Google Git
Sign in
chromium / chromiumos / platform / mtpd / 36d84953c7104d1950648647d19a973c1275fea6^! / .
commit36d84953c7104d1950648647d19a973c1275fea6[log] [tgz]
authorEric Caruso <[email protected]>Fri Sep 01 17:58:30 2017
committerchrome-bot <[email protected]>Fri Sep 01 23:41:58 2017
tree069486b906d0ce7b41bac0dc3854ab5e36d57684
parent2e3c3ca3b3a6add246f8e4bd314be5a070a85603 [diff]
mtpd: fix seccomp policy

After the refactor it looks like the message loop uses some
different syscalls, and we have a few extra syscalls to get the
uid/gid for the process as well. Prevent seccomp from killing
mtpd when it uses these new syscalls.

BUG=chromium:761247
TEST=deploy to minnie, cyan and successfully connect an
  MTP-supporting android device

Change-Id: I9cef6ec24b2dcae0f3b4e56742688d7297f1a928
Reviewed-on: https://chromium-review.googlesource.com/648077
Commit-Ready: Eric Caruso <[email protected]>
Tested-by: Eric Caruso <[email protected]>
Reviewed-by: Jorge Lucangeli Obes <[email protected]>
Reviewed-by: Ben Chan <[email protected]>

diff --git a/mtpd-seccomp-amd64.policy b/mtpd-seccomp-amd64.policy
index 3da830b..59df6af 100644
--- a/mtpd-seccomp-amd64.policy
+++ b/mtpd-seccomp-amd64.policy

@@ -52,8 +52,10 @@
 rt_sigreturn: 1
 chdir: 1
 pipe2: 1
-eventfd2: 1
+getuid: 1
+getgid: 1
 geteuid: 1
+getegid: 1
 fstat: 1
 uname: 1
 unlink: 1
@@ -68,3 +70,6 @@
 setpriority: 1
 getrandom: 1
 nanosleep: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1

diff --git a/mtpd-seccomp-arm.policy b/mtpd-seccomp-arm.policy
index e63d0af..0711c15 100644
--- a/mtpd-seccomp-arm.policy
+++ b/mtpd-seccomp-arm.policy

@@ -31,7 +31,6 @@
 clock_getres: 1
 sched_get_priority_min: 1
 connect: 1
-eventfd2: 1
 sched_getparam: 1
 rt_sigprocmask: 1
 access: 1
@@ -44,7 +43,10 @@
 setsockopt: 1
 # Allow socket(domain==PF_LOCAL) or socket(domain==PF_NETLINK)
 socket: arg0 == 0x1 || arg0 == 0x10
+getuid32: 1
+getgid32: 1
 geteuid32: 1
+getegid32: 1
 restart_syscall: 1
 exit: 1
 exit_group: 1
@@ -70,3 +72,6 @@
 setpriority: 1
 getrandom: 1
 nanosleep: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1

diff --git a/mtpd-seccomp-x86.policy b/mtpd-seccomp-x86.policy
index fd0e751..5b55d46 100644
--- a/mtpd-seccomp-x86.policy
+++ b/mtpd-seccomp-x86.policy

@@ -35,7 +35,6 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
-eventfd2: 1
 sched_getparam: 1
 rt_sigprocmask: 1
 access: 1
@@ -46,7 +45,10 @@
 set_thread_area: 1
 sigreturn: 1
 exit_group: 1
+getuid32: 1
+getgid32: 1
 geteuid32: 1
+getegid32: 1
 pipe2: 1
 gettimeofday: 1
 time: 1
@@ -64,3 +66,6 @@
 setpriority: 1
 getrandom: 1
 nanosleep: 1
+epoll_create1: 1
+epoll_ctl: 1
+epoll_wait: 1