Commit graph

47 commits

Author SHA1 Message Date
Tom Cherry
a06c49c37f Add recovery_available: true to libseccomp_policy
Init needs this in order to be built in Android.bp

Test: build

Change-Id: I0ce67a3c84cf476b28be039b9c9b345bc381de7b
2018-07-24 13:36:59 -07:00
Treehugger Robot
72d60a95fa Merge "Revert "Revert system seccomp filter changes"" 2018-04-02 23:43:50 +00:00
Victor Hsieh
1afb40c9fe Revert "Revert system seccomp filter changes"
This reverts commit 040c28a023.

Reason for revert: reland since the actual problem has been fixed

Change-Id: Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab
Test: the apps in the bug no longer crashes.
Bug: 76461821
2018-03-30 16:48:36 +00:00
Victor Hsieh
e15233cc6b Allow several syscalls to app process
Several privileged syscalls are still needed before a zygote-fork hangs
over the execution to the apps.

Test: system starts, different apps run
Bug: 63944145
Bug: 76461821
Change-Id: I78da54dac509eb073bc2aa7b820a1f6b0c39a775
2018-03-28 16:30:20 -07:00
Victor Hsieh
040c28a023 Revert system seccomp filter changes
521b41 "Allow system processes to use vfork"
ed74ab "Move some syscalls in commmon whitelist to app"

An implementation bug actually assigns the system seccomp filter to all
processes after zygote forks.

Test: the apps in the bug no longer crashes.
Bug: 76461821
2018-03-27 13:43:24 -07:00
Victor Hsieh
521b412aa1 Allow system processes to use vfork
java.lang.ProcessBuilder is internally using vfork in the current
configuration (see UNIXProcess_md.c in libcore).

Test: On an x86 Chromebook, trigger dropbox error event (1. settings
      put global logcat_for_system_app_anr 50; 2. kill -19 `pidof
      com.android.settings'; touch Settings).  Saw seccomp error in
      logcat but only without this fix.
Test: fyi, not reproducible on walleye (arm64)
Bug: 74441404

Change-Id: I1f40ae0fe0607c5834ecbe040ed31c4c0e42131d
2018-03-09 11:52:32 -08:00
Victor Hsieh
ed74abc8dc Move some syscalls in commmon whitelist to app
Test: system boots and basically runs
Bug: 63944145

Change-Id: I5cb080d13fb98a2106201037f3817f027912a8aa
2018-03-01 11:07:13 -08:00
Elliott Hughes
cbc80ba9d8 Switch the rest of our internal headers to #pragma once.
We've been using #pragma once for new internal files, but let's be more bold.

Bug: N/A
Test: builds
Change-Id: I7e2ee2730043bd884f9571cdbd8b524043030c07
2018-02-13 14:27:17 -08:00
Elliott Hughes
d50a1de565 Run bpfmt manually.
Bug: N/A
Test: builds
Change-Id: I0cf145c3b699ac8ef170a63366832f63a9cc1a91
2018-02-05 17:30:57 -08:00
Treehugger Robot
6ea80375e6 Merge "Block bunch of privileged syscalls to apps" 2018-01-23 17:54:30 +00:00
Victor Hsieh
2f23ceda44 Block bunch of privileged syscalls to apps
Test: build, run some app
Bug: 63944145
Change-Id: I13eb56f923732e110851dec02eaa11f6cb44535c
2018-01-22 22:30:17 -08:00
Treehugger Robot
0dac05642e Merge "Add bpf syscall to seccomp whitelist" 2018-01-19 01:59:05 +00:00
Chenbo Feng
60f3ed41a3 Add bpf syscall to seccomp whitelist
The netd service and system server will use bpf syscalls to get network
stats information when kernel supported. And the syscall from system
server will need seccomp permission to run it.

