Issue 897477 link

Starred by 3 users

Issue metadata

Status:	Verified
Owner:	█ yunlian@chromium.org Last visit > 30 days ago
Closed:	Oct 24
Cc:	briannorris@chromium.org vapier@chromium.org
Components:	Tools>ChromeOS-Toolchain
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	3
Type:	Bug

Build-Toolchain

allow openat, getpid and prlimit64 to seccomp

Project Member Reported by yunlian@chromium.org, Oct 21

Issue description

glibc 2.27 changed some internal system calls to a certain function.
To make sure programs does not crash because of these glibc internal changes,
we want to make the changes fo policy files as follows

- getpid: add it to all policy files, this should be safe.
- openat only add it to the policy file if there is already an "open" in the file
- prlimit64, add it in read-only mode if getrlimit is in the file
  added in write mode if setrlimit is there.
  Otherwise dont add it.

The script to make such changes are

for i in `find . -name "*.policy"`; do
	if ! grep -q 'getpid' $i; then
		echo $i >> ~/modified
		echo 'getpid: 1' >> $i
	fi
	if ! grep -q 'prlimit64' $i; then
		if grep -q 'setrlimit:' $i; then
			echo 'prlimit64: 1' >> $i
			echo  $i >> ~/modified
		elif grep -q 'getrlimit:' $i; then
			echo 'prlimit64: arg2 == 0 && arg3 != 0' >> $i
			echo $i >> ~/modified
		fi
	fi
	if grep -q 'open:' $i; then
		if ! grep -q 'openat:' $i; then
			echo $i >> ~/modified
			sed '/open: 1/a openat: 1' -i $i
		fi
	fi
done

Comment 1 by yunlian@chromium.org, Oct 21

Owner: yunlian@chromium.org

Project Member

Comment 2 by bugdroid1@chromium.org, Oct 22

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/2ca1482d8791b2d15946ff193b838d07fe8b4fc6

commit 2ca1482d8791b2d15946ff193b838d07fe8b4fc6
Author: Yunlian Jiang <yunlian@google.com>
Date: Mon Oct 22 13:16:38 2018

nfs-ganesha: add getpid and prlimit64 to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: Iae711fa3223d06b38ac1aebe98fcef47b2e04cca
Reviewed-on: https://chromium-review.googlesource.com/1292998
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Luis Lozano <llozano@chromium.org>

[modify] https://crrev.com/2ca1482d8791b2d15946ff193b838d07fe8b4fc6/net-fs/nfs-ganesha/files/nfs-ganesha-seccomp-arm.policy
[modify] https://crrev.com/2ca1482d8791b2d15946ff193b838d07fe8b4fc6/net-fs/nfs-ganesha/files/nfs-ganesha-seccomp-amd64.policy
[rename] https://crrev.com/2ca1482d8791b2d15946ff193b838d07fe8b4fc6/net-fs/nfs-ganesha/nfs-ganesha-0.0.1-r12.ebuild

Project Member

Comment 3 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/ap-daemons/+/f7fb52d7a137f52cdd22d24c36bcee2c6f3af988

commit f7fb52d7a137f52cdd22d24c36bcee2c6f3af988
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 00:38:08 2018

Project Member

Comment 4 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/logitech-updater/+/658d14909e3231dddedebbd769db36d7a9f6d784

commit 658d14909e3231dddedebbd769db36d7a9f6d784
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 00:38:07 2018

logitech-updater: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: I0b4877a349c5b3c787e09c06e324f038829ea482
Reviewed-on: https://chromium-review.googlesource.com/1292997
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/658d14909e3231dddedebbd769db36d7a9f6d784/seccomp/logitech-updater-seccomp-amd64.policy
[modify] https://crrev.com/658d14909e3231dddedebbd769db36d7a9f6d784/seccomp/logitech-updater-seccomp-x86_64.policy

