# Policy files for crosvm

This folder holds the seccomp policies for crosvm devices, organized by architecture.

Each crosvm device can run within its own jailed process. A jailed process is only able to perform
the system calls specified in the seccomp policy file the jail has been created with, which improves
security as a rogue process cannot perform any system call it wants.

Each device can run from different contexts, which require a different set of authorized system
calls. This file explains how the policy files are named in order to allow these various scenarios.

## Naming conventions

Since Minijail only allows for one level of policy inclusion, we need to be a little bit creative in
order to minimize policy duplication.

- `common_device.policy` contains a set of syscalls that are common to all devices, and is never
  loaded directly - only included from other policy files.
- `foo.policy` contains the set of syscalls that device `foo` may use, regardless of the underlying
  virtio transport. This policy is also never loaded directly.
- `foo_device.policy` is the policy that is loaded when device `foo` is used as an in-VMM (i.e.
  regular virtio) device. It will generally simply include `common_device.policy` as well as
  `foo.policy`.

When using vhost-user, the virtio protocol needs to be sent over a different medium, e.g. a Unix
socket. Supporting this transport requires some extra system calls after the device is jailed, and
thus dedicated policies:

- `vhost_user.policy` contains the set of syscalls required by the regular (i.e. socket-based)
  vhost-user listener. It is never loaded directly.
- `foo_device_vhost_user.policy` is the policy that is loaded when device `foo` is used as a regular
  vhost-user device. It will generally include `common_device.policy`, `vhost_user.policy` and
  `foo.policy`.
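The one-level `@include` rule is easy to break by accident (for example by including
`foo_device.policy` from another loadable policy instead of `foo.policy`). The following checker is
an added example, not code from crosvm or Minijail: it parses a set of policies in Minijail's
`syscall: filter` / `@include file` syntax, expands each loadable policy by exactly one level, and
rejects any included file that itself carries `@include` lines or that conflicts with another
included file on the same syscall. The policy contents (`foo.policy`, `bad_device.policy`, the
syscall lists and ioctl numbers) are constructed for illustration and are not crosvm's real
policies; how conflicts are handled is this checker's own choice, not Minijail behaviour.

```python
"""Added example: check that loadable crosvm-style policies only include
policies that have no @include lines of their own (Minijail's one-level rule)."""
from __future__ import annotations


# Constructed sample policies following the naming convention described above.
# Syscall lists and argument filters are illustrative placeholders only.
SAMPLE_POLICIES: dict[str, str] = {
    "common_device.policy": """\
# Syscalls every jailed device needs; never loaded directly.
read: 1
write: 1
close: 1
exit_group: 1
futex: 1
""",
    "foo.policy": """\
# Syscalls specific to device foo, regardless of transport; never loaded directly.
ioctl: arg1 == 0x1234 || arg1 == 0x5678
mmap: arg2 in ~PROT_EXEC
""",
    "vhost_user.policy": """\
# Extra syscalls needed by the socket-based vhost-user listener.
recvmsg: 1
sendmsg: 1
accept4: 1
""",
    "foo_device.policy": """\
@include common_device.policy
@include foo.policy
""",
    "foo_device_vhost_user.policy": """\
@include common_device.policy
@include vhost_user.policy
@include foo.policy
""",
    # Deliberately wrong: includes a loadable policy, which nests an include.
    "bad_device.policy": """\
@include foo_device.policy
""",
}


def parse_policy(text: str) -> tuple[list[str], dict[str, str]]:
    """Split policy text into its @include targets and its syscall rules.

    Rules are returned as {syscall: filter_expression}; comments and blank
    lines are dropped; other @directives (e.g. @frequency) are ignored here.
    """
    includes: list[str] = []
    rules: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            includes.append(line.split(None, 1)[1].strip())
        elif line.startswith("@"):
            continue
        else:
            name, expr = line.split(":", 1)
            rules[name.strip()] = expr.strip()
    return includes, rules


def expand_policy(name: str, policies: dict[str, str]) -> dict[str, str]:
    """Return the effective syscall rules of a loadable policy.

    Includes are expanded exactly one level deep; an included file that has
    its own @include lines, or two included files that give different filters
    for the same syscall, are reported as errors.
    """
    includes, own_rules = parse_policy(policies[name])
    effective: dict[str, str] = {}
    for inc in includes:
        if inc not in policies:
            raise ValueError(f"{name}: included policy {inc!r} does not exist")
        sub_includes, sub_rules = parse_policy(policies[inc])
        if sub_includes:
            raise ValueError(
                f"{name}: {inc} has its own @include lines "
                f"({', '.join(sub_includes)}); Minijail allows only one level"
            )
        for syscall, expr in sub_rules.items():
            if syscall in effective and effective[syscall] != expr:
                raise ValueError(
                    f"{name}: conflicting filters for {syscall} "
                    f"({effective[syscall]!r} vs {expr!r} from {inc})"
                )
            effective[syscall] = expr
    # Rules written directly in the loadable policy take precedence.
    effective.update(own_rules)
    return effective


def check_all(policies: dict[str, str]) -> dict[str, str]:
    """Expand every policy that contains @include lines; return {name: error}."""
    errors: dict[str, str] = {}
    for name, text in policies.items():
        if parse_policy(text)[0]:
            try:
                expand_policy(name, policies)
            except ValueError as exc:
                errors[name] = str(exc)
    return errors


if __name__ == "__main__":
    for device in ("foo_device.policy", "foo_device_vhost_user.policy"):
        print(device, "->", sorted(expand_policy(device, SAMPLE_POLICIES)))
    for name, err in check_all(SAMPLE_POLICIES).items():
        print("ERROR:", err)
```

Run against a real checkout, the same functions can be fed a dict built by reading every
`*.policy` file in one architecture directory, so the check catches a nested include before Minijail
refuses the policy at jail creation time.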