# Seccomp

The seccomp system is used to filter the syscalls that sandboxed processes can use. The form of
seccomp used by crosvm (`SECCOMP_SET_MODE_FILTER`) allows a BPF program to be used as the filter. To
generate the BPF programs, crosvm uses minijail's policy file format. A policy file is written for
each device per architecture: each device requires a unique set of syscalls to accomplish its
function, and each architecture has slightly different naming for similar syscalls. The ChromeOS
docs have a useful
[listing of syscalls](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md).

## Writing a Policy for crosvm

The detailed rules for naming policy files can be found in
[seccomp/README.md](https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/seccomp/README.md).

Most policy files will include the `common_device.policy` for a given architecture using this
directive near the top:

```
@include /usr/share/policy/crosvm/common_device.policy
```

The common device policy for `x86_64` is:

```
{{#include ../../../../jail/seccomp/x86_64/common_device.policy:5:}}
```

The syntax is simple: one syscall per line, followed by a colon `:`, followed by a boolean
expression used to constrain the arguments of the syscall. The simplest expression is `1`, which
unconditionally allows the syscall. Only simple expressions work, typically to allow or deny specific
flag values. A major limitation is that checking the contents of pointers isn't possible using
minijail's policy format (the filter only sees the argument values themselves). If a syscall is not
listed in a policy file, it is not allowed.

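A small reader for this format, added here as an example (it is not crosvm's or minijail's own code): it parses comment, `@include` and `syscall: expression` lines and evaluates the subset of expressions described above (`1`, `argN == VALUE`, `argN != VALUE`, `argN & MASK`, joined with `&&` and `||`), so the "unlisted means denied" rule and an argument constraint can be checked against sample argument values. The `SYMBOLS` table and `SAMPLE_POLICY` are constructed for illustration, and the expression evaluator is a simplification, not a reproduction of how minijail compiles policies to BPF.

```python
"""Reader for minijail-style seccomp policy files (added example, not crosvm's
or minijail's own code).  Handles `#` comments, `@include`, and `syscall: expr`
lines whose expression is `1` or `argN <op> VALUE` atoms joined by `&&`/`||`."""
import re

# Constructed symbol table: a few x86_64 Linux constants the sample policy names.
SYMBOLS = {"PR_SET_NAME": 15, "FIONBIO": 0x5421, "FIOCLEX": 0x5451}
OPS = {"==": lambda a, v: a == v, "!=": lambda a, v: a != v, "&": lambda a, v: (a & v) != 0}
RULE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(.+)$")
ATOM_RE = re.compile(r"^arg([0-5])\s*(==|!=|&)\s*([A-Za-z0-9_]+)$")

SAMPLE_POLICY = """\
# Constructed sample policy in the format described above.
@include /usr/share/policy/crosvm/common_device.policy
read: 1
prctl: arg0 == PR_SET_NAME
ioctl: arg1 == FIONBIO || arg1 == FIOCLEX
"""

def parse_policy(text):
    """Return (rules, includes); rules maps syscall name -> expression text."""
    rules, includes = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("@include"):
            includes.append(line.split(None, 1)[1])  # recorded, not followed
        elif line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"malformed policy line: {raw!r}")
            rules[m.group(1)] = m.group(2).strip()
    return rules, includes

def _eval_atom(atom, args):
    """One atom; only register values are visible, never pointed-to memory."""
    if atom == "1":
        return True
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported expression: {atom!r}")
    value = SYMBOLS[m.group(3)] if m.group(3) in SYMBOLS else int(m.group(3), 0)
    return OPS[m.group(2)](args[int(m.group(1))], value)

def is_allowed(rules, syscall, args=(0,) * 6):
    """Unlisted syscalls are denied; `&&` binds tighter than `||`."""
    expr = rules.get(syscall)
    if expr is None:
        return False
    return any(all(_eval_atom(a.strip(), args) for a in conj.split("&&"))
               for conj in expr.split("||"))
```

Running `parse_policy(SAMPLE_POLICY)` and then `is_allowed(rules, "ioctl", (3, 0x5450, 0, 0, 0, 0))` returns `False`, because `FIONCLEX` is not one of the two permitted request values, while any syscall absent from the file is denied regardless of its arguments.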