typecd: Add seccomp policy for ectool inventory

The 'ectool inventory' command gets used by debugd while handling the
org.chromium.debugd.EcGetInventory method call. Add the corresponding
seccomp policy that debugd needs to create the appropriate sandbox to
execute the aforementioned command.

BUG=b:171725237
TEST=Build and deploy an image to volteer. Execute the D-Bus method via
     command line and make sure that it returns the right output. The
     D-Bus command is:
     dbus-send --system --dest=org.chromium.debugd --print-reply
     /org/chromium/debugd org.chromium.debugd.EcGetInventory

Change-Id: I786ca10bcd242403b65bb1e943485f9ef071c8ed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2594270
Reviewed-by: Allen Webb <allenwebb@google.com>
Tested-by: Prashant Malani <pmalani@chromium.org>
Commit-Queue: Prashant Malani <pmalani@chromium.org>
diff --git a/typecd/seccomp/ectool_inventory-seccomp-amd64.policy b/typecd/seccomp/ectool_inventory-seccomp-amd64.policy
new file mode 100644
index 0000000..7dc817c
--- /dev/null
+++ b/typecd/seccomp/ectool_inventory-seccomp-amd64.policy
@@ -0,0 +1,52 @@
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# This seccomp policy is used by debugd while creating the sandbox to run the
+# following command:
+# ectool inventory
+#
+# This policy file was created using the following:
+# - Following the instructions listed in:
+# https://chromium.googlesource.com/chromiumos/docs/+/HEAD/
+# sandboxing.md#detailed-instructions-for-generating-a-seccomp-policy
+#
+# - Modifications to the ioctl settings based on similar usage in:
+# src/platform2/diagnostics/cros_healthd/seccomp/
+# ectool_i2cread-seccomp-amd64.policy
+openat: 1
+write: 1
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+stat: 1
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+fstat: 1
+close: 1
+read: 1
+# ioctl:
+# arg1 == _IOC(_IOC_READ|_IOC_WRITE, 0xec, 0x1, 0x108) (0xc108ec01) ||
+# arg1 == _IOC(_IOC_READ|_IOC_WRITE, 0xec, 0, 0x14) (0xc014ec00) ||
+# arg1 == _IOC(_IOC_READ|_IOC_WRITE, 0x3a, 0, 0x28) (0xc0283a00)
+#
+# Driver type 0x3a (":") = CROS_EC_DEV_IOC
+# (Old iotcl format, used by ChromeOS 3.18 and older)
+#
+# Driver type 0xec = CROS_EC_DEV_IOC_V2
+# (New ioctl format, used by ChromeOS 4.4 or later as well as upstream 4.0+)
+# Please refer to src/platform/ec/util/cros_ec_dev.h for more info.
+ioctl: arg1 == 0xc108ec01 || arg1 == 0xc014ec00 || arg1 == 0xc0283a00
+brk: 1
+rt_sigaction: 1
+access: 1
+arch_prctl: 1
+munmap: 1
+set_tid_address: 1
+set_robust_list: 1
+rt_sigprocmask: 1
+prlimit64: 1
+uname: 1
+exit_group: 1
+restart_syscall: 1
+exit: 1
+rt_sigreturn: 1
+connect: 1
+lseek: 1
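Review bot: `connect: 1` near the end of the policy is allowed unconditionally and without a comment, while no `socket` rule appears anywhere in the file, so a connect could only ever succeed on an inherited fd. If ectool genuinely needs it (for example to reach a logging socket), add a comment saying which socket, in the same style as the ioctl justification above; if it was merely observed by strace during policy generation and the command still works without it, drop the line so the sandbox does not grant a network-capable syscall that nothing uses. Minor: the comment reads "Old iotcl format" where "ioctl" is meant.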