authpolicy: Merge seccomp policies for 'kinit', 'smbclient' and 'net ads'.
This is enabling the missing 'sysinfo' syscall discovered
on the customer setup, plus even more syscalls so
'kinit', 'smbclient' and 'net ads' are using the same seccomp policies.
The rationale is that krb5 locator plugin is used now in 'kinit'
and 'smbclient', which may use the same syscalls as 'net ads' command.
It is for quick-fix build purposes only and should not be merged
to master.
BUG=chromium:1126010
TEST=emerge-${BOARD} authpolicy && test_that -b ${BOARD} ${IP_OF_DUT} enterprise_AuthPolicyDaemonServer.auth
Change-Id: I0d78f42196548ebd450191620f8994ed68e536e9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2429030
Reviewed-by: Gianluca Storto <gianluca@google.com>
Reviewed-by: Tomasz Dobrowolski <tomdobro@chromium.org>
Auto-Submit: Tomasz Dobrowolski <tomdobro@chromium.org>
Commit-Queue: Tomasz Dobrowolski <tomdobro@chromium.org>
Tested-by: Tomasz Dobrowolski <tomdobro@chromium.org>
diff --git a/authpolicy/seccomp_filters/kinit-seccomp.policy b/authpolicy/seccomp_filters/kinit-seccomp.policy
index 453286a..146c4da 100644
--- a/authpolicy/seccomp_filters/kinit-seccomp.policy
+++ b/authpolicy/seccomp_filters/kinit-seccomp.policy
@@ -7,6 +7,7 @@
arch_prctl: 1
bind: 1
brk: 1
+chdir: 1
clock_gettime: 1
clone: 1
close: 1
@@ -26,6 +27,7 @@
fsync: 1
ftruncate: 1
futex: 1
+getcwd: 1
getdents: 1
getegid: 1
geteuid: 1
@@ -35,10 +37,9 @@
getrlimit: 1
getsockname: 1
getsockopt: 1
+gettimeofday: 1
getuid: 1
-# ioctl: arg1 == SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS ||
-# arg1 == SNDCTL_TMR_START or SNDRV_TIMER_IOCTL_TREAD or TCSETS ||
-# arg1 == SNDCTL_TMR_CONTINUE or SNDRV_TIMER_IOCTL_GPARAMS or TCSETSF ||
+# ioctl: arg1 == TCGETS || arg1 == TCSETS || arg1 == TCSETSF ||
# arg1 == FIONREAD || arg1 == FIONBIO ||
# arg1 == SIOCGIFINDEX || arg1 == SIOCETHTOOL
ioctl: arg1 == 0x5401 || arg1 == 0x5402 || arg1 == 0x5404 || arg1 == 0x541b || arg1 == 0x5421 || arg1 == 0x8933 || arg1 == 0x8946
@@ -57,6 +58,7 @@
poll: 1
pread64: 1
preadv: 1
+prlimit64: arg2 == 0 && arg3 != 0
pwrite64: 1
pwritev: 1
read: 1
@@ -88,7 +90,3 @@
wait4: 1
write: 1
writev: 1
-
-getpid: 1
-prlimit64: arg2 == 0 && arg3 != 0
-gettimeofday: 1
diff --git a/authpolicy/seccomp_filters/net_ads-seccomp.policy b/authpolicy/seccomp_filters/net_ads-seccomp.policy
index a6ab704..146c4da 100644
--- a/authpolicy/seccomp_filters/net_ads-seccomp.policy
+++ b/authpolicy/seccomp_filters/net_ads-seccomp.policy
@@ -7,10 +7,12 @@
arch_prctl: 1
bind: 1
brk: 1
+chdir: 1
clock_gettime: 1
clone: 1
close: 1
connect: 1
+dup: 1
epoll_create: 1
epoll_ctl: 1
epoll_wait: 1
@@ -25,18 +27,19 @@
fsync: 1
ftruncate: 1
futex: 1
+getcwd: 1
getdents: 1
getegid: 1
geteuid: 1
getpeername: 1
+getpid: 1
getrandom: 1
getrlimit: 1
getsockname: 1
getsockopt: 1
