From ffad2adfa5488f43a798a30a7fdb14426f495e59 Mon Sep 17 00:00:00 2001
From: Paul Lawrence
Date: Fri, 3 Mar 2017 13:04:35 -0800
Subject: [PATCH] Make seccomp honor setenforce

Note: This code is in frameworks, since we might want to have tools linked against seccomp_policy that continue to enforce seccomp

Bug: 35950093
Test: Builds, Seccomp: 2 is in zygote & zygote64 status Run setenforce 0 && stop && start Seccomp: 0 is in zygote & zygote64 status
Change-Id: I797a6c29f58725f84089c570f784125fb99f57ce
---
 core/jni/Android.mk | 2 ++
 core/jni/android_os_seccomp.cpp | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/core/jni/Android.mk b/core/jni/Android.mk
index a9ca12b26d0b6..69867323a0bed 100644
--- a/core/jni/Android.mk
+++ b/core/jni/Android.mk
@@ -218,6 +218,8 @@ LOCAL_C_INCLUDES += \
 LOCAL_STATIC_LIBRARIES := \
 libseccomp_policy \
+ libselinux \
+ libcrypto \
 LOCAL_SHARED_LIBRARIES := \
 libmemtrack \
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index dd5622d80e45b..45023713ea859 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -17,9 +17,16 @@
 #include "core_jni_helpers.h"
 #include "JniConstants.h"
 #include "utils/Log.h"
+#include
+
 #include "seccomp_policy.h"
 static void Seccomp_setPolicy(JNIEnv* /*env*/) {
+ if (security_getenforce() == 0) {
+ ALOGI("seccomp disabled by setenforce 0");
+ return;
+ }
+
 if (!set_seccomp_filter()) {
 ALOGE("Failed to set seccomp policy - killing");
 exit(1);
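Review bot: libcrypto is added to LOCAL_STATIC_LIBRARIES although nothing in this change calls it directly; presumably it satisfies a dependency of libselinux, and that is worth a one-line comment so the next reader does not have to trace it, e.g. `# libcrypto: needed by libselinux`. Statically linking both libraries also means this copy of libcrypto is refreshed only when this JNI library is rebuilt rather than with the platform's shared libcrypto; if the process already has a shared libselinux available, LOCAL_SHARED_LIBRARIES may be the better home, which I cannot confirm from the hunk alone. The libselinux/libcrypto lines are the only new lines; the surrounding library lists continue outside the hunk.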
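Review bot: The new guard at the top of Seccomp_setPolicy skips the filter only when security_getenforce() returns exactly 0, so its -1 error return (enforce state unreadable) still falls through to set_seccomp_filter(); that fail-closed behaviour is the right default but is not obvious from `== 0` and deserves a comment, e.g. `// Only an explicit permissive (0) skips seccomp; -1 (state unreadable) keeps enforcing.`. The added include has lost its target in this rendering (`+#include` with nothing after it), so confirm the header actually pulled in is the libselinux one that declares security_getenforce(). The ALOGI line gives a log record when seccomp is left off, which is useful when a device's Seccomp status does not match expectations. Seccomp_setPolicy's body continues past the end of the hunk.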