Tom, do you want to give it a go?

Yes

Don't forget our friends in the biod/tools directory too ! :)

pmalani@ Thanks for the reminder.

The docs for seccomp filters shows how to use it with minijail arguments. We have upstart jobs that run minijail for biod and bio_crypto_init, so those definitely need seccomp filters.

However, the other tools (bio_wash and biod_client_tool) don't have an upstart job running minijail.

It looks like bio_wash is called from "clobber-state": http://cs/chromeos_public/src/platform2/init/clobber_state.cc?l=335-345&rcl=80c7b00e09f0505d39a7848e8e8311a7c6574d85. Should bio_wash have seccomp filter?

biod_client_tool probably only needs to be in the test image (and no seccomp)?

Also, the seccomp policies are architecture-specific. Currently all variants that have FP are amd64, right?

comment #5:
Agreed, bio_wash and biod_client_tool don't really need a seccomp filter. biod_client_tool is only present in the dev and test images, it's installed in /usr/local.

comment #6:
Yep, only amd64 at the moment.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/d42a9fef964b5bd8aeb6438c3a4c6cc2db9d4ab9

commit d42a9fef964b5bd8aeb6438c3a4c6cc2db9d4ab9
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:04 2019

biod: install biod seccomp policy

BUG= chromium:919529 
TEST=emerge-nocturne biod
CQ-DEPEND=I061de1deec7ad019ba8591f2e13f8ec969f3bfd0

Change-Id: I76d4f26bec566b91c6fda0c852608fcc518cd295
Reviewed-on: https://chromium-review.googlesource.com/1401255
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/d42a9fef964b5bd8aeb6438c3a4c6cc2db9d4ab9/chromeos-base/biod/biod-9999.ebuild

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/e3bf1fad6527148cbc5a0dd42f394f0736516365

commit e3bf1fad6527148cbc5a0dd42f394f0736516365
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:05 2019

biod: install bio_crypto_init seccomp policy

BUG= chromium:919529 
TEST=emerge-nocturne biod
CQ-DEPEND=Id0b426df173e9c10c712a4687cffbc7c85cb28d3

Change-Id: Ib7b8a19ad82b082928e2a6bc99508864f3b02566
Reviewed-on: https://chromium-review.googlesource.com/1404135
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/e3bf1fad6527148cbc5a0dd42f394f0736516365/chromeos-base/biod/biod-9999.ebuild

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/abeb2346c8dfb92efa06c2a1f013346719af3de9

commit abeb2346c8dfb92efa06c2a1f013346719af3de9
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:04 2019

biod: seccomp policy for daemon

Also add a helper script (run_biod_strace.sh) to make it easy to capture
the syscall strace output, which can then be processed with
~/chromiumos/src/aosp/external/minijail/tools/generate_seccomp_policy.py

Currently the only devices with fingerprint are amd64, so that is the
only seccomp policy.

BUG= chromium:919529 
TEST=Add fingerprint, verify unlock works
TEST=Delete fingerprint; verify fingerprint deleted on filesystem
CQ-DEPEND=I76d4f26bec566b91c6fda0c852608fcc518cd295

Change-Id: I061de1deec7ad019ba8591f2e13f8ec969f3bfd0
Reviewed-on: https://chromium-review.googlesource.com/1401346
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/abeb2346c8dfb92efa06c2a1f013346719af3de9/biod/init/seccomp/run_biod_strace.sh
[add] https://crrev.com/abeb2346c8dfb92efa06c2a1f013346719af3de9/biod/init/seccomp/biod-seccomp-amd64.policy
[modify] https://crrev.com/abeb2346c8dfb92efa06c2a1f013346719af3de9/biod/init/biod.conf

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/f3effa386bb84b2f43db55db358a3d5e6e3b848d

commit f3effa386bb84b2f43db55db358a3d5e6e3b848d
Author: Tom Hughes <tomhughes@chromium.org>
Date: Fri Jan 11 21:32:05 2019

biod: seccomp for bio_crypto_init

Also add a helper script (run_bio_crypto_init_strace.sh) to make it easy to
capture the syscall strace output, which can then be processed with
~/chromiumos/src/aosp/external/minijail/tools/generate_seccomp_policy.py

Currently the only devices with fingerprint are amd64, so that is the
only seccomp policy.

BUG= chromium:919529 
TEST=reboot; verify log messages in
     /var/log/bio_crypto_init/bio_crypto_init.log
TEST=Add fingerprint, verify unlock works
TEST=Delete fingerprint; verify fingerprint deleted on filesystem
CQ-DEPEND=Ib7b8a19ad82b082928e2a6bc99508864f3b02566

Change-Id: Id0b426df173e9c10c712a4687cffbc7c85cb28d3
Reviewed-on: https://chromium-review.googlesource.com/1403897
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/f3effa386bb84b2f43db55db358a3d5e6e3b848d/biod/init/seccomp/bio-crypto-init-seccomp-amd64.policy
[add] https://crrev.com/f3effa386bb84b2f43db55db358a3d5e6e3b848d/biod/init/seccomp/run_bio_crypto_init_strace.sh
[modify] https://crrev.com/f3effa386bb84b2f43db55db358a3d5e6e3b848d/biod/init/bio_crypto_init.conf

Verified policy files (/usr/share/policy/biod-seccomp.policy, /usr/share/policy/bio-crypto-init-seccomp.policy) and upstart changes (/etc/init/biod.conf, /etc/init/bio_crypto_init.conf) are in R73-11582.0.0.