| Name | Date | Size | #Lines | LOC |
| - | - | - | - | - |
| .. | | | | |
| aarch64/ | 25-Apr-2025 | - | 3,057 | 2,939 |
| arm/ | 25-Apr-2025 | - | 3,169 | 3,067 |
| riscv64/ | 25-Apr-2025 | - | 2,548 | 2,499 |
| x86_64/ | 25-Apr-2025 | - | 3,474 | 3,319 |
| Android.bp | 25-Apr-2025 | 39.7 KiB | 1,569 | 1,424 |
| README.md | 25-Apr-2025 | 1.8 KiB | 34 | 25 |
| crosvm_seccomp_policy_product_packages.mk | 25-Apr-2025 | 3.5 KiB | 85 | 64 |
| detect_duplication.py | 25-Apr-2025 | 1 KiB | 30 | 10 |
| gen_android.sh | 25-Apr-2025 | 7.9 KiB | 260 | 224 |
| generate_constants.sh | 25-Apr-2025 | 1.7 KiB | 61 | 41 |
| policy-inliner.sh | 25-Apr-2025 | 2.2 KiB | 61 | 41 |
README.md
# Policy files for crosvm

This folder holds the seccomp policies for crosvm devices, organized by architecture.

Each crosvm device can run within its own jailed process. A jailed process is only able to perform
the system calls specified in the seccomp policy file the jail has been created with, which improves
security as a rogue process cannot perform any system call it wants.

Each device can run from different contexts, which require a different set of authorized system
calls. This file explains how the policy files are named in order to allow these various scenarios.

## Naming conventions

Since Minijail only allows for one level of policy inclusion, we need to be a little bit creative in
order to minimize policy duplication.

- `common_device.policy` contains a set of syscalls that are common to all devices, and is never
  loaded directly - only included from other policy files.
- `foo.policy` contains the set of syscalls that device `foo` is likely to use, regardless of
  the underlying virtio transport. This policy is also never loaded directly.
- `foo_device.policy` is the policy that is loaded when device `foo` is used as an in-VMM (i.e.
  regular virtio) device. It will generally simply include `common_device.policy` as well as
  `foo.policy`.

When using vhost-user, the virtio protocol needs to be sent over a different medium, e.g. a Unix
socket. Supporting this transport requires some extra system calls after the device is jailed, and
thus dedicated policies:

- `vhost_user.policy` contains the set of syscalls required by the regular (i.e. socket-based)
  vhost-user listener. It is never loaded directly.
- `foo_device_vhost_user.policy` is the policy that is loaded when device `foo` is used as a regular
  vhost-user device. It will generally include `common_device.policy`, `vhost_user.policy` and
  `foo.policy`.
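The two lists above describe a small include tree: leaf policies that are never loaded directly, and loadable `*_device*.policy` files that pull them in with `@include`. The script below is an added example (not crosvm's or Minijail's own tooling) that models that tree in memory and checks the two properties the README relies on: that a loadable policy resolves with only one level of inclusion, and that the vhost-user flavour of a device differs from the in-VMM flavour only by the listener syscalls. It assumes the Minijail policy syntax of `syscall: action` lines, `#` comments and `@include`; the device `foo` is the README's hypothetical device, and every syscall line in the sample tree is constructed for illustration rather than copied from a real crosvm policy. Real Minijail `@include` directives name a file path; here the names are keys into a dict so the example runs offline.

```python
"""Resolve and sanity-check a tree of Minijail-style seccomp policies.

Added example, not crosvm's own tooling. It models the README's scheme:
leaf policies (common_device, vhost_user, foo) are never loaded directly,
and the loadable *_device*.policy files pull them in with @include, which
Minijail only honours one level deep.
"""
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (syscall name, action or argument filter)

# Constructed sample policy tree following the README's naming conventions.
# The syscall lines are illustrative, not copied from the real crosvm policies.
SAMPLE_FILES: Dict[str, str] = {
    "common_device.policy": """\
# Syscalls every jailed device needs (constructed example).
read: 1
write: 1
close: 1
exit_group: 1
mmap: arg2 in ~PROT_EXEC
""",
    "vhost_user.policy": """\
# Extra syscalls for the socket-based vhost-user listener (constructed).
accept4: 1
recvmsg: 1
sendmsg: 1
""",
    "foo.policy": """\
# Device-specific syscalls for the hypothetical 'foo' device (constructed).
ioctl: arg1 == TUNSETIFF
readv: 1
""",
    "foo_device.policy": """\
@include common_device.policy
@include foo.policy
""",
    "foo_device_vhost_user.policy": """\
@include common_device.policy
@include vhost_user.policy
@include foo.policy
""",
    # Deliberate mistake: including a file that itself includes others,
    # which is the nested inclusion Minijail does not allow.
    "bad_device.policy": """\
@include foo_device.policy
""",
}


def parse_policy(text: str) -> Tuple[List[str], List[Rule]]:
    """Split one policy file into its @include targets and its syscall rules."""
    includes: List[str] = []
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            includes.append(line.split(None, 1)[1].strip())
        elif line.startswith("@"):
            continue  # other directives (@frequency, @default) are not modelled
        else:
            syscall, _, action = line.partition(":")
            rules.append((syscall.strip(), action.strip()))
    return includes, rules


def resolve(name: str, files: Dict[str, str]) -> List[Rule]:
    """Expand a loadable policy exactly one level deep, as Minijail does.

    An included file that itself contains @include is rejected, which is
    why the README's leaf policies (common_device, vhost_user, foo) must
    hold plain syscall lines only.
    """
    includes, rules = parse_policy(files[name])
    for inc in includes:
        if inc not in files:
            raise ValueError(f"{name}: missing include {inc}")
        nested, inc_rules = parse_policy(files[inc])
        if nested:
            raise ValueError(f"{name}: {inc} contains nested @include {nested}")
        rules.extend(inc_rules)
    return rules


def conflicting_rules(rules: List[Rule]) -> Dict[str, List[str]]:
    """Syscalls defined more than once after expansion, with every action seen.

    Duplicates across the included leaves are at best redundant and at worst
    give the same syscall two different filters, so they are worth flagging.
    """
    seen: Dict[str, List[str]] = {}
    for syscall, action in rules:
        seen.setdefault(syscall, []).append(action)
    return {s: a for s, a in seen.items() if len(a) > 1}


def check_tree(files: Dict[str, str]) -> Dict[str, str]:
    """Resolve every file as if loaded directly; report the ones that fail."""
    errors: Dict[str, str] = {}
    for name in files:
        try:
            resolve(name, files)
        except ValueError as exc:
            errors[name] = str(exc)
    return errors


def transport_delta(device: str, files: Dict[str, str]) -> List[str]:
    """Syscalls the vhost-user flavour of `device` allows beyond the in-VMM one."""
    in_vmm = {s for s, _ in resolve(f"{device}_device.policy", files)}
    vhost = {s for s, _ in resolve(f"{device}_device_vhost_user.policy", files)}
    return sorted(vhost - in_vmm)


if __name__ == "__main__":
    for policy in ("foo_device.policy", "foo_device_vhost_user.policy"):
        expanded = resolve(policy, SAMPLE_FILES)
        print(f"{policy}: {len(expanded)} rules, "
              f"duplicates={conflicting_rules(expanded)}")
    print("vhost-user adds:", transport_delta("foo", SAMPLE_FILES))
    print("rejected:", check_tree(SAMPLE_FILES))
```

Running it shows the in-VMM policy expanding to the common and device rules, the vhost-user policy adding exactly the listener syscalls from `vhost_user.policy`, and `bad_device.policy` being rejected for nesting an include; pointing `SAMPLE_FILES` at real policy text read from disk is the only change needed to apply the same check to an actual tree.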