tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_bionic/libc/SECCOMP_WHITELIST_SYSTEM.TXT

7 lines
301 B
Text
Raw Normal View History

Add seccomp blacklist, and exclude swap functions Bug: 37253880 Test: Make sure device boots Run pylint on genseccomp.py, test_genseccomp.py Run test_genseccomp.py Run new CTS test cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d
2017-04-12 19:02:54 +02:00
# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes.
#
Split zygote's seccomp filter into two To pave the way to reducing app's kernel attack surface, this change split the single filter into one for system and one for apps. Note that there is current no change between them. Zygote will apply these filters appropriately to system server and apps. Keep set_seccomp_filter() for now until the caller has switched to the new API, which I will do immediately after this before the two filters diverse. Also remove get_seccomp_filter() since it doesn't seem to be used anyway. Test: diff the generated code, no difference except the variable names Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest Bug: 63944145 Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
2017-12-20 18:19:22 +01:00
# This file is processed by a python script named genseccomp.py.
Add bpf syscall to seccomp whitelist The netd service and system server will use bpf syscalls to get network stats information when kernel supported. And the syscall from system server will need seccomp permission to run it. Test: -m CtsNetTestCases -t android.net.cts.TrafficStatsTest Bug: 30950746 Change-Id: I01c46f243dca0933a44cbfd3148f9e4748f9bc99
2018-01-18 20:26:24 +01:00
int bpf(int cmd, union bpf_attr *attr, unsigned int size) all
Reference in a new issue Copy permalink