Commit graph

8 commits

Author SHA1 Message Date
Robert Sesek
74cdb253ba Move pipe, open, and getdents from the APP to COMMON seccomp whitelist.
These system calls are required by Breakpad for crash reporting.
WebViews are spawned from the webview_zygote, which itself is spawned
from the app_process zygote. The webview_zygote gets the SYSTEM seccomp
policy applied because it is not an app, and so the WebView sandboxed
processes inherit that policy.

In Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab, these system calls were
moved from COMMON to APP, which breaks Breakpad/crash reporting for
WebView sandboxed processes.

Bug: 112572914
Test: `am start com.android.settings/.SettingsLicenseActivity`
Test: Get the pid of the sandboxed_process0 for the license viewer.
Test: Send the process SIGABRT and check logcat for "google-breakpad"
      error messages.

Change-Id: I1cf56ae85b1a67ec91e979bc7e0f941726a9cc0e
2018-09-11 19:20:34 -04:00
Orion Hodson
6ba6694ec2 libc: Add membarrier to common seccomp allowed list
Allows ART JIT use membarrier to invalidate instruction
pipelines.

Bug: 66095511
Test: bionic-unit-tests
Change-Id: I8cf83929f00baf5a3c440a899d2667a992bda8e2
2018-09-06 16:36:09 +01:00
Luis Hector Chavez
ef1a34c85d seccomp: Allow readlink(2) in x86_64 for UBSan's sake
This change allows the use of readlink(2) so that UBSan can work
correctly on x86_64.

Bug: 111999822
Test: CtsWrapWrapDebugTestCases
Change-Id: I7f3013c712e3e41567a0d8e1bbb9d378c04b4433
2018-08-03 10:36:02 -07:00
Victor Hsieh
1afb40c9fe Revert "Revert system seccomp filter changes"
This reverts commit 040c28a023.

Reason for revert: reland since the actual problem has been fixed

Change-Id: Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab
Test: the apps in the bug no longer crashes.
Bug: 76461821
2018-03-30 16:48:36 +00:00
Victor Hsieh
040c28a023 Revert system seccomp filter changes
521b41 "Allow system processes to use vfork"
ed74ab "Move some syscalls in commmon whitelist to app"

An implementation bug actually assigns the system seccomp filter to all
processes after zygote forks.

Test: the apps in the bug no longer crashes.
Bug: 76461821
2018-03-27 13:43:24 -07:00
Victor Hsieh
521b412aa1 Allow system processes to use vfork
java.lang.ProcessBuilder is internally using vfork in the current
configuration (see UNIXProcess_md.c in libcore).

Test: On an x86 Chromebook, trigger dropbox error event (1. settings
      put global logcat_for_system_app_anr 50; 2. kill -19 `pidof
      com.android.settings'; touch Settings).  Saw seccomp error in
      logcat but only without this fix.
Test: fyi, not reproducible on walleye (arm64)
Bug: 74441404

Change-Id: I1f40ae0fe0607c5834ecbe040ed31c4c0e42131d
2018-03-09 11:52:32 -08:00
Victor Hsieh
ed74abc8dc Move some syscalls in commmon whitelist to app
Test: system boots and basically runs
Bug: 63944145

Change-Id: I5cb080d13fb98a2106201037f3817f027912a8aa
2018-03-01 11:07:13 -08:00
Victor Hsieh
4f02dd5755 Split zygote's seccomp filter into two
To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps.  Note that
there is current no change between them.

Zygote will apply these filters appropriately to system server and apps.

Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.

Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.

Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145

Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
2018-01-04 12:28:40 -08:00
Renamed from libc/SECCOMP_WHITELIST.TXT (Browse further)