown $USER /mnt/chromeos/MyFiles/Downloads/hello.txt
TEST=truncate -s1 /mnt/chromeos/MyFiles/Downloads/hello.txt

Change-Id: I0461ed231cc78b26bcc37ede1a364af984c87f8b
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/3935537
Reviewed-by: Alexandre Courbot <acourbot@chromium.org>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
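The technique the commit message describes, as an added example that is not crosvm's code: Python's `os.chmod`, `os.chown` and `os.utime` call `fchmodat()`, `fchownat()` and `utimensat()` when given a `dir_fd`, so passing a `/proc` directory descriptor and the relative name `self/fd/N` changes the attributes of the file behind `N` without reopening it. The file is opened `O_RDONLY` after being made read-only, which is exactly the case where an `O_RDWR` open would fail for an unprivileged caller. The temporary file, the `0o640` mode and the timestamp are constructed for the example; `demo()` returns `None` where `/proc` is not mounted.

```python
"""Set file attributes through /proc/self/fd/N with the *at() calls.
Added example, not crosvm code."""
import os
import stat
import tempfile

MTIME_NS = 1234567890000000000  # constructed timestamp (a whole second, so any fs granularity keeps it)


def set_attrs_via_proc(fd, mode=None, owner=None, times_ns=None):
    """Apply chmod/chown/utimes to the file behind `fd` without reopening it.

    `fd` may be O_RDONLY (or O_PATH): each *at() call resolves the "self/fd/N"
    magic link relative to a /proc dirfd, so no O_RDWR open of a read-only
    file is needed. Size changes are not covered; ftruncate() still needs a
    writable descriptor, as the commit message notes.
    """
    proc_fd = os.open("/proc", os.O_RDONLY | os.O_DIRECTORY)
    try:
        rel = f"self/fd/{fd}"
        if mode is not None:
            os.chmod(rel, mode, dir_fd=proc_fd)        # fchmodat(proc_fd, "self/fd/N", mode, 0)
        if owner is not None:
            uid, gid = owner
            os.chown(rel, uid, gid, dir_fd=proc_fd)    # fchownat(proc_fd, "self/fd/N", uid, gid, 0)
        if times_ns is not None:
            os.utime(rel, ns=times_ns, dir_fd=proc_fd)  # utimensat(proc_fd, "self/fd/N", ts, 0)
    finally:
        os.close(proc_fd)


def demo():
    """Create a read-only file, open it O_RDONLY, change mode/owner/mtime
    through /proc and report what fstat() on that same descriptor sees.

    Returns (mode bits, owner is caller, mtime_ns), or None without /proc.
    """
    if not os.path.isdir("/proc/self/fd"):
        return None
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hello.txt")  # constructed file
        with open(path, "w") as f:
            f.write("hello\n")
        os.chmod(path, 0o444)  # read-only: the case that broke a plain chmod() after an O_RDWR open
        fd = os.open(path, os.O_RDONLY)
        try:
            set_attrs_via_proc(
                fd,
                mode=0o640,
                owner=(os.getuid(), os.getgid()),  # chown to self needs no privilege
                times_ns=(MTIME_NS, MTIME_NS),
            )
            st = os.fstat(fd)
        finally:
            os.close(fd)
        return (stat.S_IMODE(st.st_mode), st.st_uid == os.getuid(), st.st_mtime_ns)


if __name__ == "__main__":
    print(demo())
```

Because the descriptor never had write access, a seccomp policy for the device only needs to allow the `*at()` calls and an `O_RDONLY`/`O_PATH` open; the read-only file is never opened for writing at any point.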
Directory contents: aarch64/, arm/, x86_64/, README.md
# Policy files for crosvm

This folder holds the seccomp policies for crosvm devices, organized by architecture.

Each crosvm device can run within its own jailed process. A jailed process is only able to perform the system calls specified in the seccomp policy file the jail has been created with, which improves security as a rogue process cannot perform any system call it wants.

Each device can run from different contexts, which require a different set of authorized system calls. This file explains how the policy files are named in order to allow these various scenarios.
## Naming conventions

Since Minijail only allows for one level of policy inclusion, we need to be a little bit creative in order to minimize policy duplication.
- `common_device.policy` contains a set of syscalls that are common to all devices, and is never loaded directly - only included from other policy files.
- `foo.policy` contains the set of syscalls that device `foo` may use, regardless of the underlying virtio transport. This policy is also never loaded directly.
- `foo_device.policy` is the policy that is loaded when device `foo` is used as an in-VMM (i.e. regular virtio) device. It will generally simply include `common_device.policy` as well as `foo.policy`.
When using vhost-user, the virtio protocol needs to be sent over a different medium, e.g. a Unix socket. Supporting this transport requires some extra system calls after the device is jailed, and thus dedicated policies:
- `vhost_user.policy` contains the set of syscalls required by the regular (i.e. socket-based) vhost-user listener. It is never loaded directly.
- `vvu.policy` contains the set of syscalls required by the VFIO-based vhost-user (aka Virtio-Vhost-User) listener. It is also never loaded directly.
- `foo_device_vhost_user.policy` is the policy that is loaded when device `foo` is used as a regular vhost-user device. It will generally include `common_device.policy`, `vhost_user.policy` and `foo.policy`.
- `foo_device_vvu.policy` is the policy that is loaded when device `foo` is used as a VVU device. It will generally include `common_device.policy`, `vvu.policy` and `foo.policy`.
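The layering described in both lists above, as an added example that is not part of crosvm: a small checker that resolves a loadable `*_device*.policy` file with exactly one level of `@include`, the way Minijail does, and flags a shared policy that itself includes another file. The policy texts are constructed for the example (a `foo` device, its in-VMM and vhost-user variants, and a deliberately broken `bad_device.policy`); the `/usr/share/policy/crosvm/` install prefix and the syscall lists are assumptions, and the merge order when two files list the same syscall is this checker's own choice.

```python
"""Checker for the one-level @include layering of Minijail policy files.
Added example, not crosvm code."""
import re
from typing import Dict, List, Tuple

# Constructed sample policies keyed by the path an @include line would use.
# The /usr/share/policy/crosvm/ prefix is an assumption for this example.
PREFIX = "/usr/share/policy/crosvm/"
POLICIES: Dict[str, str] = {
    PREFIX + "common_device.policy": (
        "# syscalls every jailed device needs; never loaded directly\n"
        "read: 1\nwrite: 1\nfutex: 1\nexit_group: 1\n"
    ),
    PREFIX + "foo.policy": (
        "# syscalls the hypothetical 'foo' device may use; never loaded directly\n"
        "ioctl: 1\nmmap: 1\n"
    ),
    PREFIX + "vhost_user.policy": (
        "# extra syscalls for the socket-based vhost-user listener\n"
        "recvmsg: 1\nsendmsg: 1\nsocket: arg0 == AF_UNIX\n"
    ),
    PREFIX + "foo_device.policy": (
        "@frequency ./foo_device.frequency\n"
        "@include " + PREFIX + "common_device.policy\n"
        "@include " + PREFIX + "foo.policy\n"
    ),
    PREFIX + "foo_device_vhost_user.policy": (
        "@include " + PREFIX + "common_device.policy\n"
        "@include " + PREFIX + "vhost_user.policy\n"
        "@include " + PREFIX + "foo.policy\n"
    ),
    # Deliberately wrong: includes a file that itself has @include lines,
    # which Minijail's single level of inclusion does not allow.
    PREFIX + "bad_device.policy": "@include " + PREFIX + "foo_device.policy\n",
}


class PolicyError(Exception):
    pass


RULE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(.+)$")  # "syscall: filter"


def parse_policy(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Split one policy file into its @include targets and its syscall rules."""
    includes, rules = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("@include "):
            includes.append(line[len("@include "):].strip())
        elif line.startswith(("@frequency ", "@default ")):
            continue  # directives that do not change the allowed syscall set
        else:
            m = RULE_RE.match(line)
            if not m:
                raise PolicyError(f"line {lineno}: cannot parse {raw!r}")
            rules[m.group(1)] = m.group(2)
    return includes, rules


def load_policy(path: str, store: Dict[str, str]) -> Dict[str, str]:
    """Resolve a loadable policy with exactly one level of @include.

    An included file that itself contains @include is rejected, matching the
    Minijail limitation the README works around.
    """
    if path not in store:
        raise PolicyError(f"missing policy file {path}")
    includes, rules = parse_policy(store[path])
    merged: Dict[str, str] = {}
    for inc in includes:
        if inc not in store:
            raise PolicyError(f"{path}: includes missing file {inc}")
        nested, inc_rules = parse_policy(store[inc])
        if nested:
            raise PolicyError(f"{path}: {inc} contains @include, nested inclusion is not allowed")
        merged.update(inc_rules)
    merged.update(rules)  # checker's choice: the loaded file's own rules win on conflict
    return merged


def check_layering(store: Dict[str, str]) -> List[str]:
    """Enforce the naming convention: only *_device*.policy files are loaded
    directly and may include; every other file must be an include-only leaf."""
    problems = []
    for path, text in store.items():
        name = path.rsplit("/", 1)[-1]
        includes, _ = parse_policy(text)
        loadable = "_device" in name and name != "common_device.policy"
        if loadable:
            try:
                load_policy(path, store)
            except PolicyError as e:
                problems.append(str(e))
        elif includes:
            problems.append(f"{name}: shared policy must not include other files")
    return sorted(problems)


if __name__ == "__main__":
    print(sorted(load_policy(PREFIX + "foo_device.policy", POLICIES)))
    print(check_layering(POLICIES))
```

Run against a real checkout, the same checker would read each architecture directory and report any policy whose include chain is deeper than Minijail accepts, before the jail fails to start at runtime.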