Google Git
Sign in
chromium/chromiumos/platform/touch_updater/97e19f6c183413affb7dbef8b4265234b78f6365^!/.
commit
97e19f6c183413affb7dbef8b4265234b78f6365
[log] [tgz]
author
Jordan R Abrahams <ajordanr@google.com>
Tue Aug 24 20:48:08 2021
committer
Commit Bot <commit-bot@chromium.org>
Fri Aug 27 06:43:36 2021
tree
ae6d62666b0716092808f3332869a952b86f715e
parent
ccd2cea9eab1c3e8604235e89af42f3708f2277c [diff]
Add fstatfs(64) syscalls to seccomp policies

Due to a local security hardening patch in glibc, we're now
calling fstatfs and fstatfs64 during dlopen. This is crashing
dash and kmod at present, which we _suspect_ some of those
crashes may be due to uncaught errors in touch_updater policies,

Crashes were identified via crash.corp
dash: http://shortn/_eLdGeNd8sp
kmod: http://shortn/_IheitZgfkV

BUG=chromium:1182687
TEST=Check CQ for dash seccomp failures during HW tests

Change-Id: Ie2ac28ca6ba84b94139ec65ae52dd8e3e73a9b7f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/touch_updater/+/3116692
Tested-by: Jordan R Abrahams <ajordanr@google.com>
Commit-Queue: Jordan R Abrahams <ajordanr@google.com>
Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
Reviewed-by: Harry Cutts <hcutts@chromium.org>

diff --git a/etphidiap/policies/amd64/etphidiap.query.policy b/etphidiap/policies/amd64/etphidiap.query.policy
index 9c69733..fa7bcfe 100644
--- a/etphidiap/policies/amd64/etphidiap.query.policy
+++ b/etphidiap/policies/amd64/etphidiap.query.policy

@@ -24,3 +24,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/etphidiap/policies/amd64/etphidiap.update.policy b/etphidiap/policies/amd64/etphidiap.update.policy
index ae0bc47..2b92ef8 100644
--- a/etphidiap/policies/amd64/etphidiap.update.policy
+++ b/etphidiap/policies/amd64/etphidiap.update.policy

@@ -26,3 +26,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/amd64/elani2chid.query.policy b/policies/amd64/elani2chid.query.policy
index f3ff5a8..340a5c9 100644
--- a/policies/amd64/elani2chid.query.policy
+++ b/policies/amd64/elani2chid.query.policy

@@ -87,4 +87,5 @@
 getpid: 1
 geteuid: 1
 getppid: 1
-futex: 1
\ No newline at end of file
+futex: 1
+fstatfs: 1

diff --git a/policies/amd64/elani2chid.update.policy b/policies/amd64/elani2chid.update.policy
index b1b2773..33c7d8a 100644
--- a/policies/amd64/elani2chid.update.policy
+++ b/policies/amd64/elani2chid.update.policy

@@ -45,3 +45,4 @@
 dup2: 1
 futex: 1
 mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+fstatfs: 1

diff --git a/policies/amd64/emrightupdate.query.policy b/policies/amd64/emrightupdate.query.policy
index 0a6f4b4..c75695a 100644
--- a/policies/amd64/emrightupdate.query.policy
+++ b/policies/amd64/emrightupdate.query.policy

@@ -53,3 +53,4 @@
 getpid: 1
 geteuid: 1
 getppid: 1
+fstatfs: 1

diff --git a/policies/amd64/emrightupdate.update.policy b/policies/amd64/emrightupdate.update.policy
index 3b2a932..33d662b 100644
--- a/policies/amd64/emrightupdate.update.policy
+++ b/policies/amd64/emrightupdate.update.policy

@@ -39,3 +39,4 @@
 gettimeofday: 1
 openat: 1
 dup2: 1
+fstatfs: 1

diff --git a/policies/amd64/eps2pstiap.query.policy b/policies/amd64/eps2pstiap.query.policy
index 23a8a07..d821b1d 100644
--- a/policies/amd64/eps2pstiap.query.policy
+++ b/policies/amd64/eps2pstiap.query.policy

@@ -26,3 +26,4 @@
 rt_sigreturn: 1
 lseek: 1
 nanosleep: 1
+fstatfs: 1

diff --git a/policies/amd64/eps2pstiap.update.policy b/policies/amd64/eps2pstiap.update.policy
index 77270d8..6838d74 100644
--- a/policies/amd64/eps2pstiap.update.policy
+++ b/policies/amd64/eps2pstiap.update.policy

@@ -27,3 +27,4 @@
 lseek: 1
 nanosleep: 1
 clock_nanosleep: 1
+fstatfs: 1

diff --git a/policies/amd64/g2touch.query.policy b/policies/amd64/g2touch.query.policy
index 57b7527..59d95f8 100644
--- a/policies/amd64/g2touch.query.policy
+++ b/policies/amd64/g2touch.query.policy

