!1928 updater增加seccomp机制

Merge pull request !1928 from qy136/master

services/modules/seccomp/BUILD.gn

@@ -85,6 +85,19 @@ ohos_prebuilt_seccomp("app_filter") {
   install_images = [ "system" ]
 }
 
+ohos_prebuilt_seccomp("updater_filter") {
+  sources = [ "seccomp_policy/updater.seccomp.policy" ]
+
+  filtername = "updater"
+  process_type = "system"
+
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  install_enable = true
+  install_images = [ "updater" ]
+}
+
 config("libseccomp_static_config") {
   include_dirs = [
     "..",
@@ -121,6 +134,7 @@ group("seccomp_filter") {
   deps = [
     ":app_filter",
     ":system_filter",
+    ":updater_filter",
   ]
   if (appspawn_featrue) {
     deps += [

services/modules/seccomp/seccomp_policy/updater.seccomp.policy

+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# For now, it supports architechture of ['arm', 'arm64'].
+
+@returnValue
+TRAP
+
+@allowList
+setxattr;all
+lsetxattr;all
+fsetxattr;all
+getxattr;all
+lgetxattr;all
+fgetxattr;all
+getcwd;all
+eventfd2;all
+epoll_create1;all
+epoll_ctl;all
+epoll_pwait;all
+dup;all
+dup3;all
+fcntl;arm64
+inotify_init1;all
+inotify_add_watch;all
+inotify_rm_watch;all
+ioctl;all
+ioprio_set;arm64
+ioprio_get;arm64
+flock;all
+mknodat;all
+mkdirat;all
+unlinkat;all
+symlinkat;all
+linkat;all
+renameat;all
+umount2;all
+mount;all
+statfs;arm64
+fstatfs;arm64
+truncate;all
+ftruncate;arm64
+fallocate;all
+faccessat;all
+chdir;all
+fchdir;all
+chroot;all
+fchmod;all
+fchmodat;all
+fchownat;all
+fchown;arm64
+openat;all
+close;all
+pipe2;all
+quotactl;all
+getdents64;all
+lseek;all
+read;all
+write;all
+readv;all
+writev;all
+pread64;all
+pwrite64;all
+preadv;all
+pwritev;all
+sendfile;all
+pselect6;all
+ppoll;all
+signalfd4;all
+vmsplice;all
+splice;all
+tee;all
+readlinkat;all
+newfstatat;arm64
+fstat;arm64
+sync;all
+fsync;all
+fdatasync;all
+sync_file_range;arm64
+utimensat;all
+acct;all
+capget;all
+capset;all
+personality;all
+exit;all
+exit_group;all
+waitid;all
+set_tid_address;all
+unshare;all
+futex;all
+set_robust_list;all
+get_robust_list;all
+nanosleep;all
+clock_gettime;all
+clock_getres;all
+clock_nanosleep;all
+syslog;all
+ptrace;all
+sched_setparam;all
+sched_setscheduler;all
+sched_getscheduler;all
+sched_getparam;all
+sched_setaffinity;all
+sched_getaffinity;all
+sched_yield;all
+sched_get_priority_max;all
+sched_get_priority_min;all
+sched_rr_get_interval;all
+restart_syscall;all
+kill;all
+tkill;all
+tgkill;all
+sigaltstack;all
+rt_sigsuspend;all
+rt_sigaction;all
+rt_sigprocmask;all
+rt_sigpending;all
+rt_sigtimedwait;all
+rt_sigqueueinfo;all
+rt_sigreturn;all
+setpriority;all
+getpriority;all
+reboot;all
+setregid;arm64
+setgid;arm64
+setreuid;arm64
+setuid;arm64
+setresuid;arm64
+getresuid;arm64
+setresgid;arm64
+getresgid;arm64
+setfsuid;all
+setfsgid;all
+times;all
+setpgid;all
+getpgid;all
+getsid;all
+setsid;all
+getgroups;arm64
+setgroups;arm64
+uname;all
+sethostname;all
+setdomainname;all
+getrlimit;arm64
+setrlimit;all
+getrusage;all
+umask;all
+prctl;all
+getcpu;all
+gettimeofday;all
+settimeofday;all
+adjtimex;all
+getpid;all
+getppid;all
+getuid;arm64
+geteuid;arm64
+getgid;arm64
+getegid;arm64
+gettid;all
+sysinfo;all
+semget;all
+shmget;all
+shmctl;all
+shmat;all
+shmdt;all
+socket;all
+socketpair;all
+bind;all
+listen;all
+accept;all
+connect;all
+getsockname;all
+getpeername;all
+sendto;all
+recvfrom;all
+setsockopt;all
+getsockopt;all
+shutdown;all
+sendmsg;all
+recvmsg;all
+readahead;all
+brk;all
+munmap;all
+mremap;all
+add_key;all
+keyctl;all
+clone;all
+execve;all
+mmap;arm64
+fadvise64;arm64
+mprotect;all
+msync;all
+mlock;all
+munlock;all
+mlockall;all
+munlockall;all
+mincore;all
+madvise;all
+rt_tgsigqueueinfo;all
+perf_event_open;all
+accept4;all
+recvmmsg;all
+wait4;all
+prlimit64;all
+clock_adjtime;all
+syncfs;all
+setns;all
+sendmmsg;all
+process_vm_readv;all
+process_vm_writev;all
+finit_module;all
+sched_setattr;all
+sched_getattr;all
+renameat2;all
+seccomp;all
+getrandom;all
+memfd_create;all
+bpf;all
+execveat;all
+userfaultfd;all
+membarrier;all
+mlock2;all
+copy_file_range;all
+preadv2;all
+pwritev2;all
+statx;all
+pidfd_send_signal;all
+pidfd_open;all
+close_range;all
+pidfd_getfd;all
+process_madvise;all
+fork;arm
+open;arm
+unlink;arm
+mknod;arm
+chmod;arm
+access;arm
+rename;arm
+mkdir;arm
+rmdir;arm
+pipe;arm
+dup2;arm
+sigaction;arm
+symlink;arm
+readlink;arm
+stat;arm
+sigreturn;arm
+_llseek;arm
+_newselect;arm
+poll;arm
+vfork;arm
+ugetrlimit;arm
+mmap2;arm
+truncate64;arm
+ftruncate64;arm
+stat64;arm
+fstat64;arm
+lchown32;arm
+getuid32;arm
+getgid32;arm
+geteuid32;arm
+getegid32;arm
+setreuid32;arm
+setregid32;arm
+chown32;arm
+getgroups32;arm
+setgroups32;arm
+fchown32;arm
+setresuid32;arm
+getresuid32;arm
+setresgid32;arm
+getresgid32;arm
+setuid32;arm
+setgid32;arm
+fcntl64;arm
+sendfile64;arm
+statfs64;arm
+fstatfs64;arm
+fadvise64_64;arm
+fstatat64;arm
+sync_file_range2;arm
+clock_gettime64;arm
+cacheflush;arm
+set_tls;arm
\ No newline at end of file