security/chromiumos/third_party_whitelists.h - third_party/kernel - Git at Google

 /*
  * Linux Security Module for Chromium OS
  *
  * Copyright 2018 Google LLC. All Rights Reserved
  *
  * Authors:
  *      Micah Morton <mortonm@chromium.org>
  *
  * This software is licensed under the terms of the GNU General Public
  * License version 2, as published by the Free Software Foundation, and
  * may be copied, distributed, and modified under those terms.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  */

 #ifndef THIRD_PARTY_WHITELISTS_H
 #define THIRD_PARTY_WHITELISTS_H

 /*
  * NOTE: the purpose of this header is only to pull out the definition of this
  * array from alt-syscall.c for the purposes of readability. It should not be
  * included in other .c files.
  */

 #include "alt-syscall.h"

 static struct syscall_whitelist_entry third_party_whitelist[] = {
 	SYSCALL_ENTRY(accept),
 	SYSCALL_ENTRY(bind),
 	SYSCALL_ENTRY(brk),
 	SYSCALL_ENTRY(chdir),
 	SYSCALL_ENTRY(clock_gettime),
 	SYSCALL_ENTRY(clone),
 	SYSCALL_ENTRY(close),
 	SYSCALL_ENTRY(connect),
 	SYSCALL_ENTRY(dup),
 	SYSCALL_ENTRY(execve),
 	SYSCALL_ENTRY(exit),
 	SYSCALL_ENTRY(exit_group),
 	SYSCALL_ENTRY(fcntl),
 	SYSCALL_ENTRY(fstat),
 	SYSCALL_ENTRY(futex),
 	SYSCALL_ENTRY(getcwd),
 	SYSCALL_ENTRY(getdents64),
 	SYSCALL_ENTRY(getpid),
 	SYSCALL_ENTRY(getpgid),
 	SYSCALL_ENTRY(getppid),
 	SYSCALL_ENTRY(getpriority),
 	SYSCALL_ENTRY(getsid),
 	SYSCALL_ENTRY(gettimeofday),
 	SYSCALL_ENTRY(ioctl),
 	SYSCALL_ENTRY(listen),
 	SYSCALL_ENTRY(lseek),
 	SYSCALL_ENTRY(madvise),
         SYSCALL_ENTRY(memfd_create),
 	SYSCALL_ENTRY(mprotect),
 	SYSCALL_ENTRY(munmap),
 	SYSCALL_ENTRY(nanosleep),
 	SYSCALL_ENTRY(openat),
 	SYSCALL_ENTRY(prlimit64),
 	SYSCALL_ENTRY(read),
 	SYSCALL_ENTRY(recvfrom),
 	SYSCALL_ENTRY(recvmsg),
 	SYSCALL_ENTRY(rt_sigaction),
 	SYSCALL_ENTRY(rt_sigprocmask),
 	SYSCALL_ENTRY(rt_sigreturn),
 	SYSCALL_ENTRY(sendfile),
 	SYSCALL_ENTRY(sendmsg),
 	SYSCALL_ENTRY(sendto),
 	SYSCALL_ENTRY(set_robust_list),
 	SYSCALL_ENTRY(set_tid_address),
 	SYSCALL_ENTRY(setpgid),
 	SYSCALL_ENTRY(setpriority),
 	SYSCALL_ENTRY(setsid),
 	SYSCALL_ENTRY(setsockopt),
 	SYSCALL_ENTRY(socket),
 	SYSCALL_ENTRY(socketpair),
 	SYSCALL_ENTRY(syslog),
 	SYSCALL_ENTRY(statfs),
 	SYSCALL_ENTRY(umask),
 	SYSCALL_ENTRY(uname),
 	SYSCALL_ENTRY(wait4),
 	SYSCALL_ENTRY(write),
 	SYSCALL_ENTRY(writev),

