From 6a4a3398325787f6cb1b93db17a7bf50d353e2a5 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Wed, 20 Dec 2017 09:51:51 -0800
Subject: [PATCH] Move zygote's seccomp setup to post-fork

Before this change, seccomp filter setup is as early as in zygote's main function. To make it possible to split app and system server's filter, this postpone the setup to after fork. It also starts to call app specific and system server specific setup function. In terms of performance since this happens at fork, the measure shows the overhead is negligible. Assuming 130 instruction in the BPF, on walleye, even when running on little core with fixed low frequency, each setup took about 60.9us on average. When it runs on big core with higher frequency, it took about 39.3us.

Test: (cts) -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145
Change-Id: I748735b478405098beac1e200d911c13ea60e380
Merged-In: I748735b478405098beac1e200d911c13ea60e380
---
 core/java/android/os/Seccomp.java | 3 ++-
 core/java/com/android/internal/os/Zygote.java | 4 ++++
 .../android/internal/os/ZygoteConnection.java | 4 ++++
 .../com/android/internal/os/ZygoteInit.java | 3 ---
 core/jni/android_os_seccomp.cpp | 19 ++++++++++++++++---
 5 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/core/java/android/os/Seccomp.java b/core/java/android/os/Seccomp.java
index f14e93fe9403a..335e44b657111 100644
--- a/core/java/android/os/Seccomp.java
+++ b/core/java/android/os/Seccomp.java
@@ -20,5 +20,6 @@ package android.os;
  * @hide
  */
 public final class Seccomp {
-    public static final native void setPolicy();
+    public static native void setSystemServerPolicy();
+    public static native void setAppPolicy();
 }
diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/android/internal/os/Zygote.java
index 3ee8b472869b6..ebebad2950ce9 100644
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
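Review bot: The two new native declarations carry no Javadoc, and the class comment above them says only `@hide`, so a Java caller cannot tell which process each method is meant for or what happens on failure. From the JNI hunk later in this patch, both natives `exit(1)` when the filter cannot be installed and skip installation entirely when `security_getenforce()` returns 0, which is worth stating on the API. Suggested on `setSystemServerPolicy()`: `/** Installs the system_server seccomp filter in the calling process; skipped when SELinux is permissive, fatal on failure. */`, with the same wording for the app filter on `setAppPolicy()`. Dropping `final` from the static natives changes nothing for callers.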
@@ -17,6 +17,7 @@ package com.android.internal.os;
+import android.os.Seccomp;
 import android.os.Trace;
 import dalvik.system.ZygoteHooks;
 import android.system.ErrnoException;
@@ -155,6 +156,9 @@ public final class Zygote {
      */
     public static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
             int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
+        // Set system server specific seccomp policy.
+        Seccomp.setSystemServerPolicy();
+
         VM_HOOKS.preFork();
         // Resets nice priority for zygote process.
         resetNicePriority();
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 6a87b1f4d3fd8..24c4a8d8d438a 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -30,6 +30,7 @@ import android.net.Credentials;
 import android.net.LocalSocket;
 import android.os.FactoryTest;
 import android.os.Process;
+import android.os.Seccomp;
 import android.os.SystemProperties;
 import android.os.Trace;
 import android.system.ErrnoException;
@@ -767,6 +768,9 @@ class ZygoteConnection {
             Process.setArgV0(parsedArgs.niceName);
         }
 
+        // Set app specific seccomp policy.
+        Seccomp.setAppPolicy();
+
         // End of the postFork event.
         Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
         if (parsedArgs.invokeWith != null) {
diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java
index 2be6212b9f1ee..40168328c5bc9 100644
--- a/core/java/com/android/internal/os/ZygoteInit.java
+++ b/core/java/com/android/internal/os/ZygoteInit.java
@@ -782,9 +782,6 @@ public class ZygoteInit {
             // Zygote process unmounts root storage spaces.
             Zygote.nativeUnmountStorageOnInit();
 
-            // Set seccomp policy
-            Seccomp.setPolicy();
-
             ZygoteHooks.stopZygoteNoThreadCreation();
 
             if (startSystemServer) {
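Review bot: `Seccomp.setSystemServerPolicy()` is called before `VM_HOOKS.preFork()`, which places it in the zygote itself rather than in the forked child and contradicts the commit's stated goal of moving setup to after fork; the fork in `forkSystemServer` happens later in the method, outside the hunk. Seccomp filters are inherited across fork, so if this line runs in the parent, the zygote and every app it forks afterwards would carry the system_server filter on top of the app filter, and the two policies are no longer separable. The call belongs in the child-side branch taken when the fork returns 0, mirroring where the app path installs its filter in ZygoteConnection, or in native code immediately after the fork.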
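Review bot: `Seccomp.setAppPolicy()` is installed at the end of the child's post-fork sequence, after `Process.setArgV0(...)` and whatever precedes it in this method outside the hunk, so all of that child-side code executes before the filter is in force. If the late placement is deliberate, the comment should say why; otherwise the call should move to the start of the child's post-fork work so the unfiltered window is as short as possible. Suggested comment in place of the one added: `// Set app specific seccomp policy. Runs in the child after fork; everything above this line executes unfiltered.` The enclosing method starts and ends outside the hunk.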
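Review bot: Removing `Seccomp.setPolicy()` from zygote init leaves the zygote process itself without a seccomp filter for its whole lifetime, a posture change the commit message does not mention; before this patch the zygote was filtered from its main function onward. Since the `forkSystemServer` hunk installs the system_server policy before the fork, the zygote that forks system_server may pick that filter up as a side effect, but a zygote instance that never calls `forkSystemServer` would stay unfiltered, and hardening the parent through a side effect of another call is fragile. Worth either a commit-message note that the zygote is intentionally unfiltered from now on, or an explicit zygote policy installed here in place of the removed call.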
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index 06e2a167de0a8..b9006e4403cd2 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -21,20 +21,33 @@
 #include "seccomp_policy.h"
 
-static void Seccomp_setPolicy(JNIEnv* /*env*/) {
+static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
     if (security_getenforce() == 0) {
         ALOGI("seccomp disabled by setenforce 0");
         return;
     }
 
-    if (!set_seccomp_filter()) {
+    if (!set_system_seccomp_filter()) {
+        ALOGE("Failed to set seccomp policy - killing");
+        exit(1);
+    }
+}
+
+static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
+    if (security_getenforce() == 0) {
+        ALOGI("seccomp disabled by setenforce 0");
+        return;
+    }
+
+    if (!set_app_seccomp_filter()) {
         ALOGE("Failed to set seccomp policy - killing");
         exit(1);
     }
 }
 
 static const JNINativeMethod method_table[] = {
-    NATIVE_METHOD(Seccomp, setPolicy, "()V"),
+    NATIVE_METHOD(Seccomp, setSystemServerPolicy, "()V"),
+    NATIVE_METHOD(Seccomp, setAppPolicy, "()V"),
 };
 
 namespace android {
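Review bot: `Seccomp_setSystemServerPolicy` and `Seccomp_setAppPolicy` are identical except for the filter function they call, and both log the same `"Failed to set seccomp policy - killing"` message, so a failure in the log cannot be attributed to either policy. A shared helper taking the installer and a label removes the duplication and lets the log line name the policy that failed. Note also that `security_getenforce()` is now consulted at every fork rather than once at zygote start, so a runtime switch to permissive affects only processes forked afterwards while already-running ones keep their filter; presumably acceptable, but worth a comment on the helper.
```cpp
// Installs one seccomp filter, or exits the process if that fails.
// Checked at every call: enforcing state is read at fork time, not zygote start.
static void setPolicyOrDie(bool (*install_filter)(), const char* which) {
    if (security_getenforce() == 0) {
        ALOGI("seccomp disabled by setenforce 0");
        return;
    }

    if (!install_filter()) {
        ALOGE("Failed to set %s seccomp policy - killing", which);
        exit(1);
    }
}

static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
    setPolicyOrDie(set_system_seccomp_filter, "system_server");
}

static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
    setPolicyOrDie(set_app_seccomp_filter, "app");
}

// … unchanged: method_table …
```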