Project Member

Comment 5 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/a0d81f9571651987e15473cc8e8fa02731e03876

commit a0d81f9571651987e15473cc8e8fa02731e03876
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 03:53:18 2018

rpcbind: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: I1773f936c9908518123a54a9303b9c164ed374dd
Reviewed-on: https://chromium-review.googlesource.com/1292999
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/a0d81f9571651987e15473cc8e8fa02731e03876/net-nds/rpcbind/files/seccomp-amd64.policy
[modify] https://crrev.com/a0d81f9571651987e15473cc8e8fa02731e03876/net-nds/rpcbind/files/seccomp-arm.policy
[rename] https://crrev.com/a0d81f9571651987e15473cc8e8fa02731e03876/net-nds/rpcbind/rpcbind-0.2.4-r6.ebuild

Project Member

Comment 6 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/crosvm/+/31c20fdcce2055a09580429e9522ca4bb1c5abb9

commit 31c20fdcce2055a09580429e9522ca4bb1c5abb9
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 09:55:29 2018

crosvm: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: I101aa07bffd8db2b449be1a697dafcd7d6f1cb58
Reviewed-on: https://chromium-review.googlesource.com/1294729
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/31c20fdcce2055a09580429e9522ca4bb1c5abb9/seccomp/arm/9s.policy
[modify] https://crrev.com/31c20fdcce2055a09580429e9522ca4bb1c5abb9/seccomp/arm/9p_device.policy
[modify] https://crrev.com/31c20fdcce2055a09580429e9522ca4bb1c5abb9/tests/plugin.policy
[modify] https://crrev.com/31c20fdcce2055a09580429e9522ca4bb1c5abb9/io_jail/src/test_filter.policy
[modify] https://crrev.com/31c20fdcce2055a09580429e9522ca4bb1c5abb9/seccomp/x86_64/9s.policy

Project Member

Comment 7 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/mosys/+/11f0f31363361632ff4d9a7dde4dcaee8d88c0f9

commit 11f0f31363361632ff4d9a7dde4dcaee8d88c0f9
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 09:55:31 2018

mosys: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: I829e072a90293d7c29d0385d30efa1d4147e9977
Reviewed-on: https://chromium-review.googlesource.com/1294110
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/11f0f31363361632ff4d9a7dde4dcaee8d88c0f9/seccomp/mosys-seccomp-arm.policy
[modify] https://crrev.com/11f0f31363361632ff4d9a7dde4dcaee8d88c0f9/io_jail/src/test_filter.policy

Project Member

Comment 8 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/e450c65a9ae9ab7ab2b13b3e1dd4c4d3edfc85b9

commit e450c65a9ae9ab7ab2b13b3e1dd4c4d3edfc85b9
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 09:55:30 2018

ippusbxd: add getpid and prlimit64 to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: I46a1c8179ba52adaf7439f9f3e7bc8cc930ea571
Reviewed-on: https://chromium-review.googlesource.com/1293000
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Luis Lozano <llozano@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/e450c65a9ae9ab7ab2b13b3e1dd4c4d3edfc85b9/net-print/ippusbxd/files/ippusbxd-seccomp-arm.policy
[rename] https://crrev.com/e450c65a9ae9ab7ab2b13b3e1dd4c4d3edfc85b9/net-print/ippusbxd/ippusbxd-1.32-r8.ebuild
[modify] https://crrev.com/e450c65a9ae9ab7ab2b13b3e1dd4c4d3edfc85b9/net-print/ippusbxd/files/ippusbxd-seccomp-amd64.policy
[modify] https://crrev.com/e450c65a9ae9ab7ab2b13b3e1dd4c4d3edfc85b9/net-print/ippusbxd/files/ippusbxd-seccomp-arm64.policy