Test: -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 30950746
Change-Id: I01c46f243dca0933a44cbfd3148f9e4748f9bc99
2018-01-18 12:08:34 -08:00
Victor Hsieh
52d4c3a53e Deprecate set_seccomp_filter
Test: build
Bug: 63944145
Change-Id: Ifbef2727844cd46eb1f933ed89141186f50e1a1b
2018-01-17 16:44:17 -08:00
Victor Hsieh
dab45ad936 Do not set PR_SET_NO_NEW_PRIVS when install seccomp filter
Setting PR_SET_NO_NEW_PRIVS actually breaks SELinux domain transition
(of debuggerd, for example). Do not set the bit when install the filter.
Instead, the caller must either have done it, or have CAP_SYS_ADMIN.

Test: build
Bug: 63944145
Bug: 71859146
Change-Id: I2af334fed61cac03fd0b3b5c8866e2e72b31cf17
2018-01-15 11:37:49 -08:00
Victor Hsieh
4f02dd5755 Split zygote's seccomp filter into two
To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps.  Note that
there is current no change between them.

Zygote will apply these filters appropriately to system server and apps.

Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.

Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.

Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145

Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
2018-01-04 12:28:40 -08:00
Chih-Hung Hsieh
84f0dcd59e Use -Werror in bionic
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: Ic68141a5c50880c485646e38349f94b866267bd9
2017-10-02 13:21:22 -07:00
Elliott Hughes
9651093569 Run other maintenance scripts as part of the preupload hooks.
And get back up to date by actually running them...

Bug: N/A
Test: uploaded this
Change-Id: I54fec461190e8570929fdcbcbf2746ddd6a4b293
2017-09-28 22:28:23 -07:00
Treehugger Robot
0e23c87de5 Merge "Allow io_* syscalls." 2017-08-29 03:28:25 +00:00
Steve Muckle
aa3f96c9c4 Create global seccomp policy.
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.

Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
      observing modprobe fail, confirm regular seccomp unchanged by
      comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
2017-07-21 20:30:21 -07:00
Jerry Zhang
8dc4ef98ff Allow io_* syscalls.
Bug: 37916658
Bug: 31712568
Test: Use the syscalls, verify not seccomp blocked
Change-Id: Iae19003cc5ff7e3d00cfc2237420f370fba7e289
2017-07-14 11:14:49 -07:00
Paul Lawrence
076b8d75be Expand Seccomp whitelist
This seccomp failure is in the fault handler:

05-25 12:03:25.042 10201 27425 27425 F DEBUG   : backtrace:
05-25 12:03:25.042 10201 27425 27425 F DEBUG   :     #00 pc 00015380
/data/data/redacted/files/storage/lib/libcrashsdk.so

So whenever an app using this crash sdk crashes it looks like a seccomp
problem.  Fixing this won't stop the apps crashing, but will make the
crash reports accurate and useful.

So yes, the bug below is already fixed, but this issue has come back 2
or 3 times with different apps (latest is b/62874867). This change
doesn't fix that crash either, but again it improves the reporting.

Bug: 62090571
Test: Device boots, app still fails but no longer with SECCOMP error
Change-Id: Ie0f8dc965001c8bc43f6a545b35bdcd38f006213
2017-06-23 16:50:04 +00:00
Josh Gao
c45b588112 Whitelist __NR__newselect.
Bug: http://b/62779795
Test: treehugger
Change-Id: I3e0279385641d4f06fcdeb955819a01c12c5229e
2017-06-22 16:47:08 -07:00
Paul Lawrence
966cf62a74 Expand whitelist
Bug: 37769298
Test: Boots. Cannot test app behavior without account
Change-Id: Iebb7616f100368bf2e702ec51f637df1f3727885
2017-05-25 16:22:04 -07:00
Lazar Trsic
dd5bd456fb [MIPS64] Enable necessary mips64 syscalls in seccomp whitelist
Allow execution of: newfstatat, fstat and cacheflush syscalls
for mips64 arch.

Test: Boot mips64 emulator to homescreen with 3.18 kernel.
emulator -kernel prebuilts/qemu-kernel/mips64/3.18/kernel-qemu2

Change-Id: Ib5d6b0060f3e17b64d86fc944aa83a5240d512f8
2017-05-05 15:37:11 +02:00
Lazar Trsic
22b4351d5e Fix MIPS seccomp definitions for PRIMARY and SECONDARY arch
Set correct values for PRIMARY and SECONDARY arch definitions
to match LE MIPS architectures.
This change is resolving boot problem for mips32 arch with 3.18 kernel.
This also fixes mips64 issue related to PRIMARY_ARCH definition,
but in order to boot to home screen it needs additional syscalls whitelisted
which will be introduced in separate patch.

