attestation: Add seccomp policies

BUG=chromium:357290
TEST=On each supported platform (x86, x86_64, arm), make sure that
     /usr/bin/attestation returns some uptime number.
CQ-DEPEND=CL:195622

Change-Id: Ibf2f5f79cb7d96ac749c682a6feb01b8b23d5eff
Reviewed-on: https://chromium-review.googlesource.com/195595
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Nam Nguyen <namnguyen@chromium.org>
Tested-by: Nam Nguyen <namnguyen@chromium.org>
diff --git a/attestation/server/attestationd-seccomp-amd64.policy b/attestation/server/attestationd-seccomp-amd64.policy
new file mode 100644
index 0000000..3fa6aec
--- /dev/null
+++ b/attestation/server/attestationd-seccomp-amd64.policy
@@ -0,0 +1,49 @@
+# Tested on wolf board
+gettid: 1
+getuid: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+getresuid: 1
+getresgid: 1
+
+clock_getres: 1
+clock_gettime: 1
+gettimeofday: 1
+time: 1
+
+# Allow socket(domain==PF_LOCAL) or socket(domain==PF_NETLINK)
+socket: arg0 == 0x1 || arg0 == 0x10
+socketpair: 1
+connect: 1
+getsockname: 1
+pipe: 1
+sendmsg: 1
+sendto: 1
+recvmsg: 1
+
+epoll_create: 1
+epoll_wait: 1
+epoll_ctl: 1
+poll: 1
+
+open: 1
+read: 1
+write: 1
+close: 1
+
+fstat: 1
+stat: 1
+lseek: 1
+fcntl: 1
+
+futex: 1
+
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+
+brk: 1
+mmap: 1
+munmap: 1
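Review bot: `mmap: 1` at the end of the hunk allows mappings that are both writable and executable, which is the one thing a seccomp policy for a privileged daemon can cheaply forbid; since the policy allows no `mprotect`, restricting it to `mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE` (or the equivalent numeric masks if this minijail version does not accept symbolic constants) closes the W+X path entirely. `open: 1` and `fcntl: 1` are likewise unfiltered; if the daemon only reads fixed files, an open-flags filter would tighten this further, but that needs checking against what attestationd actually opens. The `socket` domain filter (PF_LOCAL/PF_NETLINK) is correct for the stated intent.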
diff --git a/attestation/server/attestationd-seccomp-arm.policy b/attestation/server/attestationd-seccomp-arm.policy
new file mode 100644
index 0000000..358723b
--- /dev/null
+++ b/attestation/server/attestationd-seccomp-arm.policy
@@ -0,0 +1,48 @@
+# Tested on daisy_spring board
+gettid: 1
+getuid32: 1
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+getresuid32: 1
+getresgid32: 1
+
+clock_getres: 1
+clock_gettime: 1
+gettimeofday: 1
+
+# Allow socket(domain==PF_LOCAL) or socket(domain==PF_NETLINK)
+socket: arg0 == 0x1 || arg0 == 0x10
+socketpair: 1
+connect: 1
+getsockname: 1
+pipe: 1
+send: 1
+sendmsg: 1
+recvmsg: 1
+
+epoll_create: 1
+epoll_wait: 1
+epoll_ctl: 1
+poll: 1
+
+open: 1
+read: 1
+write: 1
+close: 1
+
+fstat64: 1
+stat64: 1
+_llseek: 1
+fcntl64: 1
+
+futex: 1
+
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+
+brk: 1
+mmap2: 1
+munmap: 1
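Review bot: `mmap2: 1` near the end of the hunk has the same gap as the amd64 file: it permits writable-and-executable mappings, and with no `mprotect` allowed, `mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE` would remove that capability outright. Separately, this policy allows `send` but not `sendto`, whereas amd64 allows only `sendto`; on ARM both syscalls exist and which one libc issues for send() varies by libc version, so a libc change could turn into a SIGSYS kill that the "tested on daisy_spring" note would not catch. Allowing both, or documenting why only `send` is needed, would make this robust across toolchain updates.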
diff --git a/attestation/server/attestationd-seccomp-x86.policy b/attestation/server/attestationd-seccomp-x86.policy
new file mode 100644
index 0000000..1aa8af0
--- /dev/null
+++ b/attestation/server/attestationd-seccomp-x86.policy
@@ -0,0 +1,43 @@
+# Tested on alex board
+gettid: 1
+geteuid32: 1
+getegid32: 1
+getuid32: 1
+getgid32: 1
+getresuid32: 1
+getresgid32: 1
+
+clock_getres: 1
+clock_gettime: 1
+gettimeofday: 1
+time: 1
+
+# TODO(namnguyen): filter socket system calls.
+socketcall: 1
+pipe: 1
+
+open: 1
+read: 1
+write: 1
+close: 1
+
+brk: 1
+mmap2: 1
+munmap: 1
+
+fstat64: 1
+stat64: 1
+_llseek: 1
+fcntl64: 1
+
+futex: 1
+
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+
+epoll_create: 1
+epoll_wait: 1
+epoll_ctl: 1
+poll: 1
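Review bot: `socketcall: 1` leaves the x86 policy without the socket restrictions the amd64 and arm files apply, so on this architecture the daemon can still open any socket family. The per-operation arguments of socketcall live in user memory that seccomp-bpf cannot inspect, so the PF_LOCAL/PF_NETLINK domain check cannot be expressed here, but arg0 (the operation number) can be, which at least confines the daemon to the operations the other two policies permit: `socketcall: arg0 == 1 || arg0 == 3 || arg0 == 6 || arg0 == 8 || arg0 == 9 || arg0 == 11 || arg0 == 16 || arg0 == 17` (SYS_SOCKET, SYS_CONNECT, SYS_GETSOCKNAME, SYS_SOCKETPAIR, SYS_SEND, SYS_SENDTO, SYS_SENDMSG, SYS_RECVMSG). The TODO should say explicitly that the domain filter is what remains out of reach rather than "filter socket system calls", so the next person does not spend time trying to reproduce the amd64 check.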
diff --git a/attestation/server/attestationd.conf b/attestation/server/attestationd.conf
index 45b24be..c5fb435 100644
--- a/attestation/server/attestationd.conf
+++ b/attestation/server/attestationd.conf
@@ -10,5 +10,6 @@
 expect fork
 respawn
 
-# TODO(namnguyen): further restrict privileges, see crbug.com/357290.
-exec minijail0 -i -n -u attestation -g attestation /usr/sbin/attestationd
+exec minijail0 -i -n -u attestation -g attestation \
+  -S /usr/share/policy/attestationd-seccomp.policy \
+  /usr/sbin/attestationd
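Review bot: The new `-S` argument points at a single `/usr/share/policy/attestationd-seccomp.policy`, while this commit adds three per-architecture files and nothing in the diff selects between them, so the mapping presumably happens in the install step of the dependent change (CL:195622). A comment in the conf would spare the next reader that search, e.g. `# Seccomp policy: installed per-arch from attestation/server/attestationd-seccomp-<arch>.policy`. It is also worth noting in the conf that a disallowed syscall kills the daemon with SIGSYS and `respawn` then restarts it, which is why the TEST step of checking that the client still returns an uptime is the right smoke test after any policy edit.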