Project Member

Comment 9 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/f327ef619855b43ed3b340cf58a8c53b00224671

commit f327ef619855b43ed3b340cf58a8c53b00224671
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 09:55:30 2018

usbguard: add getpid and prlimit64 to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: I3a12efd7ff89876acf9f6e3fb021d5aff3fa365e
Reviewed-on: https://chromium-review.googlesource.com/1293002
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/f327ef619855b43ed3b340cf58a8c53b00224671/sys-apps/usbguard/usbguard-20180726-r13.ebuild
[modify] https://crrev.com/f327ef619855b43ed3b340cf58a8c53b00224671/sys-apps/usbguard/files/usbguard-daemon-seccomp-amd64.policy
[modify] https://crrev.com/f327ef619855b43ed3b340cf58a8c53b00224671/sys-apps/usbguard/files/usbguard-daemon-seccomp-arm.policy
[modify] https://crrev.com/f327ef619855b43ed3b340cf58a8c53b00224671/sys-apps/usbguard/files/usbguard-daemon-seccomp-arm64.policy

Project Member

Comment 10 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/touch_updater/+/90aafb0f829938423359aa7ad7ece8a3cdfae1f7

commit 90aafb0f829938423359aa7ad7ece8a3cdfae1f7
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 20:01:58 2018

touch_updater: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: Ib05208b814f58d72fb9af5ee8390c999ca284a22
Reviewed-on: https://chromium-review.googlesource.com/1294369
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/sisupdate.query.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/rmi4update.update.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/wdt_util.update.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/wdt_util.query.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/rmi4update.query.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/sisupdate.update.policy

Project Member

Comment 11 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/touch_updater/+/90aafb0f829938423359aa7ad7ece8a3cdfae1f7

commit 90aafb0f829938423359aa7ad7ece8a3cdfae1f7
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 20:01:58 2018

touch_updater: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: Ib05208b814f58d72fb9af5ee8390c999ca284a22
Reviewed-on: https://chromium-review.googlesource.com/1294369
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/sisupdate.query.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/rmi4update.update.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/wdt_util.update.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/wdt_util.query.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/rmi4update.query.policy
[modify] https://crrev.com/90aafb0f829938423359aa7ad7ece8a3cdfae1f7/policies/amd64/sisupdate.update.policy

Project Member

Comment 12 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/c8438bc7ffa368677226eb67c7f981da40986160

commit c8438bc7ffa368677226eb67c7f981da40986160
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 20:01:54 2018

cups: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: Id717dec40d1a899b3cdfee1467dd54b033d3656e
Reviewed-on: https://chromium-review.googlesource.com/1293001
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/c8438bc7ffa368677226eb67c7f981da40986160/net-print/cups/files/cupstestppd-seccomp-arm.policy
[rename] https://crrev.com/c8438bc7ffa368677226eb67c7f981da40986160/net-print/cups/cups-2.1.4-r18.ebuild
[modify] https://crrev.com/c8438bc7ffa368677226eb67c7f981da40986160/net-print/cups/files/lpadmin-seccomp-arm64.policy
[modify] https://crrev.com/c8438bc7ffa368677226eb67c7f981da40986160/net-print/cups/files/cupstestppd-seccomp-amd64.policy
[modify] https://crrev.com/c8438bc7ffa368677226eb67c7f981da40986160/net-print/cups/files/cupstestppd-seccomp-arm64.policy
[modify] https://crrev.com/c8438bc7ffa368677226eb67c7f981da40986160/net-print/cups/files/cupstestppd-seccomp-x86.policy

Project Member

Comment 13 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/vendor/fibocom-firmware/+/1b5fb79074ef069424666a0d0b7d0ad473a8c389

commit 1b5fb79074ef069424666a0d0b7d0ad473a8c389
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 23:22:26 2018

Project Member

Comment 14 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/vendor/intel-wifi-fw-dump/+/022d08d2a559ba28eeb38b83a7537b0c482d21de

commit 022d08d2a559ba28eeb38b83a7537b0c482d21de
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 23 23:22:24 2018

Project Member

Comment 15 by bugdroid1@chromium.org, Oct 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/a14582f5b2ae17da4bbc7b5d887d601dbb407a26

commit a14582f5b2ae17da4bbc7b5d887d601dbb407a26
Author: Yunlian Jiang <yunlian@google.com>
Date: Wed Oct 24 02:22:02 2018

add prlimit64 to seccomp when needed.

