| commit | 7d698904b713098bfd469644432ba60107dbe7b0 | [log] [tgz] |
|---|---|---|
| author | Jeff Xu <[email protected]> | Sun Nov 03 06:31:54 2024 |
| committer | Chromeos LUCI <[email protected]> | Mon Nov 04 23:46:55 2024 |
| tree | 14f36b4bacbb9186aabb06f1d64723cbf4a37796 | |
| parent | ae5774deead032031438f75d1ce2e99e8161a8ba [diff] |
seccomp: add mseal to seccomp policy (ml)

mseal might be called when process call dlopen() and mmap new dll.
Add mseal to seccomp policies which have mmap.

BUG=b:373509070
TEST=CQ

Change-Id: Ib83664dafd4ecf8835d52a6ab82a3bb6a7c841a9
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/frameworks/ml/+/5985279
Reviewed-by: Jim Pollock <[email protected]>
Commit-Queue: Jeff Xu <[email protected]>
Tested-by: Jeff Xu <[email protected]>
Reviewed-by: Allen Webb <[email protected]>
Auto-Submit: Jeff Xu <[email protected]>
diff --git a/seccomp/nnapi-hal-driver-seccomp-amd64.policy b/seccomp/nnapi-hal-driver-seccomp-amd64.policy index 2f56b1d..5ca91cd 100644 --- a/seccomp/nnapi-hal-driver-seccomp-amd64.policy +++ b/seccomp/nnapi-hal-driver-seccomp-amd64.policy
@@ -20,6 +20,7 @@ read: 1 write: 1 mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE +mseal: 1 set_robust_list: 1 clone: 1 madvise: 1
diff --git a/seccomp/nnapi-hal-driver-seccomp-arm.policy b/seccomp/nnapi-hal-driver-seccomp-arm.policy index 72fe3cd..bf816a0 100644 --- a/seccomp/nnapi-hal-driver-seccomp-arm.policy +++ b/seccomp/nnapi-hal-driver-seccomp-arm.policy
@@ -24,6 +24,7 @@ madvise: 1 exit: 1 mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE +mseal: 1 munmap: 1 openat: 1 mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
diff --git a/seccomp/nnapi-hal-driver-seccomp-arm64.policy b/seccomp/nnapi-hal-driver-seccomp-arm64.policy index 04cab34..c082a18 100644 --- a/seccomp/nnapi-hal-driver-seccomp-arm64.policy +++ b/seccomp/nnapi-hal-driver-seccomp-arm64.policy
@@ -18,6 +18,7 @@ dup: 1 rt_sigprocmask: 1 mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE +mseal: 1 set_robust_list: 1 clone: 1 madvise: 1
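Review bot: The `+mseal: 1` line in seccomp/nnapi-hal-driver-seccomp-amd64.policy carries no comment, so the reason for the entry (per the commit message, mseal may be called when the process calls dlopen() and maps a new library) is recorded only in the commit log. Consider a `#` comment line above the entry in the policy file, so a later audit of the allowlist can see why the syscall is permitted without reading history.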
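Review bot: In seccomp/nnapi-hal-driver-seccomp-arm.policy the new `mseal: 1` lands in a 32-bit policy (it filters `mmap2`), while the kernel documentation describes mseal as supported on 64-bit CPUs only. Please confirm that this policy still compiles against the arm syscall table and that the call is actually reachable for this target, for instance a 32-bit process on a 64-bit kernel; TEST=CQ does not say whether an arm build was exercised. If it is not reachable, leaving it out of this file keeps the allowlist minimal.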
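Review bot: `mseal: 1` in seccomp/nnapi-hal-driver-seccomp-arm64.policy (and the identical line in the other two files) allows the call with any arguments, whereas the neighbouring `mmap` entry filters on arg2. The third argument of mseal is a flags word that the kernel currently requires to be 0, so `mseal: arg2 == 0` would stop the allowlist from widening silently if flags are defined later.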