Merge "Move zygote's seccomp setup to post-fork"

2018-01-09 21:41:19 +00:00
parent 99f99a52e7 6a4a339832
commit 5d33c10a96
5 changed files with 26 additions and 7 deletions
--- a/core/java/android/os/Seccomp.java
+++ b/core/java/android/os/Seccomp.java
@@ -20,5 +20,6 @@ package android.os;
 * @hide
 */
 public final class Seccomp {
-    public static final native void setPolicy();
+    public static native void setSystemServerPolicy();
+    public static native void setAppPolicy();
 }
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
@@ -17,6 +17,7 @@
 package com.android.internal.os;


+import android.os.Seccomp;
 import android.os.Trace;
 import dalvik.system.ZygoteHooks;
 import android.system.ErrnoException;
@@ -155,6 +156,9 @@ public final class Zygote {
     */
    public static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
            int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
+        // Set system server specific seccomp policy.
+        Seccomp.setSystemServerPolicy();
+
        VM_HOOKS.preFork();
        // Resets nice priority for zygote process.
        resetNicePriority();
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -30,6 +30,7 @@ import android.net.Credentials;
 import android.net.LocalSocket;
 import android.os.FactoryTest;
 import android.os.Process;
+import android.os.Seccomp;
 import android.os.SystemProperties;
 import android.os.Trace;
 import android.system.ErrnoException;
@@ -767,6 +768,9 @@ class ZygoteConnection {
            Process.setArgV0(parsedArgs.niceName);
        }

+        // Set app specific seccomp policy.
+        Seccomp.setAppPolicy();
+
        // End of the postFork event.
        Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
        if (parsedArgs.invokeWith != null) {
--- a/core/java/com/android/internal/os/ZygoteInit.java
+++ b/core/java/com/android/internal/os/ZygoteInit.java
@@ -782,9 +782,6 @@ public class ZygoteInit {
            // Zygote process unmounts root storage spaces.
            Zygote.nativeUnmountStorageOnInit();

-            // Set seccomp policy
-            Seccomp.setPolicy();
-
            ZygoteHooks.stopZygoteNoThreadCreation();

            if (startSystemServer) {
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -21,20 +21,33 @@

 #include "seccomp_policy.h"

-static void Seccomp_setPolicy(JNIEnv* /*env*/) {
+static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
    if (security_getenforce() == 0) {
        ALOGI("seccomp disabled by setenforce 0");
        return;
    }

-    if (!set_seccomp_filter()) {
+    if (!set_system_seccomp_filter()) {
+        ALOGE("Failed to set seccomp policy - killing");
+        exit(1);
+    }
+}
+
+static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
+    if (security_getenforce() == 0) {
+        ALOGI("seccomp disabled by setenforce 0");
+        return;
+    }
+
+    if (!set_app_seccomp_filter()) {
        ALOGE("Failed to set seccomp policy - killing");
        exit(1);
    }
 }

 static const JNINativeMethod method_table[] = {
-    NATIVE_METHOD(Seccomp, setPolicy, "()V"),
+    NATIVE_METHOD(Seccomp, setSystemServerPolicy, "()V"),
+    NATIVE_METHOD(Seccomp, setAppPolicy, "()V"),
 };

 namespace android {