typecd: Add seccomp policy for amd64

BUG=b:152251292
TEST=Run the following and ensure typecd doesn't crash:
minijail -S <typecd_policy_file> -- /usr/bin/typecd

Change-Id: I55ee347ba0b5eb4a1db6ea1bf34edae05c58d68c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2333355
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Prashant Malani <pmalani@chromium.org>
Tested-by: Prashant Malani <pmalani@chromium.org>
Auto-Submit: Prashant Malani <pmalani@chromium.org>
diff --git a/typecd/init/typecd.conf b/typecd/init/typecd.conf
index 47619f0..78f3139 100644
--- a/typecd/init/typecd.conf
+++ b/typecd/init/typecd.conf
@@ -35,6 +35,7 @@
 # - Inherit supplementary groups from from user typecd.
 # - Grant no caps.
 # - No new privileges (no_new_privs).
+# - Use the typecd seccomp policy.
 # - Execute the daemon.
 #
 # NOTE: We don't add "-e" since we want to receive udev events.
@@ -53,4 +54,5 @@
   -G                                                                         \
   -c 0                                                                       \
   -n                                                                         \
+  -S /usr/share/policy/typecd-seccomp.policy                                 \
   -- /usr/bin/typecd                                                         \
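Review bot: The `-S` path added here, `/usr/share/policy/typecd-seccomp.policy`, is architecture-neutral, but the only policy this commit adds is `typecd/seccomp/typecd-seccomp-amd64.policy`, and no install rule mapping one to the other is visible in the diff. If typecd is built for a non-amd64 board, the file would presumably be absent and minijail would refuse to start the daemon, so the other per-arch policies should land with this change or the job should be gated on architecture. The comment added in the first hunk could also name the source, e.g. `# - Use the typecd seccomp policy (installed from seccomp/typecd-seccomp-<arch>.policy).`. The minijail invocation starts and continues outside this hunk.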
diff --git a/typecd/seccomp/typecd-seccomp-amd64.policy b/typecd/seccomp/typecd-seccomp-amd64.policy
new file mode 100644
index 0000000..f226f6d
--- /dev/null
+++ b/typecd/seccomp/typecd-seccomp-amd64.policy
@@ -0,0 +1,36 @@
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+gettid: 1
+read: 1
+epoll_wait: 1
+lstat: 1
+write: 1
+epoll_ctl: 1
+fstat: 1
+openat: 1
+close: 1
+getrandom: 1
+recvmsg: 1
+getdents: 1
+readlinkat: 1
+stat: 1
+access: 1
+getuid: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+pipe2: 1
+brk: 1
+setsockopt: 1
+lseek: 1
+epoll_create1: 1
+getpid: 1
+socket: arg0 == AF_NETLINK
+bind: 1
+getsockname: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
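Review bot: The allowlist has no `mmap`, `munmap`, `mprotect` or `futex`, so a later allocation that the allocator serves with a mapping instead of `brk`, or any contended lock, would hit an unlisted syscall and the filter would kill the daemon. The TEST line covers only start-up, which suggests (the diff does not confirm it) that the list came from a short trace. I would add `munmap: 1` and `futex: 1`, and the memory calls with the usual W^X argument filter: `mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE` and `mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE`. The list also pins the current libc's syscall choices (`getdents`, `stat`/`lstat`/`fstat`), so listing `getdents64` and `newfstatat` alongside them would avoid a crash after a libc uprev. A header comment stating how the list was generated and which paths were exercised would help later audits, and should note that the unfiltered `bind: 1` and `setsockopt: 1` rely on `socket` being limited to `AF_NETLINK` and on no other socket fds being inherited.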