This reverts commit 040c28a023.
Reason for revert: reland since the actual problem has been fixed
Change-Id: Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab
Test: the apps in the bug no longer crashes.
Bug: 76461821
Several privileged syscalls are still needed before a zygote-fork hangs
over the execution to the apps.
Test: system starts, different apps run
Bug: 63944145
Bug: 76461821
Change-Id: I78da54dac509eb073bc2aa7b820a1f6b0c39a775
521b41 "Allow system processes to use vfork"
ed74ab "Move some syscalls in commmon whitelist to app"
An implementation bug actually assigns the system seccomp filter to all
processes after zygote forks.
Test: the apps in the bug no longer crashes.
Bug: 76461821
java.lang.ProcessBuilder is internally using vfork in the current
configuration (see UNIXProcess_md.c in libcore).
Test: On an x86 Chromebook, trigger dropbox error event (1. settings
put global logcat_for_system_app_anr 50; 2. kill -19 `pidof
com.android.settings'; touch Settings). Saw seccomp error in
logcat but only without this fix.
Test: fyi, not reproducible on walleye (arm64)
Bug: 74441404
Change-Id: I1f40ae0fe0607c5834ecbe040ed31c4c0e42131d
We've been using #pragma once for new internal files, but let's be more bold.
Bug: N/A
Test: builds
Change-Id: I7e2ee2730043bd884f9571cdbd8b524043030c07
The netd service and system server will use bpf syscalls to get network
stats information when kernel supported. And the syscall from system
server will need seccomp permission to run it.
Test: -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 30950746
Change-Id: I01c46f243dca0933a44cbfd3148f9e4748f9bc99
Setting PR_SET_NO_NEW_PRIVS actually breaks SELinux domain transition
(of debuggerd, for example). Do not set the bit when install the filter.
Instead, the caller must either have done it, or have CAP_SYS_ADMIN.
Test: build
Bug: 63944145
Bug: 71859146
Change-Id: I2af334fed61cac03fd0b3b5c8866e2e72b31cf17
To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps. Note that
there is current no change between them.
Zygote will apply these filters appropriately to system server and apps.
Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.
Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.
Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145
Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.
Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
observing modprobe fail, confirm regular seccomp unchanged by
comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
This seccomp failure is in the fault handler:
05-25 12:03:25.042 10201 27425 27425 F DEBUG : backtrace:
05-25 12:03:25.042 10201 27425 27425 F DEBUG : #00 pc 00015380
/data/data/redacted/files/storage/lib/libcrashsdk.so
So whenever an app using this crash sdk crashes it looks like a seccomp
problem. Fixing this won't stop the apps crashing, but will make the
crash reports accurate and useful.
So yes, the bug below is already fixed, but this issue has come back 2
or 3 times with different apps (latest is b/62874867). This change
doesn't fix that crash either, but again it improves the reporting.
Bug: 62090571
Test: Device boots, app still fails but no longer with SECCOMP error
Change-Id: Ie0f8dc965001c8bc43f6a545b35bdcd38f006213
Set correct values for PRIMARY and SECONDARY arch definitions
to match LE MIPS architectures.
This change is resolving boot problem for mips32 arch with 3.18 kernel.
This also fixes mips64 issue related to PRIMARY_ARCH definition,
but in order to boot to home screen it needs additional syscalls whitelisted
which will be introduced in separate patch.
Tested on emulator:
emulator -kernel prebuilts/qemu-kernel/mips/3.18/kernel-qemu2
Change-Id: I68dfd136c22141933a8a8c5336db01a02f00b0df
Add some useful new syscalls that we currently aren't using in bionic,
but might in the future to the seccomp whitelist.
Bug: http://b/37317198
Test: mma
Change-Id: I6550867da152cea84fb13d0c15a399cdb2acf1aa
Bug: 37253880
Test: Make sure device boots
Run pylint on genseccomp.py, test_genseccomp.py
Run test_genseccomp.py
Run new CTS test
cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d
The check that we are not below the lowest permitted syscall was
off by one, so we always allowed them, rather than always denying
them
Test: Check arm64 boots, chrome and maps work
mips and mips64 emulators boot
Note that arm, x86 and x86_64 already allow syscall 0 so there
will be no functional change there
Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
Test: Make sure arm, x86, x86_64, mips, mips64 emulators boot
Make sure sailfish still boots
Ran CTS test from
https://android-review.googlesource.com/#/c/348671/3 and it passed
The instructions for how to run mips emulators above worked, but
the CTS tests did not seem to actually run.
Change-Id: Iddee5acdb19ed32c7bd4657573313ca439cf6a49
Policy library which exports an autogenerated policy from SYSCALLS.TXT
blocking any other calls.
Test: Generate policy, install onto Sailfish, check boots, Chrome runs,
calls are blocked.
Bug: 32313202
Change-Id: Ib590704e50122f077eeae26561eb9b0a70386551