@@ -28,3 +28,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/amd64/g2touch.update.policy b/policies/amd64/g2touch.update.policy
index 8e9bd82..b99de0a 100644
--- a/policies/amd64/g2touch.update.policy
+++ b/policies/amd64/g2touch.update.policy

@@ -31,3 +31,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/amd64/gdixupdate.query.policy b/policies/amd64/gdixupdate.query.policy
index 6d7d721..268940c 100644
--- a/policies/amd64/gdixupdate.query.policy
+++ b/policies/amd64/gdixupdate.query.policy

@@ -32,3 +32,4 @@
 getpid: 1
 nanosleep: 1
 clock_nanosleep: 1
+fstatfs: 1

diff --git a/policies/amd64/gdixupdate.update.policy b/policies/amd64/gdixupdate.update.policy
index 8adc708..fe73c65 100644
--- a/policies/amd64/gdixupdate.update.policy
+++ b/policies/amd64/gdixupdate.update.policy

@@ -33,3 +33,4 @@
 access: 1
 munmap: 1
 getpid: 1
+fstatfs: 1

diff --git a/policies/amd64/mfsupdate.query.policy b/policies/amd64/mfsupdate.query.policy
index 116edce..9c6eb0d 100644
--- a/policies/amd64/mfsupdate.query.policy
+++ b/policies/amd64/mfsupdate.query.policy

@@ -51,3 +51,4 @@
 set_tid_address: 1
 getsockname: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/amd64/mfsupdate.update.policy b/policies/amd64/mfsupdate.update.policy
index 9080a6e..f2c3b5a 100644
--- a/policies/amd64/mfsupdate.update.policy
+++ b/policies/amd64/mfsupdate.update.policy

@@ -57,3 +57,4 @@
 prlimit64: 1
 set_tid_address: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/amd64/pixtpfwup.query.policy b/policies/amd64/pixtpfwup.query.policy
index 1249fad..2440e2f 100644
--- a/policies/amd64/pixtpfwup.query.policy
+++ b/policies/amd64/pixtpfwup.query.policy

@@ -25,4 +25,4 @@
 arch_prctl: 1
 access: 1
 munmap: 1
-
+fstatfs: 1

diff --git a/policies/amd64/pixtpfwup.update.policy b/policies/amd64/pixtpfwup.update.policy
index 45af7af..ace040e 100644
--- a/policies/amd64/pixtpfwup.update.policy
+++ b/policies/amd64/pixtpfwup.update.policy

@@ -28,3 +28,4 @@
 access: 1
 munmap: 1
 openat: 1
+fstatfs: 1

diff --git a/policies/amd64/rmi4update.query.policy b/policies/amd64/rmi4update.query.policy
index 7da0172..9fc802b 100644
--- a/policies/amd64/rmi4update.query.policy
+++ b/policies/amd64/rmi4update.query.policy

@@ -39,3 +39,4 @@
 getrlimit: 1
 getpid: 1
 prlimit64: arg2 == 0 && arg3 != 0
+fstatfs: 1

diff --git a/policies/amd64/rmi4update.update.policy b/policies/amd64/rmi4update.update.policy
index 8d3e710..ad60d57 100644
--- a/policies/amd64/rmi4update.update.policy
+++ b/policies/amd64/rmi4update.update.policy

@@ -47,3 +47,4 @@
 getrlimit: 1
 getpid: 1
 prlimit64: arg2 == 0 && arg3 != 0
+fstatfs: 1

diff --git a/policies/amd64/sisupdate.query.policy b/policies/amd64/sisupdate.query.policy
index baec2eb..47f530c 100644
--- a/policies/amd64/sisupdate.query.policy
+++ b/policies/amd64/sisupdate.query.policy

@@ -36,3 +36,4 @@
 prlimit64: arg2 == 0 && arg3 != 0
 gettid: 1
 mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+fstatfs: 1

diff --git a/policies/amd64/sisupdate.update.policy b/policies/amd64/sisupdate.update.policy
index e4981c6..4eadcd1 100644
--- a/policies/amd64/sisupdate.update.policy
+++ b/policies/amd64/sisupdate.update.policy

@@ -40,3 +40,4 @@
 prlimit64: arg2 == 0 && arg3 != 0
 gettid: 1
 mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+fstatfs: 1

diff --git a/policies/amd64/wacom_flash.query.policy b/policies/amd64/wacom_flash.query.policy
index c391a87..e908fdc 100644
--- a/policies/amd64/wacom_flash.query.policy
+++ b/policies/amd64/wacom_flash.query.policy

