xref: /aosp_15_r20/external/crosvm/docs/book/src/appendix/seccomp.md (revision bb4ee6a4ae7042d18b07a98463b9c8b875e44b39)
# Seccomp

Seccomp filters the syscalls that a sandboxed process may make. crosvm uses the filter mode
(`SECCOMP_SET_MODE_FILTER`), in which the kernel runs a BPF program against every syscall the
process attempts and the program decides whether it proceeds. To generate the BPF programs, crosvm
uses minijail's policy file format. A policy file is written for each device per architecture:
each device requires a unique set of syscalls to accomplish its function, and each architecture
has slightly different names and numbers for similar syscalls. The ChromeOS docs have a useful
[listing of syscalls](https://www.chromium.org/chromium-os/developer-library/reference/linux-constants/syscalls/).

The seccomp policies are compiled from `.policy` source files into BPF bytecode by
[`jail/build.rs`](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/jail/build.rs)
and embedded in the crosvm executable, so it is not necessary to install the seccomp policy files,
only the crosvm binary itself. Because the bytecode is embedded at build time, a change to a policy
file has no effect until crosvm is rebuilt; remember to rebuild before testing the updated behavior.

## Writing a Policy for crosvm

The detailed rules for naming policy files can be found in
[jail/seccomp/README.md](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/jail/seccomp/README.md).

Most policy files will include the `common_device.policy` from a given architecture using this
directive near the top:

```
@include /usr/share/policy/crosvm/common_device.policy
```

The common device policy for `x86_64` is:

```
{{#include ../../../../jail/seccomp/x86_64/common_device.policy:5:}}
```

The syntax is simple: one syscall per line, followed by a colon `:`, followed by a boolean
expression over the syscall's arguments (`arg0` through `arg5`). The simplest expression is `1`,
which unconditionally allows the syscall. Only simple expressions work: comparisons and bit tests
against the raw argument values, which in practice means allowing or denying specific flags. A
major limitation is that checking the contents of pointers isn't possible using minijail's policy
format, because a seccomp filter only sees the register values of the call, never the memory they
point to; a policy cannot, for example, restrict `openat` by path. If a syscall is not listed in a
policy file, it is not allowed, and minijail's default action is to kill the offending process with
`SIGSYS`. While developing a policy, `crosvm run --seccomp-log-failures` logs the blocked syscall
instead of killing the process, which shows which entry is missing.
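
To make the semantics of that syntax concrete, here is an added example (not crosvm or minijail
code) that evaluates a policy against a syscall and its raw argument values the way the compiled BPF
filter would. It covers the forms shown above (`syscall: 1`, `argN == CONST`, `||`) and also
minijail's `&&`, `!=`, `&` and `in` operators and the `expr; return ERRNO` fallback, which this page
does not show. The constant table is a hand-copied subset of Linux x86_64 uapi values and the policy
text is constructed for the example; `@include` lines are skipped because the included file is not
available offline.

```python
"""Evaluator for minijail-style seccomp policy text. Added example; not
crosvm or minijail code. An unlisted syscall is treated as minijail does
by default: the process is killed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

MASK = (1 << 64) - 1

# Hand-copied subset of Linux x86_64 uapi values. A real compiler resolves
# these from the kernel headers, so this table is an assumption of the example.
CONSTANTS: Dict[str, int] = {
    "MADV_DONTNEED": 4, "MADV_FREE": 8, "MADV_REMOVE": 9, "MADV_DONTDUMP": 16,
    "PROT_READ": 1, "PROT_WRITE": 2, "PROT_EXEC": 4,
    "F_DUPFD_CLOEXEC": 1030, "CLONE_THREAD": 0x10000, "PR_SET_NAME": 15,
    "EPERM": 1, "ENOSYS": 38,
}

KILL, ALLOW = ("kill", 0), ("allow", 0)

# Constructed policy in the format described above; it is not a crosvm file.
SAMPLE_POLICY = """\
@include /usr/share/policy/crosvm/common_device.policy
read: 1
write: 1
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_REMOVE
mmap: arg2 in PROT_READ|PROT_WRITE
fcntl: arg1 == F_DUPFD_CLOEXEC
clone: arg0 & CLONE_THREAD
ioctl: return ENOSYS
prctl: arg0 == PR_SET_NAME; return EPERM
"""

@dataclass
class Rule:
    expr: str              # "1" matches always, "" never (bare "return ERRNO")
    errno: Optional[int]   # returned when expr does not match; None kills

_ATOM = re.compile(r"^arg(\d+)\s*(==|!=|&|in)\s*(.+)$")

def _value(tok: str) -> int:
    """Resolve `A|B`, `~X`, named constants and numeric literals."""
    tok = tok.strip()
    invert = tok.startswith("~")
    tok = tok[1:] if invert else tok
    v = 0
    for part in tok.split("|"):
        part = part.strip()
        v |= CONSTANTS[part] if part in CONSTANTS else int(part, 0)
    return (~v) & MASK if invert else v

def _atom(atom: str, args: Sequence[int]) -> bool:
    m = _ATOM.match(atom.strip())
    if not m:
        raise ValueError(f"unsupported expression: {atom!r}")
    idx, op, rhs = int(m.group(1)), m.group(2), _value(m.group(3))
    arg = args[idx]
    if op == "==":
        return arg == rhs
    if op == "!=":
        return arg != rhs
    if op == "&":
        return (arg & rhs) != 0
    return (arg & ~rhs) == 0      # "in": no bit set outside the allowed mask

def _matches(expr: str, args: Sequence[int]) -> bool:
    if expr == "1":
        return True
    if expr == "":
        return False
    # minijail precedence: `&&` binds tighter than `||`; no parentheses.
    return any(all(_atom(a, args) for a in conj.split("&&"))
               for conj in expr.split("||"))

def parse_policy(text: str) -> Dict[str, Rule]:
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):
            continue               # comment, or @include/@frequency (skipped)
        name, _, body = line.partition(":")
        expr, _, ret = (p.strip() for p in body.partition(";"))
        if expr.startswith("return"):          # bare "return ERRNO"
            expr, ret = "", expr
        errno = _value(ret.split()[1]) if ret else None
        rules[name.strip()] = Rule(expr, errno)
    return rules

def decide(rules: Dict[str, Rule], syscall: str, args: Sequence[int]) -> Tuple[str, int]:
    """Return the action the compiled filter would take for one syscall."""
    rule = rules.get(syscall)
    if rule is None:
        return KILL                # not listed: not allowed
    if _matches(rule.expr, args):
        return ALLOW
    return ("errno", rule.errno) if rule.errno is not None else KILL

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for call, args in [("madvise", [0, 4096, 4]), ("mmap", [0, 4096, 7]), ("openat", [0])]:
        print(call, args, "->", decide(rules, call, args))
```

The `mmap` case shows why `in` is the operator to reach for when constraining flag arguments: it
rejects any value with a bit outside the allowed mask, so `PROT_READ|PROT_WRITE|PROT_EXEC` fails
even though both permitted bits are set. Note also that every decision here is made on integer
register values alone; nothing in this format can look at a buffer or path that an argument points
to.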