Skip to content

S
Startup Init Lite

OpenHarmony / Startup Init Lite
1 年多 前同步成功

通知 3
Star 37
Fork 0
S
Startup Init Lite
切换分支/标签
查找文件 普通视图历史永久链接Permalink
nwebspawn.seccomp.policy 3.6 KB
Newer Older
X
bugfix: nwebspawn增加setuid setgid的限制  
xiacong 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 
# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# For now, it supports architechture of ['arm', 'arm64'].

@returnValue
TRAP

@headFiles
"seccomp_policy_constants.h"

@mode
ONLY_CHECK_ARGS

@allowListWithArgs
setresuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setresgid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setresuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setresgid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS && arg2 >= START_UID_FOR_RENDER_PROCESS && arg2 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setgid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setgid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setreuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setregid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setreuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setregid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS && arg1 >= START_UID_FOR_RENDER_PROCESS && arg1 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setfsuid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setfsgid: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;all
setfsuid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm
setfsgid32: if arg0 >= START_UID_FOR_RENDER_PROCESS && arg0 <= END_UID_FOR_RENDER_PROCESS; return ALLOW; else return TRAP;arm