@@ -29,3 +29,4 @@
 nanosleep: 1
 clock_nanosleep: 1
 getpid: 1
+fstatfs: 1

diff --git a/policies/amd64/wacom_flash.update.policy b/policies/amd64/wacom_flash.update.policy
index cb59162..95dc58e 100644
--- a/policies/amd64/wacom_flash.update.policy
+++ b/policies/amd64/wacom_flash.update.policy

@@ -30,3 +30,4 @@
 stat: 1
 write: 1
 getpid: 1
+fstatfs: 1

diff --git a/policies/amd64/wdt_util.query.policy b/policies/amd64/wdt_util.query.policy
index d734336..e3da2df 100644
--- a/policies/amd64/wdt_util.query.policy
+++ b/policies/amd64/wdt_util.query.policy

@@ -35,3 +35,4 @@
 
 getpid: 1
 prlimit64: arg2 == 0 && arg3 != 0
+fstatfs: 1

diff --git a/policies/amd64/wdt_util.update.policy b/policies/amd64/wdt_util.update.policy
index e8c5345..2eb0081 100644
--- a/policies/amd64/wdt_util.update.policy
+++ b/policies/amd64/wdt_util.update.policy

@@ -37,3 +37,4 @@
 
 getpid: 1
 prlimit64: arg2 == 0 && arg3 != 0
+fstatfs: 1

diff --git a/policies/amd64/zinitixupdate.query.policy b/policies/amd64/zinitixupdate.query.policy
index 39ae545..525b0e6 100644
--- a/policies/amd64/zinitixupdate.query.policy
+++ b/policies/amd64/zinitixupdate.query.policy

@@ -22,3 +22,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/amd64/zinitixupdate.update.policy b/policies/amd64/zinitixupdate.update.policy
index 023225f..7f1c5e2 100644
--- a/policies/amd64/zinitixupdate.update.policy
+++ b/policies/amd64/zinitixupdate.update.policy

@@ -26,3 +26,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/arm/elani2chid.query.policy b/policies/arm/elani2chid.query.policy
index 9276299..69da625 100644
--- a/policies/arm/elani2chid.query.policy
+++ b/policies/arm/elani2chid.query.policy

@@ -89,3 +89,5 @@
 getppid: 1
 ARM_set_tls: 1
 ugetrlimit: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/elani2chid.update.policy b/policies/arm/elani2chid.update.policy
index 1a7f6d0..e32468f 100644
--- a/policies/arm/elani2chid.update.policy
+++ b/policies/arm/elani2chid.update.policy

@@ -49,4 +49,6 @@
 munmap: 1
 ARM_set_tls: 1
 clock_gettime: 1
-clock_gettime64: 1
\ No newline at end of file
+clock_gettime64: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/g2touch.query.policy b/policies/arm/g2touch.query.policy
index 224933f..5c48055 100644
--- a/policies/arm/g2touch.query.policy
+++ b/policies/arm/g2touch.query.policy

@@ -22,3 +22,5 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/g2touch.update.policy b/policies/arm/g2touch.update.policy
index af5803a..ce1fb7a 100644
--- a/policies/arm/g2touch.update.policy
+++ b/policies/arm/g2touch.update.policy

@@ -28,3 +28,5 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/gdixupdate.query.policy b/policies/arm/gdixupdate.query.policy
index a0ee100..0c2de8b 100644
--- a/policies/arm/gdixupdate.query.policy
+++ b/policies/arm/gdixupdate.query.policy

@@ -23,4 +23,6 @@
 access: 1
 nanosleep: 1
 clock_nanosleep: 1
-clock_nanosleep_time64: 1
\ No newline at end of file
+clock_nanosleep_time64: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/gdixupdate.update.policy b/policies/arm/gdixupdate.update.policy
index 615100d..9ee8336 100644
--- a/policies/arm/gdixupdate.update.policy
+++ b/policies/arm/gdixupdate.update.policy

@@ -25,3 +25,5 @@
 exit: 1
 exit_group: 1
 read: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/pixtpfwup.query.policy b/policies/arm/pixtpfwup.query.policy
index 2d6911b..03a8ae7 100644
--- a/policies/arm/pixtpfwup.query.policy
+++ b/policies/arm/pixtpfwup.query.policy

@@ -32,3 +32,5 @@
 set_robust_list: 1
 rt_sigprocmask: 1
 exit: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/pixtpfwup.update.policy b/policies/arm/pixtpfwup.update.policy
index 74b087e..79a5e79 100644
--- a/policies/arm/pixtpfwup.update.policy
+++ b/policies/arm/pixtpfwup.update.policy

