# Seccomp

The seccomp system is used to filter the syscalls that sandboxed processes can use. The form of
seccomp used by crosvm (`SECCOMP_SET_MODE_FILTER`) allows a BPF program to be installed as the filter. To generate
the BPF programs, crosvm uses minijail's policy file format. A policy file is written for each
device per architecture. Each device requires a unique set of syscalls to accomplish its function,
and each architecture has slightly different naming for similar syscalls. The Chrome OS docs have a
useful
[listing of syscalls](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md).

## Writing a Policy for crosvm

Most policy files will include the `common_device.policy` from a given architecture using this
directive near the top:

```
@include /usr/share/policy/crosvm/common_device.policy
```

The common device policy for `x86_64` is:

```
{{#include ../../../../seccomp/x86_64/common_device.policy:5:}}
```

The syntax is simple: one syscall per line, followed by a colon `:`, followed by a boolean
expression used to constrain the arguments of the syscall. The simplest expression is `1`, which
unconditionally allows the syscall. Only simple expressions work, typically to allow or deny specific
flag values. A major limitation is that checking the contents of pointers isn't possible using minijail's
policy format, because the filter only sees the raw argument values. If a syscall is not listed in a policy file, it is not allowed.
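To make the format concrete, here is an added example (not crosvm's or minijail's own code) that parses policy text in this syntax and mirrors the filter's decision for a syscall given its raw argument values: unlisted syscalls are denied, `1` allows unconditionally, and argument comparisons are evaluated on integers only. The sample policy is constructed, and the `#` comment lines and `argN == value` clauses follow minijail's documented syntax (only `==`, `!=`, `&&` and `||` are handled here).

```python
import re
from dataclasses import dataclass, field

# A clause compares one raw argument register against a literal (decimal or hex).
ARG_RE = re.compile(r"^arg(\d)\s*(==|!=)\s*(0x[0-9a-fA-F]+|\d+)$")

# Constructed sample in minijail policy syntax; NOT crosvm's real common_device.policy.
SAMPLE_POLICY = """\
# comment lines are ignored
@include /usr/share/policy/crosvm/common_device.policy
read: 1
write: 1
ioctl: arg1 == 0x5421 || arg1 == 0x5451
mmap: arg2 == 1 || arg2 == 3
"""

@dataclass
class Policy:
    rules: dict = field(default_factory=dict)      # syscall name -> expression text
    includes: list = field(default_factory=list)   # @include paths (recorded, not opened)

def parse_policy(text: str) -> Policy:
    """Parse 'syscall: expression' lines, '#' comments and '@include' directives."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            policy.includes.append(line.split(None, 1)[1].strip())
            continue
        name, sep, expr = line.partition(":")
        if not sep or not expr.strip():
            raise ValueError(f"malformed rule: {raw!r}")
        policy.rules[name.strip()] = expr.strip()
    return policy

def _clause_ok(clause: str, args: list) -> bool:
    m = ARG_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported expression: {clause!r}")
    idx, op, lit = int(m.group(1)), m.group(2), m.group(3)
    val = int(lit, 16) if lit.startswith("0x") else int(lit)
    return args[idx] == val if op == "==" else args[idx] != val

def allowed(policy: Policy, syscall: str, args=()) -> bool:
    """Decide like the filter would: deny unlisted syscalls, allow on '1', else
    evaluate an OR of ANDs over raw argument values. Pointer arguments are
    just integers here, which is exactly why their contents cannot be checked."""
    expr = policy.rules.get(syscall)
    if expr is None:
        return False
    if expr == "1":
        return True
    args = list(args) + [0] * (6 - len(args))   # seccomp exposes up to six args
    return any(all(_clause_ok(c, args) for c in term.split("&&")) for term in expr.split("||"))
```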