 	/*
 	 * Deprecated syscalls which are not wired up on new architectures
 	 * such as ARM64.
 	 */
 #ifndef CONFIG_ARM64
 	SYSCALL_ENTRY(access),
 	SYSCALL_ENTRY(creat),
 	SYSCALL_ENTRY(dup2),
 	SYSCALL_ENTRY(getdents),
 	SYSCALL_ENTRY(getpgrp),
 	SYSCALL_ENTRY(lstat),
 	SYSCALL_ENTRY(mkdir),
 	SYSCALL_ENTRY(open),
 	SYSCALL_ENTRY(pipe),
 	SYSCALL_ENTRY(poll),
 	SYSCALL_ENTRY(readlink),
 	SYSCALL_ENTRY(stat),
 	SYSCALL_ENTRY(unlink),
 #endif

 	/* ARM32 only syscalls. */
 #if defined(CONFIG_ARM)
 	SYSCALL_ENTRY(fcntl64),
 	SYSCALL_ENTRY(fstat64),
 	SYSCALL_ENTRY(geteuid32),
 	SYSCALL_ENTRY(getuid32),
 	SYSCALL_ENTRY(_llseek),
 	SYSCALL_ENTRY(lstat64),
 	SYSCALL_ENTRY(_newselect),
 	SYSCALL_ENTRY(mmap2),
 	SYSCALL_ENTRY(stat64),
 	SYSCALL_ENTRY(ugetrlimit),
 #endif

 	/* 64-bit only syscalls. */
 #if defined(CONFIG_X86_64) || defined(CONFIG_ARM64)
 	SYSCALL_ENTRY(getegid),
 	SYSCALL_ENTRY(geteuid),
 	SYSCALL_ENTRY(getgid),
 	SYSCALL_ENTRY(getrlimit),
 	SYSCALL_ENTRY(getuid),
 	SYSCALL_ENTRY(mmap),
 	SYSCALL_ENTRY(setgid),
 	SYSCALL_ENTRY(setuid),
 	/*
 	 * chown(2), lchown(2), and select(2) are deprecated and not wired up
 	 * on ARM64.
 	 */
 #ifndef CONFIG_ARM64
 	SYSCALL_ENTRY(select),
 #endif
 #endif

 	/* X86_64-specific syscalls. */
 #ifdef CONFIG_X86_64
 	SYSCALL_ENTRY(arch_prctl),
 #endif
 }; /* end third_party_whitelist */

