kerberos: Add seccomp filters

Adds seccomp filters for amd64, arm and arm64.

BUG=chromium:952241
TEST=Tested on device that things don't explode

Cq-Depend: chromium:1692985
Change-Id: I5b5efce9f85e881fbe1c515c42b3ae2ddaf55104
Reviewed-on: https://chromium-review.googlesource.com/1692505
Tested-by: Lutz Justen <ljusten@chromium.org>
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
diff --git a/kerberos/init/kerberosd.conf b/kerberos/init/kerberosd.conf
index a1e6602..b6c1be8 100644
--- a/kerberos/init/kerberosd.conf
+++ b/kerberos/init/kerberosd.conf
@@ -37,6 +37,12 @@
   # Prevent that execve gains privileges, required for seccomp filters.
   args="${args} -n"
 
+  # Apply seccomp policy.
+  args="${args} -S /usr/share/policy/kerberosd-seccomp.policy"
+
+  # Enable seccomp logging (for test images only).
+  args="${args} -L"
+
   # Use a minimalistic mount namespace.
   args="${args} --profile minimalistic-mountns"
 
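Review bot: The `-L` flag at `args="${args} -L"` is applied unconditionally even though its own comment says it is for test images only; nothing in this hunk gates it on the image type, so unless the ebuild strips that line for non-test builds the production daemon will run with seccomp logging enabled. Depending on the minijail and kernel version, `-L` turns a policy violation into log-and-continue instead of a kill, and minijail also skips policy lines naming syscalls it does not recognise when logging is on, so an on-device test with `-L` present cannot show that the policy is complete or that it even compiles without the flag. The policy is also loaded from the generic path `/usr/share/policy/kerberosd-seccomp.policy` while the new files are per-architecture; presumably the ebuild installs the matching one under that name, which is worth stating, e.g. `# Apply seccomp policy (the ebuild installs the per-arch policy under this name).`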
diff --git a/kerberos/seccomp/kerberosd-seccomp-amd64.policy b/kerberos/seccomp/kerberosd-seccomp-amd64.policy
new file mode 100644
index 0000000..0ed36b1
--- /dev/null
+++ b/kerberos/seccomp/kerberosd-seccomp-amd64.policy
@@ -0,0 +1,76 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+gettimeofday: 1
+close: 1
+poll: 1
+read: 1
+openat: 1
+sendto: 1
+send: 1
+fstat: 1
+socket: arg0 == AF_INET || arg0 == AF_NETLINK
+recvfrom: 1
+connect: 1
+fcntl: 1
+stat: 1
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+ioctl: arg1 == FIONBIO || arg1 == FIONREAD || arg1 == TCGETS || arg1 == TCSETS
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+recvmsg: 1
+futex: 1
+getpid: 1
+write: 1
+munmap: 1
+brk: 1
+bind: 1
+getsockname: 1
+getrandom: 1
+getdents: 1
+rt_sigaction: 1
+getuid: 1
+lseek: 1
+dup: 1
+setsockopt: 1
+getsockopt: 1
+writev: 1
+unlink: 1
+fchmod: 1
+exit_group: 1
+restart_syscall: 1
+exit: 1
+rt_sigreturn: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+epoll_create1: 1
+pipe2: 1
+epoll_ctl: 1
+gettid: 1
+rt_sigprocmask: 1
+signalfd4: 1
+clock_getres: 1
+getresuid: 1
+getresgid: 1
+sendmsg: 1
+access: 1
+epoll_wait: 1
+clone: 1
+set_robust_list: 1
+setsid: 1
+wait4: 1
+nanosleep: 1
+setresuid: 1
+creat: 1
+lstat: 1
+chmod: 1
+mkdir: 1
+rmdir: 1
+clock_gettime: 1
+request_key: 1
+keyctl: 1
+mlock: 1
+madvise: 1
+munlock: 1
+uname: 1
\ No newline at end of file
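Review bot: `send: 1` names a syscall that does not exist in the x86-64 table (x86-64 only has `sendto`); minijail rejects unknown syscall names unless `-L` is set, so this line would likely keep the policy from compiling once the logging flag is removed and should be dropped. Several entries are also broader than a confined daemon needs: `clone: 1` admits fork as well as thread creation where the usual form is `clone: arg0 & CLONE_THREAD` if only threads are spawned (the presence of `wait4` and `setsid` suggests child processes are expected — verify, since `execve` is not allowed anyway), `keyctl: 1` permits every keyring command where restricting `arg0` to the ones libkrb5's keyring cache actually issues would be tighter, and `socket` admits `AF_INET` but neither `AF_INET6`, so IPv6-only KDCs will fail, nor `AF_UNIX`, which the D-Bus connection presumably needs unless it is set up some other way. The same scope comments apply to the arm and arm64 policies below. The file also lacks a trailing newline.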
diff --git a/kerberos/seccomp/kerberosd-seccomp-arm.policy b/kerberos/seccomp/kerberosd-seccomp-arm.policy
new file mode 100644
index 0000000..5b3a6e3
--- /dev/null
+++ b/kerberos/seccomp/kerberosd-seccomp-arm.policy
@@ -0,0 +1,79 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+gettimeofday: 1
+close: 1
+poll: 1
+read: 1
+openat: 1
+sendto: 1
+send: 1
+fstat64: 1
+socket: arg0 == AF_INET || arg0 == AF_NETLINK
+recvfrom: 1
+connect: 1
+fcntl64: 1
+stat64: 1
+mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+ioctl: arg1 == FIONBIO || arg1 == FIONREAD || arg1 == TCGETS || arg1 == TCSETS
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+recvmsg: 1
+futex: 1
+getpid: 1
+write: 1
+munmap: 1
+brk: 1
+bind: 1
+getsockname: 1
+getrandom: 1
+getdents: 1
+getdents64: 1
+rt_sigaction: 1
+getuid32: 1
+recv: 1
+_llseek: 1
+dup: 1
+setsockopt: 1
+getsockopt: 1
+writev: 1
+unlink: 1
+fchmod: 1
+exit_group: 1
+restart_syscall: 1
+exit: 1
+rt_sigreturn: 1
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+epoll_create1: 1
+pipe2: 1
+epoll_ctl: 1
+gettid: 1
+rt_sigprocmask: 1
+signalfd4: 1
+clock_getres: 1
+getresuid32: 1
+getresgid32: 1
+sendmsg: 1
+access: 1
+epoll_wait: 1
+clone: 1
+set_robust_list: 1
+setsid: 1
+wait4: 1
+nanosleep: 1
+setresuid32: 1
+creat: 1
+lstat: 1
+lstat64: 1
+chmod: 1
+mkdir: 1
+rmdir: 1
+clock_gettime: 1
+request_key: 1
+keyctl: 1
+mlock: 1
+madvise: 1
+munlock: 1
+uname: 1
\ No newline at end of file
diff --git a/kerberos/seccomp/kerberosd-seccomp-arm64.policy b/kerberos/seccomp/kerberosd-seccomp-arm64.policy
new file mode 100644
index 0000000..5b3a6e3
--- /dev/null
+++ b/kerberos/seccomp/kerberosd-seccomp-arm64.policy
@@ -0,0 +1,79 @@
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+gettimeofday: 1
+close: 1
+poll: 1
+read: 1
+openat: 1
+sendto: 1
+send: 1
+fstat64: 1
+socket: arg0 == AF_INET || arg0 == AF_NETLINK
+recvfrom: 1
+connect: 1
+fcntl64: 1
+stat64: 1
+mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+ioctl: arg1 == FIONBIO || arg1 == FIONREAD || arg1 == TCGETS || arg1 == TCSETS
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+recvmsg: 1
+futex: 1
+getpid: 1
+write: 1
+munmap: 1
+brk: 1
+bind: 1
+getsockname: 1
+getrandom: 1
+getdents: 1
+getdents64: 1
+rt_sigaction: 1
+getuid32: 1
+recv: 1
+_llseek: 1
+dup: 1
+setsockopt: 1
+getsockopt: 1
+writev: 1
+unlink: 1
+fchmod: 1
+exit_group: 1
+restart_syscall: 1
+exit: 1
+rt_sigreturn: 1
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+epoll_create1: 1
+pipe2: 1
+epoll_ctl: 1
+gettid: 1
+rt_sigprocmask: 1
+signalfd4: 1
+clock_getres: 1
+getresuid32: 1
+getresgid32: 1
+sendmsg: 1
+access: 1
+epoll_wait: 1
+clone: 1
+set_robust_list: 1
+setsid: 1
+wait4: 1
+nanosleep: 1
+setresuid32: 1
+creat: 1
+lstat: 1
+lstat64: 1
+chmod: 1
+mkdir: 1
+rmdir: 1
+clock_gettime: 1
+request_key: 1
+keyctl: 1
+mlock: 1
+madvise: 1
+munlock: 1
+uname: 1
\ No newline at end of file
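Review bot: This arm64 policy is byte-identical to the arm one (both carry index `5b3a6e3`), but aarch64 uses the generic syscall table, which has no `fstat64`, `fcntl64`, `stat64`, `mmap2`, `_llseek`, `getuid32`/`geteuid32`/`getgid32`/`getegid32`/`getresuid32`/`getresgid32`/`setresuid32`, `send`, `recv`, `poll`, `epoll_wait`, `access`, `lstat`, `creat`, `chmod`, `mkdir`, `rmdir` or `unlink`, while the calls the daemon would actually issue there — `fstat`, `fcntl`, `mmap`, `lseek`, `getuid`/`geteuid`/`getgid`/`getegid`/`getresuid`/`getresgid`/`setresuid`, `ppoll`, `epoll_pwait`, `newfstatat`, `faccessat`, `fchmodat`, `mkdirat`, `unlinkat` — are absent. With `-L` minijail ignores the unknown names and, on recent kernels, logs rather than kills on a violation, which would explain why the device test passed; without it the policy will either fail to compile or kill the daemon on its first file-status call. This file should be generated from an arm64 device (strace or the seccomp audit log under `-L`) rather than copied from the arm policy.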