Add minijail seccomp policies for rmi4update

We've worked up seccomp policies for the wacom updater here, so
this patch adds minijail to the calls to the synaptics touch FW
updater, rmi4update.  This CL adds policies for the two
situations in which rmi4update is called: to query the active FW on
the touch controller, and to issue a FW update.  The FW updating
scripts are also modified to invoke the updater utility through
minijail only.  The policies were generated on a Lulu, by using
strace's output on similar uses.

BUG=chromium:641147
TEST=manually tested on a Lulu

Change-Id: I978ba3c13cbb3b8a85990f5e3c39cc4c56bab143
Signed-off-by: Charlie Mooney <charliemooney@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/376160
Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/policies/rmi4update.query.policy b/policies/rmi4update.query.policy
new file mode 100644
index 0000000..d525c36
--- /dev/null
+++ b/policies/rmi4update.query.policy
@@ -0,0 +1,26 @@
+# Copyright 2016 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# These seccomp rules specify the syscalls used by the Synaptics touch FW
+# updater tool rmi4update when querying a device to see what its current
+# FW version is.  To actually perform an update, more syscalls are needed
+# and are supplied in a different policy file.
+
+write: 1
+read: 1
+select: 1
+ioctl: 1
+brk: 1
+restart_syscall: 1
+exit: 1
+rt_sigreturn: 1
+exit_group: 1
+mmap: 1
+arch_prctl: 1
+uname: 1
+readlink: 1
+close: 1
+open: 1
+fstat: 1
+execve: 1
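Review bot: `ioctl: 1` lets the process issue any ioctl request on any descriptor it holds, which leaves the widest part of the kernel interface unfiltered; the same line appears in rmi4update.update.policy. Minijail policies accept argument filters, so the rule can be narrowed to the request numbers seen in the strace capture, for example `ioctl: arg1 == <REQUEST_1> || arg1 == <REQUEST_2>` (placeholders, the real values are not on this page). `mmap: 1` could likewise be tightened to refuse writable-and-executable mappings with `mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE`, if the minijail version in the tree supports that form.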
diff --git a/policies/rmi4update.update.policy b/policies/rmi4update.update.policy
new file mode 100644
index 0000000..7d6034c
--- /dev/null
+++ b/policies/rmi4update.update.policy
@@ -0,0 +1,35 @@
+# Copyright 2016 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# These seccomp rules specify the syscalls used by the Synaptics touch FW
+# updater tool rmi4update when flashing a new firmware onto a device.  The
+# same tool is used to query the FW version, but that requires less
+# syscalls which are specified in a different policy file.
+
+write: 1
+read: 1
+select: 1
+getdents: 1
+close: 1
+openat: 1
+readlinkat: 1
+ioctl: 1
+open: 1
+clock_gettime: 1
+brk: 1
+lseek: 1
+readlink: 1
+inotify_init: 1
+nanosleep: 1
+inotify_add_watch: 1
+restart_syscall: 1
+exit: 1
+rt_sigreturn: 1
+uname: 1
+mmap: 1
+arch_prctl: 1
+fstat: 1
+fcntl: 1
+execve: 1
+exit_group: 1
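Review bot: The header comment does not say which board and architecture the allowlist was captured on, and a strace capture records only the code paths taken during that run. Names such as `arch_prctl`, `open`, `select` and `fstat` are the x86_64 forms, so on another architecture, or on an error path that was never traced, rmi4update would presumably be killed by the filter, and here that could happen partway through a flash. I would add a comment such as `# Captured with strace on Lulu (x86_64); re-capture per architecture and after rmi4update or libc upgrades.` and exercise failure cases (missing firmware file, device absent) under the policy before relying on it. The query policy has the same gap.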
diff --git a/scripts/chromeos-synaptics-touch-firmware-update.sh b/scripts/chromeos-synaptics-touch-firmware-update.sh
index 81b68df..d88679a 100644
--- a/scripts/chromeos-synaptics-touch-firmware-update.sh
+++ b/scripts/chromeos-synaptics-touch-firmware-update.sh
@@ -23,7 +23,8 @@
   local ret
 
   for i in $(seq 5); do
-    ${RMI4UPDATE} -f -d "$1" "$2"
+    minijail0 -S /opt/google/touch/policies/rmi4update.update.policy \
+        ${RMI4UPDATE} -f -d "$1" "$2"
 
     ret=$?
     if [ ${ret} -eq 0 ]; then
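Review bot: The `minijail0` call passes only `-S`, so rmi4update still runs with whatever uid and capabilities the script has, and the update policy's unconditional `open`, `openat`, `write` and `execve` mean the filter by itself does not limit which files it can touch. Adding `-n` sets no_new_privs so nothing exec'd from the tool can regain privilege: `minijail0 -n -S /opt/google/touch/policies/rmi4update.update.policy \`; if the device node permissions allow it, a dedicated user via `-u`/`-g` would go further. The same applies to the call in get_active_firmware_version in the next hunk. Separately, `ret=$?` now holds minijail0's status, so a seccomp kill is retried five times like a flash failure; logging `${ret}` before retrying would make policy violations visible. The enclosing function starts and ends outside this hunk.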
@@ -36,7 +37,8 @@
 
 get_active_firmware_version() {
   local touch_device_path="$1"
-  ${RMI4UPDATE} -p -d "${touch_device_path}"
+  minijail0 -S /opt/google/touch/policies/rmi4update.query.policy \
+      ${RMI4UPDATE} -p -d "${touch_device_path}"
 }
 
 find_fw_path() {
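Review bot: The policy directory `/opt/google/touch/policies/` is now spelled out at both minijail0 call sites, so a packaging change has to be made in two places. A single variable defined next to wherever `RMI4UPDATE` is set (outside this hunk), e.g. `RMI4UPDATE_POLICY_DIR="/opt/google/touch/policies"`, would keep them in step. `"${RMI4UPDATE}"` should also be quoted in the new lines unless it intentionally carries several words.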