# Copyright 2023 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Rules for jail_warden, which is union of the rules for the devices it creates,
# rules for creating devices, and rules for jailing devices.
#
# Format (minijail seccomp policy): "<syscall>: 1" allows the call
# unconditionally; "<syscall>: <expr>" allows it only when the argument
# expression holds (argN is the N-th syscall argument). Because this is an
# allow list, any syscall not named here is rejected by the filter.
#
# NOTE(review): several rules below were relaxed from their per-device form to
# resolve "duplicate syscall" errors when the device and jailing rules were
# merged (see the ANDROID comments). Each relaxation widens the filter for
# everything that runs under this policy; restoring the tighter variant where
# the merge allows it is the preferred fix.

# Copyright 2019 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This is an allow list of syscalls for most of crosvm devices.
#
# Note that some device policy files don't depend on this policy file
# because of some conflicts such as gpu_common.policy.
# If you want to modify policies for all the devices, please modify
# not only this file but also other *_common.policy files.

brk: 1
clock_gettime: 1
# ANDROID: modified to 1 because of duplicate error with jail_warden
# (the per-device restriction on clone flags is not applied here).
clone: 1
clone3: 1
close: 1
dup2: 1
dup: 1
epoll_create1: 1
epoll_ctl: 1
epoll_pwait: 1
epoll_wait: 1
eventfd2: 1
exit: 1
exit_group: 1
ftruncate: 1
futex: 1
getcwd: 1
getpid: 1
gettid: 1
gettimeofday: 1
io_uring_setup: 1
io_uring_register: 1
io_uring_enter: 1
kill: 1
lseek: 1
# ANDROID: modified to 1 because of duplicate error with jail_warden
madvise: 1
membarrier: 1
memfd_create: 1
# Memory protection: "arg2 in ~PROT_EXEC" holds when the PROT_EXEC bit is
# clear, "arg2 in ~PROT_WRITE" when PROT_WRITE is clear. Either alternative
# suffices, so R/W and R/X mappings are allowed but a mapping that is both
# writable and executable (W+X) is rejected.
# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
# Same W^X condition as mmap, applied to protection changes on existing maps.
# ANDROID: added PROT_WRITE because of duplicate error with jail_warden
mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
mremap: 1
munmap: 1
nanosleep: 1
clock_nanosleep: 1
pipe2: 1
poll: 1
ppoll: 1
read: 1
readlink: 1
readlinkat: 1
readv: 1
recvfrom: 1
recvmsg: 1
restart_syscall: 1
rseq: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
sched_getaffinity: 1
sched_yield: 1
sendmsg: 1
sendto: 1
set_robust_list: 1
sigaltstack: 1
# tgkill was restricted to "arg2 == SIGABRT" (abort only) --
# ANDROID(b/270404912): modified to 1 because of a duplicate error, so any
# signal number is now accepted.
tgkill: 1
write: 1
writev: 1
fcntl: 1
uname: 1

# ANDROID(b/271625758): disabled to fix duplicate syscall error.
# (The same two ioctl request codes are still permitted by the merged ioctl
# rule in the jailing section below.)
# ## Rules for vmm-swap
# userfaultfd: 1
# # 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
# ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00

# Rules used by jail_warden itself to create devices and build their jails
# (capability, namespace, mount and pivot_root setup, plus the device
# sockets/tap interfaces it hands over).
capget: 1
capset: 1
chdir: 1
chroot: 1
# ANDROID: merged with entry in common_device.policy
# clone: 1
fchdir: 1
getdents64: 1
# ioctl request codes allowed, in order:
#   FIONBIO (0x5421), SIOCGIFMTU (0x8921), SIOCSIFFLAGS (0x8914),
#   SIOCGIFFLAGS (0x8913), TCGETS (0x5401), TUNSETIFF (0x400454ca),
#   TUNSETVNETHDRSZ (0x400454d8), TUNSETOFFLOAD (0x400454d0),
#   UFFDIO_API (0xc018aa3f), USERFAULTFD_IOC_NEW (0xaa00)
ioctl: arg1 == 0x5421 || \
arg1 == 0x8921 || \
arg1 == 0x8914 || \
arg1 == 0x8913 || \
arg1 == 0x5401 || \
arg1 == 0x400454ca || \
arg1 == 0x400454d8 || \
arg1 == 0x400454d0 || \
arg1 == 0xc018aa3f || \
arg1 == 0xaa00
# ANDROID: merged with entry in common_device.policy
# madvise: 1
# ANDROID: merged with entry in common_device.policy
# mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
mount: 1
# ANDROID: merged with entry in common_device.policy
# mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
newfstatat: 1
openat: 1
pivot_root: 1
# prctl is limited to the jail-setup operations: enabling no_new_privs,
# setting securebits, installing a seccomp filter, dropping capabilities from
# the bounding set, and naming the thread.
prctl: arg0 == PR_SET_NO_NEW_PRIVS || \
arg0 == PR_SET_SECUREBITS || \
arg0 == PR_SET_SECCOMP || \
arg0 == PR_CAPBSET_DROP || \
arg0 == PR_SET_NAME
prlimit64: 1
setsid: 1
setsockopt: 1
# Only IPv4 and Unix-domain sockets may be created.
socket: arg0 == AF_INET || arg0 == AF_UNIX
socketpair: 1
statx: 1
# ANDROID: already exists in common_device.policy
# tgkill: 1
umount2: 1 # Create jail
unshare: 1