 #ifdef CONFIG_COMPAT
 static struct syscall_whitelist_entry third_party_compat_whitelist[] = {
 	COMPAT_SYSCALL_ENTRY(access),
 	COMPAT_SYSCALL_ENTRY(brk),
 	COMPAT_SYSCALL_ENTRY(chdir),
 	COMPAT_SYSCALL_ENTRY(clock_gettime),
 	COMPAT_SYSCALL_ENTRY(clone),
 	COMPAT_SYSCALL_ENTRY(close),
 	COMPAT_SYSCALL_ENTRY(creat),
 	COMPAT_SYSCALL_ENTRY(dup),
 	COMPAT_SYSCALL_ENTRY(dup2),
 	COMPAT_SYSCALL_ENTRY(execve),
 	COMPAT_SYSCALL_ENTRY(exit),
 	COMPAT_SYSCALL_ENTRY(exit_group),
 	COMPAT_SYSCALL_ENTRY(fcntl),
 	COMPAT_SYSCALL_ENTRY(fcntl64),
 	COMPAT_SYSCALL_ENTRY(fstat),
 	COMPAT_SYSCALL_ENTRY(fstat64),
 	COMPAT_SYSCALL_ENTRY(futex),
 	COMPAT_SYSCALL_ENTRY(getcwd),
 	COMPAT_SYSCALL_ENTRY(getdents),
 	COMPAT_SYSCALL_ENTRY(getdents64),
 	COMPAT_SYSCALL_ENTRY(getegid),
 	COMPAT_SYSCALL_ENTRY(geteuid),
 	COMPAT_SYSCALL_ENTRY(geteuid32),
 	COMPAT_SYSCALL_ENTRY(getgid),
 	COMPAT_SYSCALL_ENTRY(getpgid),
 	COMPAT_SYSCALL_ENTRY(getpgrp),
 	COMPAT_SYSCALL_ENTRY(getpid),
 	COMPAT_SYSCALL_ENTRY(getpriority),
 	COMPAT_SYSCALL_ENTRY(getppid),
 	COMPAT_SYSCALL_ENTRY(getsid),
 	COMPAT_SYSCALL_ENTRY(gettimeofday),
 	COMPAT_SYSCALL_ENTRY(getuid),
 	COMPAT_SYSCALL_ENTRY(getuid32),
 	COMPAT_SYSCALL_ENTRY(ioctl),
 	COMPAT_SYSCALL_ENTRY(_llseek),
 	COMPAT_SYSCALL_ENTRY(lseek),
 	COMPAT_SYSCALL_ENTRY(lstat),
 	COMPAT_SYSCALL_ENTRY(lstat64),
 	COMPAT_SYSCALL_ENTRY(madvise),
         COMPAT_SYSCALL_ENTRY(memfd_create),
 	COMPAT_SYSCALL_ENTRY(mkdir),
 	COMPAT_SYSCALL_ENTRY(mmap2),
 	COMPAT_SYSCALL_ENTRY(mprotect),
 	COMPAT_SYSCALL_ENTRY(munmap),
 	COMPAT_SYSCALL_ENTRY(nanosleep),
 	COMPAT_SYSCALL_ENTRY(_newselect),
 	COMPAT_SYSCALL_ENTRY(open),
 	COMPAT_SYSCALL_ENTRY(openat),
 	COMPAT_SYSCALL_ENTRY(pipe),
 	COMPAT_SYSCALL_ENTRY(poll),
 	COMPAT_SYSCALL_ENTRY(prlimit64),
 	COMPAT_SYSCALL_ENTRY(read),
 	COMPAT_SYSCALL_ENTRY(readlink),
 	COMPAT_SYSCALL_ENTRY(rt_sigaction),
 	COMPAT_SYSCALL_ENTRY(rt_sigprocmask),
 	COMPAT_SYSCALL_ENTRY(rt_sigreturn),
 	COMPAT_SYSCALL_ENTRY(sendfile),
 	COMPAT_SYSCALL_ENTRY(set_robust_list),
 	COMPAT_SYSCALL_ENTRY(set_tid_address),
 	COMPAT_SYSCALL_ENTRY(setgid32),
 	COMPAT_SYSCALL_ENTRY(setuid32),
 	COMPAT_SYSCALL_ENTRY(setpgid),
 	COMPAT_SYSCALL_ENTRY(setpriority),
 	COMPAT_SYSCALL_ENTRY(setsid),
 	COMPAT_SYSCALL_ENTRY(stat),
 	COMPAT_SYSCALL_ENTRY(stat64),
 	COMPAT_SYSCALL_ENTRY(statfs),
 	COMPAT_SYSCALL_ENTRY(syslog),
 	COMPAT_SYSCALL_ENTRY(ugetrlimit),
 	COMPAT_SYSCALL_ENTRY(umask),
 	COMPAT_SYSCALL_ENTRY(uname),
 	COMPAT_SYSCALL_ENTRY(unlink),
 	COMPAT_SYSCALL_ENTRY(wait4),
 	COMPAT_SYSCALL_ENTRY(write),
 	COMPAT_SYSCALL_ENTRY(writev),

 	/* IA32 uses the common socketcall(2) entrypoint for socket calls. */
 #ifdef CONFIG_X86_64
 	COMPAT_SYSCALL_ENTRY(socketcall),
 #endif

 #ifdef CONFIG_ARM64
 	COMPAT_SYSCALL_ENTRY(accept),
 	COMPAT_SYSCALL_ENTRY(bind),
 	COMPAT_SYSCALL_ENTRY(connect),
 	COMPAT_SYSCALL_ENTRY(listen),
 	COMPAT_SYSCALL_ENTRY(recvfrom),
 	COMPAT_SYSCALL_ENTRY(recvmsg),
 	COMPAT_SYSCALL_ENTRY(sendmsg),
 	COMPAT_SYSCALL_ENTRY(sendto),
 	COMPAT_SYSCALL_ENTRY(setsockopt),
 	COMPAT_SYSCALL_ENTRY(socket),
 	COMPAT_SYSCALL_ENTRY(socketpair),
 #endif

 	/*
 	 * getrlimit(2) is deprecated and not wired in the ARM compat table
 	 * on ARM64.
 	 */
 #ifndef CONFIG_ARM64
 	COMPAT_SYSCALL_ENTRY(getrlimit),
 #endif