This adds prlimit64 to seccomp files which contain setrlmit or
getrlimt. This is needed because glibc 2.27 changed some internal
system calls to some functions.

BUG= chromium:897477 
TEST=None

Change-Id: I79314f32c8500aea1ecf36f1a0bef74fc8087062
Reviewed-on: https://chromium-review.googlesource.com/1293732
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Luis Lozano <llozano@chromium.org>

[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/arc/apk-cache/seccomp/apk-cache-cleaner-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/shill/shims/nfqueue-seccomp-mips.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/mtpd/mtpd-seccomp-x86.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/apmanager/init/apmanager-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/vm_tools/init/vm_cicerone-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/apmanager/init/apmanager-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/apmanager/init/apmanager-seccomp-mips.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/diagnostics/init/diagnostics_processor-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/diagnostics/init/diagnosticsd-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/bluetooth/seccomp_filters/btdispatch-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/authpolicy/seccomp_filters/authpolicy_parser-seccomp.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/bluetooth/seccomp_filters/btdispatch-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/authpolicy/seccomp_filters/kinit-seccomp.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/ippusb_manager/seccomp/ippusb-manager-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/crosdns/init/crosdns-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/bluetooth/seccomp_filters/newblued-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/smbprovider/seccomp_filters/smbprovider-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/crosdns/init/crosdns-seccomp-arm64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/imageloader/seccomp/imageloader-helper-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/cros-disks/avfsd-seccomp-x86.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/shill/shims/nfqueue-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/bluetooth/seccomp_filters/newblued-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/cros-disks/avfsd-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/vm_tools/init/vm_cicerone-seccomp-arm64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/vm_tools/init/vm_cicerone-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/apmanager/init/apmanager-seccomp-x86.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/webserver/webservd/usr/share/filters/webservd-seccomp.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/metrics/memd/init/memd-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/shill/shims/nfqueue-seccomp-x86.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/mtpd/mtpd-seccomp-arm64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/touch_keyboard/seccomp/amd64/touch_keyboard_handler.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/cros-disks/avfsd-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/authpolicy/seccomp_filters/smbclient-seccomp.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/crosdns/init/crosdns-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/diagnostics/init/diagnostics_processor-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/mtpd/mtpd-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/shill/shims/nfqueue-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/arc/apk-cache/seccomp/apk-cache-cleaner-seccomp-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/ippusb_manager/seccomp/ippusb-manager-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/attestation/server/attestationd-seccomp-arm.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/authpolicy/seccomp_filters/net_ads-seccomp.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/arc/adbd/seccomp/arc-adbd-amd64.policy
[modify] https://crrev.com/a14582f5b2ae17da4bbc7b5d887d601dbb407a26/diagnostics/init/diagnosticsd-seccomp-arm.policy

Comment 16 by yunlian@chromium.org, Oct 24

Status: Verified (was: Untriaged)

Project Member

Comment 17 by bugdroid1@chromium.org, Oct 25

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/overlays/project-cfm-private/+/ad24c44b71f02c9143eb197c8dfbcf7cf0181321

commit ad24c44b71f02c9143eb197c8dfbcf7cf0181321
Author: Yunlian Jiang <yunlian@google.com>
Date: Thu Oct 25 11:26:51 2018

Project Member

Comment 18 by bugdroid1@chromium.org, Oct 25

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/arc-camera/+/34310db2d29eff4cc669e6ab268554f91539370c

commit 34310db2d29eff4cc669e6ab268554f91539370c
Author: Yunlian Jiang <yunlian@google.com>
Date: Thu Oct 25 14:54:16 2018

arc-camera: add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: If93eaa4a8233d1b5c4eb68edbe3ac93e02f14207
Reviewed-on: https://chromium-review.googlesource.com/1298602
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Ricky Liang <jcliang@chromium.org>