@@ -37,3 +37,5 @@
 ARM_set_tls: 1
 set_robust_list: 1
 uname: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/rmi4update.query.policy b/policies/arm/rmi4update.query.policy
index 42dce62..c4d8695 100644
--- a/policies/arm/rmi4update.query.policy
+++ b/policies/arm/rmi4update.query.policy

@@ -33,3 +33,5 @@
 getdents: 1
 getdents64: 1
 getpid: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/rmi4update.update.policy b/policies/arm/rmi4update.update.policy
index e6f7dff..eb9b3c7 100644
--- a/policies/arm/rmi4update.update.policy
+++ b/policies/arm/rmi4update.update.policy

@@ -43,3 +43,5 @@
 clock_gettime: 1
 clock_gettime64: 1
 getpid: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/wacom_flash.query.policy b/policies/arm/wacom_flash.query.policy
index 1f9e118..058646b 100644
--- a/policies/arm/wacom_flash.query.policy
+++ b/policies/arm/wacom_flash.query.policy

@@ -33,3 +33,5 @@
 clock_nanosleep: 1
 clock_nanosleep_time64: 1
 getpid: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/wacom_flash.update.policy b/policies/arm/wacom_flash.update.policy
index 15c2fc8..83af25b 100644
--- a/policies/arm/wacom_flash.update.policy
+++ b/policies/arm/wacom_flash.update.policy

@@ -34,3 +34,5 @@
 execve: 1
 _llseek: 1
 getpid: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/wdt_util.query.policy b/policies/arm/wdt_util.query.policy
index 5c026fb..ecdf978 100644
--- a/policies/arm/wdt_util.query.policy
+++ b/policies/arm/wdt_util.query.policy

@@ -31,3 +31,5 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm/wdt_util.update.policy b/policies/arm/wdt_util.update.policy
index d045040..0913434 100644
--- a/policies/arm/wdt_util.update.policy
+++ b/policies/arm/wdt_util.update.policy

@@ -32,3 +32,5 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1
+fstatfs64: 1

diff --git a/policies/arm64/g2touch.query.policy b/policies/arm64/g2touch.query.policy
index e688f47..d64b72f 100644
--- a/policies/arm64/g2touch.query.policy
+++ b/policies/arm64/g2touch.query.policy

@@ -20,3 +20,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/arm64/g2touch.update.policy b/policies/arm64/g2touch.update.policy
index 201b137..2c4ffe8 100644
--- a/policies/arm64/g2touch.update.policy
+++ b/policies/arm64/g2touch.update.policy

@@ -25,3 +25,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/arm64/rmi4update.query.policy b/policies/arm64/rmi4update.query.policy
index 9bc6565..bcae29f 100644
--- a/policies/arm64/rmi4update.query.policy
+++ b/policies/arm64/rmi4update.query.policy

@@ -26,3 +26,4 @@
 faccessat2: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/arm64/rmi4update.update.policy b/policies/arm64/rmi4update.update.policy
index b019e08..08046b8 100644
--- a/policies/arm64/rmi4update.update.policy
+++ b/policies/arm64/rmi4update.update.policy

@@ -26,3 +26,4 @@
 faccessat2: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/arm64/wacom_flash.query.policy b/policies/arm64/wacom_flash.query.policy
index a1b0806..771a7f8 100644
--- a/policies/arm64/wacom_flash.query.policy
+++ b/policies/arm64/wacom_flash.query.policy

@@ -24,3 +24,4 @@
 faccessat2: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/policies/arm64/wacom_flash.update.policy b/policies/arm64/wacom_flash.update.policy
index a1b0806..771a7f8 100644
--- a/policies/arm64/wacom_flash.update.policy
+++ b/policies/arm64/wacom_flash.update.policy

@@ -24,3 +24,4 @@
 faccessat2: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/stupdate/policies/amd64/stupdate.query.policy b/stupdate/policies/amd64/stupdate.query.policy
index 0d1aaff..7645688 100644
--- a/stupdate/policies/amd64/stupdate.query.policy
+++ b/stupdate/policies/amd64/stupdate.query.policy

@@ -25,3 +25,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/stupdate/policies/amd64/stupdate.read.policy b/stupdate/policies/amd64/stupdate.read.policy
index 04210e7..3c31217 100644
--- a/stupdate/policies/amd64/stupdate.read.policy
+++ b/stupdate/policies/amd64/stupdate.read.policy

@@ -23,3 +23,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1

diff --git a/stupdate/policies/amd64/stupdate.update.policy b/stupdate/policies/amd64/stupdate.update.policy
index 6a1a1c5..dd79ed1 100644
--- a/stupdate/policies/amd64/stupdate.update.policy
+++ b/stupdate/policies/amd64/stupdate.update.policy

@@ -27,3 +27,4 @@
 restart_syscall: 1
 exit: 1
 rt_sigreturn: 1
+fstatfs: 1