 }; /* end third_party_compat_whitelist */
 #endif /* CONFIG_COMPAT */

 #endif /* THIRD_PARTY_WHITELISTS_H */
	/*
	* Linux Security Module for Chromium OS
	*
	* Copyright 2018 Google LLC. All Rights Reserved
	*
	* Authors:
	* Micah Morton <mortonm@chromium.org>
	*
	* This software is licensed under the terms of the GNU General Public
	* License version 2, as published by the Free Software Foundation, and
	* may be copied, distributed, and modified under those terms.
	*
	* This program is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*/

	#ifndef THIRD_PARTY_WHITELISTS_H
	#define THIRD_PARTY_WHITELISTS_H

	/*
	* NOTE: the purpose of this header is only to pull out the definition of this
	* array from alt-syscall.c for the purposes of readability. It should not be
	* included in other .c files.
	*/

	#include "alt-syscall.h"

	static struct syscall_whitelist_entry third_party_whitelist[] = {
	SYSCALL_ENTRY(accept),
	SYSCALL_ENTRY(bind),
	SYSCALL_ENTRY(brk),
	SYSCALL_ENTRY(chdir),
	SYSCALL_ENTRY(clock_gettime),
	SYSCALL_ENTRY(clone),
	SYSCALL_ENTRY(close),
	SYSCALL_ENTRY(connect),
	SYSCALL_ENTRY(dup),
	SYSCALL_ENTRY(execve),
	SYSCALL_ENTRY(exit),
	SYSCALL_ENTRY(exit_group),
	SYSCALL_ENTRY(fcntl),
	SYSCALL_ENTRY(fstat),
	SYSCALL_ENTRY(futex),
	SYSCALL_ENTRY(getcwd),
	SYSCALL_ENTRY(getdents64),
	SYSCALL_ENTRY(getpid),
	SYSCALL_ENTRY(getpgid),
	SYSCALL_ENTRY(getppid),
	SYSCALL_ENTRY(getpriority),
	SYSCALL_ENTRY(getsid),
	SYSCALL_ENTRY(gettimeofday),
	SYSCALL_ENTRY(ioctl),
	SYSCALL_ENTRY(listen),
	SYSCALL_ENTRY(lseek),
	SYSCALL_ENTRY(madvise),
	SYSCALL_ENTRY(memfd_create),
	SYSCALL_ENTRY(mprotect),
	SYSCALL_ENTRY(munmap),
	SYSCALL_ENTRY(nanosleep),
	SYSCALL_ENTRY(openat),
	SYSCALL_ENTRY(prlimit64),
	SYSCALL_ENTRY(read),
	SYSCALL_ENTRY(recvfrom),
	SYSCALL_ENTRY(recvmsg),
	SYSCALL_ENTRY(rt_sigaction),
	SYSCALL_ENTRY(rt_sigprocmask),
	SYSCALL_ENTRY(rt_sigreturn),
	SYSCALL_ENTRY(sendfile),
	SYSCALL_ENTRY(sendmsg),
	SYSCALL_ENTRY(sendto),
	SYSCALL_ENTRY(set_robust_list),
	SYSCALL_ENTRY(set_tid_address),
	SYSCALL_ENTRY(setpgid),
	SYSCALL_ENTRY(setpriority),
	SYSCALL_ENTRY(setsid),
	SYSCALL_ENTRY(setsockopt),
	SYSCALL_ENTRY(socket),
	SYSCALL_ENTRY(socketpair),
	SYSCALL_ENTRY(syslog),
	SYSCALL_ENTRY(statfs),
	SYSCALL_ENTRY(umask),
	SYSCALL_ENTRY(uname),
	SYSCALL_ENTRY(wait4),
	SYSCALL_ENTRY(write),
	SYSCALL_ENTRY(writev),