+gettimeofday: 1
getuid: 1
-# ioctl: arg1 == SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS ||
-# arg1 == SNDCTL_TMR_START or SNDRV_TIMER_IOCTL_TREAD or TCSETS ||
-# arg1 == SNDCTL_TMR_CONTINUE or SNDRV_TIMER_IOCTL_GPARAMS or TCSETSF ||
+# ioctl: arg1 == TCGETS || arg1 == TCSETS || arg1 == TCSETSF ||
# arg1 == FIONREAD || arg1 == FIONBIO ||
# arg1 == SIOCGIFINDEX || arg1 == SIOCETHTOOL
ioctl: arg1 == 0x5401 || arg1 == 0x5402 || arg1 == 0x5404 || arg1 == 0x541b || arg1 == 0x5421 || arg1 == 0x8933 || arg1 == 0x8946
@@ -49,12 +52,15 @@
mprotect: arg2 in 0xfffffffb || arg2 in 0xfffffffd
msync: 1
munmap: 1
-msync: 1
openat: 1
open: 1
pipe: 1
poll: 1
+pread64: 1
+preadv: 1
+prlimit64: arg2 == 0 && arg3 != 0
pwrite64: 1
+pwritev: 1
read: 1
readv: 1
recvfrom: 1
@@ -82,9 +88,5 @@
unlink: 1
utime: 1
wait4: 1
-writev: 1
write: 1
-
-getpid: 1
-prlimit64: arg2 == 0 && arg3 != 0
-gettimeofday: 1
+writev: 1
diff --git a/authpolicy/seccomp_filters/smbclient-seccomp.policy b/authpolicy/seccomp_filters/smbclient-seccomp.policy
index 78fcf80..146c4da 100644
--- a/authpolicy/seccomp_filters/smbclient-seccomp.policy
+++ b/authpolicy/seccomp_filters/smbclient-seccomp.policy
@@ -3,6 +3,7 @@
# found in the LICENSE file.
access: 1
+alarm: 1
arch_prctl: 1
bind: 1
brk: 1
@@ -11,6 +12,7 @@
clone: 1
close: 1
connect: 1
+dup: 1
epoll_create: 1
epoll_ctl: 1
epoll_wait: 1
@@ -18,9 +20,11 @@
exit: 1
exit_group: 1
fallocate: 1
+fchmod: 1
fcntl: 1
fdatasync: 1
fstat: 1
+fsync: 1
ftruncate: 1
futex: 1
getcwd: 1
@@ -28,15 +32,17 @@
getegid: 1
geteuid: 1
getpeername: 1
+getpid: 1
getrandom: 1
getrlimit: 1
getsockname: 1
getsockopt: 1
+gettimeofday: 1
getuid: 1
-# ioctl: arg1 == TCGETS || arg1 == TCSETSF ||
+# ioctl: arg1 == TCGETS || arg1 == TCSETS || arg1 == TCSETSF ||
# arg1 == FIONREAD || arg1 == FIONBIO ||
# arg1 == SIOCGIFINDEX || arg1 == SIOCETHTOOL
-ioctl: arg1 == 0x5401 || arg1 == 0x5404 || arg1 == 0x541b || arg1 == 0x5421 || arg1 == 0x8933 || arg1 == 0x8946
+ioctl: arg1 == 0x5401 || arg1 == 0x5402 || arg1 == 0x5404 || arg1 == 0x541b || arg1 == 0x5421 || arg1 == 0x8933 || arg1 == 0x8946
lseek: 1
lstat: 1
kill: 1
@@ -50,33 +56,37 @@
open: 1
pipe: 1
poll: 1
+pread64: 1
+preadv: 1
+prlimit64: arg2 == 0 && arg3 != 0
pwrite64: 1
+pwritev: 1
read: 1
readv: 1
recvfrom: 1
recvmsg: 1
+rename: 1
restart_syscall: 1
rt_sigaction: 1
rt_sigprocmask: 1
rt_sigreturn: 1
rt_sigsuspend: 1
select: 1
-sendto: 1
+sendmmsg: 1
sendmsg: 1
+sendto: 1
setsockopt: 1
set_robust_list: 1
set_tid_address: 1
+shutdown: 1
# socket: arg0 == PF_INET || arg0 == PF_LOCAL || arg0 == PF_INET6 || arg0 == PF_NETLINK
socket: arg0 == 2 || arg0 == 1 || arg0 == 10 || arg0 == 16
stat: 1
+sysinfo: 1
umask: 1
uname: 1
unlink: 1
utime: 1
wait4: 1
-writev: 1
write: 1
-
-getpid: 1
-prlimit64: arg2 == 0 && arg3 != 0
-gettimeofday: 1
+writev: 1