[modify] https://crrev.com/34310db2d29eff4cc669e6ab268554f91539370c/hal_adapter/seccomp_filter/cros-camera-arm.policy
[modify] https://crrev.com/34310db2d29eff4cc669e6ab268554f91539370c/hal_adapter/seccomp_filter/cros-camera-amd64.policy

Project Member

Comment 19 by bugdroid1@chromium.org, Oct 26

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/platform/arc-oemcrypto/+/775bd9e519f78a328128c327127be11d99140d4b

commit 775bd9e519f78a328128c327127be11d99140d4b
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 26 19:14:55 2018

Project Member

Comment 20 by bugdroid1@chromium.org, Oct 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/tlsdate/+/c8c23b8dab5aaea592005c854d39aa106b58c3d4

commit c8c23b8dab5aaea592005c854d39aa106b58c3d4
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 26 19:14:55 2018

add getpid and prlimit to seccomp

This is needed to make sure seccomp work with glibc 2.27

BUG= chromium:897477 
TEST=None

Change-Id: Ic3ecc9f1abebd8984974f8d2c7955b78b6ef0d25
Reviewed-on: https://chromium-review.googlesource.com/1298659
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/c8c23b8dab5aaea592005c854d39aa106b58c3d4/tlsdate-seccomp-x86.policy
[modify] https://crrev.com/c8c23b8dab5aaea592005c854d39aa106b58c3d4/tlsdate-seccomp-amd64.policy
[modify] https://crrev.com/c8c23b8dab5aaea592005c854d39aa106b58c3d4/tlsdate-seccomp-arm64.policy
[modify] https://crrev.com/c8c23b8dab5aaea592005c854d39aa106b58c3d4/tlsdate-seccomp-arm.policy

Project Member

Comment 21 by bugdroid1@chromium.org, Oct 26

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/platform/drivefs/+/b87db1ecc1ab1dec7193ef986b1ba23773f00596

commit b87db1ecc1ab1dec7193ef986b1ba23773f00596
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 26 19:14:56 2018

►

Issue 897477 link

Issue metadata

allow openat, getpid and prlimit64 to seccomp

Issue description

Comment 1 by yunlian@chromium.org, Oct 21

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Oct 22

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Oct 23

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Oct 23

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Oct 23

Comment 5 Deleted

Comment 6 by bugdroid1@chromium.org, Oct 23

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Oct 23

Comment 7 Deleted

Comment 8 by bugdroid1@chromium.org, Oct 23

Comment 8 Deleted

Comment 9 by bugdroid1@chromium.org, Oct 23

Comment 9 Deleted

Comment 10 by bugdroid1@chromium.org, Oct 23

Comment 10 Deleted

Comment 11 by bugdroid1@chromium.org, Oct 23

Comment 11 Deleted

Comment 12 by bugdroid1@chromium.org, Oct 23

Comment 12 Deleted

Comment 13 by bugdroid1@chromium.org, Oct 23

Comment 13 Deleted

Comment 14 by bugdroid1@chromium.org, Oct 23

Comment 14 Deleted

Comment 15 by bugdroid1@chromium.org, Oct 24

Comment 15 Deleted

Comment 16 by yunlian@chromium.org, Oct 24

Comment 16 Deleted

Comment 17 by bugdroid1@chromium.org, Oct 25

Comment 17 Deleted

Comment 18 by bugdroid1@chromium.org, Oct 25

Comment 18 Deleted

Comment 19 by bugdroid1@chromium.org, Oct 26

Comment 19 Deleted

Comment 20 by bugdroid1@chromium.org, Oct 26

Comment 20 Deleted

Comment 21 by bugdroid1@chromium.org, Oct 26

Comment 21 Deleted

Sign in to add a comment