	/*
	* Deprecated syscalls which are not wired up on new architectures
	* such as ARM64.
	*/
	#ifndef CONFIG_ARM64
	SYSCALL_ENTRY(access),
	SYSCALL_ENTRY(creat),
	SYSCALL_ENTRY(dup2),
	SYSCALL_ENTRY(getdents),
	SYSCALL_ENTRY(getpgrp),
	SYSCALL_ENTRY(lstat),
	SYSCALL_ENTRY(mkdir),
	SYSCALL_ENTRY(open),
	SYSCALL_ENTRY(pipe),
	SYSCALL_ENTRY(poll),
	SYSCALL_ENTRY(readlink),
	SYSCALL_ENTRY(stat),
	SYSCALL_ENTRY(unlink),
	#endif

	/* ARM32 only syscalls. */
	#if defined(CONFIG_ARM)
	SYSCALL_ENTRY(fcntl64),
	SYSCALL_ENTRY(fstat64),
	SYSCALL_ENTRY(geteuid32),
	SYSCALL_ENTRY(getuid32),
	SYSCALL_ENTRY(_llseek),
	SYSCALL_ENTRY(lstat64),
	SYSCALL_ENTRY(_newselect),
	SYSCALL_ENTRY(mmap2),
	SYSCALL_ENTRY(stat64),
	SYSCALL_ENTRY(ugetrlimit),
	#endif

	/* 64-bit only syscalls. */
	#if defined(CONFIG_X86_64) \|\| defined(CONFIG_ARM64)
	SYSCALL_ENTRY(getegid),
	SYSCALL_ENTRY(geteuid),
	SYSCALL_ENTRY(getgid),
	SYSCALL_ENTRY(getrlimit),
	SYSCALL_ENTRY(getuid),
	SYSCALL_ENTRY(mmap),
	SYSCALL_ENTRY(setgid),
	SYSCALL_ENTRY(setuid),
	/*
	* chown(2), lchown(2), and select(2) are deprecated and not wired up
	* on ARM64.
	*/
	#ifndef CONFIG_ARM64
	SYSCALL_ENTRY(select),
	#endif
	#endif

	/* X86_64-specific syscalls. */
	#ifdef CONFIG_X86_64
	SYSCALL_ENTRY(arch_prctl),
	#endif
	}; /* end third_party_whitelist */

	#ifdef CONFIG_COMPAT
	static struct syscall_whitelist_entry third_party_compat_whitelist[] = {
	COMPAT_SYSCALL_ENTRY(access),
	COMPAT_SYSCALL_ENTRY(brk),
	COMPAT_SYSCALL_ENTRY(chdir),
	COMPAT_SYSCALL_ENTRY(clock_gettime),
	COMPAT_SYSCALL_ENTRY(clone),
	COMPAT_SYSCALL_ENTRY(close),
	COMPAT_SYSCALL_ENTRY(creat),
	COMPAT_SYSCALL_ENTRY(dup),
	COMPAT_SYSCALL_ENTRY(dup2),
	COMPAT_SYSCALL_ENTRY(execve),
	COMPAT_SYSCALL_ENTRY(exit),
	COMPAT_SYSCALL_ENTRY(exit_group),
	COMPAT_SYSCALL_ENTRY(fcntl),
	COMPAT_SYSCALL_ENTRY(fcntl64),
	COMPAT_SYSCALL_ENTRY(fstat),
	COMPAT_SYSCALL_ENTRY(fstat64),
	COMPAT_SYSCALL_ENTRY(futex),
	COMPAT_SYSCALL_ENTRY(getcwd),
	COMPAT_SYSCALL_ENTRY(getdents),
	COMPAT_SYSCALL_ENTRY(getdents64),
	COMPAT_SYSCALL_ENTRY(getegid),
	COMPAT_SYSCALL_ENTRY(geteuid),
	COMPAT_SYSCALL_ENTRY(geteuid32),
	COMPAT_SYSCALL_ENTRY(getgid),
	COMPAT_SYSCALL_ENTRY(getpgid),
	COMPAT_SYSCALL_ENTRY(getpgrp),
	COMPAT_SYSCALL_ENTRY(getpid),
	COMPAT_SYSCALL_ENTRY(getpriority),
	COMPAT_SYSCALL_ENTRY(getppid),
	COMPAT_SYSCALL_ENTRY(getsid),
	COMPAT_SYSCALL_ENTRY(gettimeofday),
	COMPAT_SYSCALL_ENTRY(getuid),
	COMPAT_SYSCALL_ENTRY(getuid32),
	COMPAT_SYSCALL_ENTRY(ioctl),
	COMPAT_SYSCALL_ENTRY(_llseek),
	COMPAT_SYSCALL_ENTRY(lseek),
	COMPAT_SYSCALL_ENTRY(lstat),
	COMPAT_SYSCALL_ENTRY(lstat64),
	COMPAT_SYSCALL_ENTRY(madvise),
	COMPAT_SYSCALL_ENTRY(memfd_create),
	COMPAT_SYSCALL_ENTRY(mkdir),
	COMPAT_SYSCALL_ENTRY(mmap2),
	COMPAT_SYSCALL_ENTRY(mprotect),
	COMPAT_SYSCALL_ENTRY(munmap),
	COMPAT_SYSCALL_ENTRY(nanosleep),
	COMPAT_SYSCALL_ENTRY(_newselect),
	COMPAT_SYSCALL_ENTRY(open),
	COMPAT_SYSCALL_ENTRY(openat),
	COMPAT_SYSCALL_ENTRY(pipe),
	COMPAT_SYSCALL_ENTRY(poll),
	COMPAT_SYSCALL_ENTRY(prlimit64),
	COMPAT_SYSCALL_ENTRY(read),
	COMPAT_SYSCALL_ENTRY(readlink),
	COMPAT_SYSCALL_ENTRY(rt_sigaction),
	COMPAT_SYSCALL_ENTRY(rt_sigprocmask),
	COMPAT_SYSCALL_ENTRY(rt_sigreturn),
	COMPAT_SYSCALL_ENTRY(sendfile),
	COMPAT_SYSCALL_ENTRY(set_robust_list),
	COMPAT_SYSCALL_ENTRY(set_tid_address),
	COMPAT_SYSCALL_ENTRY(setgid32),
	COMPAT_SYSCALL_ENTRY(setuid32),
	COMPAT_SYSCALL_ENTRY(setpgid),
	COMPAT_SYSCALL_ENTRY(setpriority),
	COMPAT_SYSCALL_ENTRY(setsid),
	COMPAT_SYSCALL_ENTRY(stat),
	COMPAT_SYSCALL_ENTRY(stat64),
	COMPAT_SYSCALL_ENTRY(statfs),
	COMPAT_SYSCALL_ENTRY(syslog),
	COMPAT_SYSCALL_ENTRY(ugetrlimit),
	COMPAT_SYSCALL_ENTRY(umask),
	COMPAT_SYSCALL_ENTRY(uname),
	COMPAT_SYSCALL_ENTRY(unlink),
	COMPAT_SYSCALL_ENTRY(wait4),
	COMPAT_SYSCALL_ENTRY(write),
	COMPAT_SYSCALL_ENTRY(writev),

	/* IA32 uses the common socketcall(2) entrypoint for socket calls. */
	#ifdef CONFIG_X86_64
	COMPAT_SYSCALL_ENTRY(socketcall),
	#endif

	#ifdef CONFIG_ARM64
	COMPAT_SYSCALL_ENTRY(accept),
	COMPAT_SYSCALL_ENTRY(bind),
	COMPAT_SYSCALL_ENTRY(connect),
	COMPAT_SYSCALL_ENTRY(listen),
	COMPAT_SYSCALL_ENTRY(recvfrom),
	COMPAT_SYSCALL_ENTRY(recvmsg),
	COMPAT_SYSCALL_ENTRY(sendmsg),
	COMPAT_SYSCALL_ENTRY(sendto),
	COMPAT_SYSCALL_ENTRY(setsockopt),
	COMPAT_SYSCALL_ENTRY(socket),
	COMPAT_SYSCALL_ENTRY(socketpair),
	#endif

	/*
	* getrlimit(2) is deprecated and not wired in the ARM compat table
	* on ARM64.
	*/
	#ifndef CONFIG_ARM64
	COMPAT_SYSCALL_ENTRY(getrlimit),
	#endif

	}; /* end third_party_compat_whitelist */
	#endif /* CONFIG_COMPAT */

	#endif /* THIRD_PARTY_WHITELISTS_H */