Tested on emulator:
emulator -kernel prebuilts/qemu-kernel/mips/3.18/kernel-qemu2

Change-Id: I68dfd136c22141933a8a8c5336db01a02f00b0df
2017-05-05 15:27:58 +02:00
Josh Gao
de9262e5c5 Add syscalls that aren't currently used to the seccomp whitelist.
Add some useful new syscalls that we currently aren't using in bionic,
but might in the future to the seccomp whitelist.

Bug: http://b/37317198
Test: mma
Change-Id: I6550867da152cea84fb13d0c15a399cdb2acf1aa
2017-04-19 13:45:47 -07:00
Paul Lawrence
3dd3d55af2 Add seccomp blacklist, and exclude swap functions
Bug: 37253880
Test: Make sure device boots
      Run pylint on genseccomp.py, test_genseccomp.py
      Run test_genseccomp.py
      Run new CTS test
      cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest

Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d
2017-04-12 19:34:33 +00:00
Paul Lawrence
8b7a3559c1 Expand whitelist
Bug: 36726183
Test: Builds, call 90 added to policy

(cherry picked from commit 3ba8223b9a)

Change-Id: Ib8db1b764ce22aadf8050031d40040dd6c0e669e
2017-03-31 16:01:32 +00:00
Paul Lawrence
26f57b6b24 Expose seccomp table
Test: Run with internal cl
      https://googleplex-android-review.git.corp.google.com/#/c/2028102/
      and make sure passes
Bug: 20890063
Change-Id: Id78e5ea843554a5d3750b8f9b350f28ad4dca99b
2017-03-27 15:51:50 -07:00
Paul Lawrence
6a6d669bfc Expand whitelist
Bug: 36449658
Test: Builds
Change-Id: I610da03e7a3cede218d1657f53797ab72cbdf317
2017-03-23 12:21:29 -07:00
Paul Lawrence
65b47c9fe0 Fix problem that we don't block syscalls below min value
The check that we are not below the lowest permitted syscall was
off by one, so we always allowed them, rather than always denying
them

Test: Check arm64 boots, chrome and maps work
      mips and mips64 emulators boot
      Note that arm, x86 and x86_64 already allow syscall 0 so there
      will be no functional change there

Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
2017-03-22 09:48:17 -07:00
Paul Lawrence
822ecece23 Expand whitelist
Bug: 36435222
Test: App starts, plays game
Change-Id: If21f59e4d218be64fdac46115d35dc1ffb6fe771
2017-03-20 11:03:19 -07:00
Paul Lawrence
89fa81fda3 Support all architectures in seccomp
Test: Make sure arm, x86, x86_64, mips, mips64 emulators boot
      Make sure sailfish still boots
      Ran CTS test from
      https://android-review.googlesource.com/#/c/348671/3 and it passed
      The instructions for how to run mips emulators above worked, but
      the CTS tests did not seem to actually run.

Change-Id: Iddee5acdb19ed32c7bd4657573313ca439cf6a49
2017-03-13 18:26:50 +00:00
Paul Lawrence
34ddaaf256 Expand whitelist
Bug: 35879294
Test: Builds, boots. No easy test for reported issues.
Change-Id: Ib68a36f849a8dab14426600cdc6401fa8bb5b914
2017-03-07 15:23:08 -08:00
Elliott Hughes
cdf19c84e8 Merge "Generate both static and shared libseccomp_policy." 2017-03-04 00:20:13 +00:00
Paul Lawrence
e6daf3f34a Expand whitelist
Bug: 35917228
Test: App now runs fine with setenforce 0
Change-Id: I039385e5d0e5105ec337c62dd098dd1662442a2e
2017-03-03 11:19:08 -08:00
Elliott Hughes
926add1593 Generate both static and shared libseccomp_policy.
Also switch to Android.bp

Bug: N/A
Test: builds
Change-Id: I33697a40b30d071f8d07aa33e1fb2b0c6e8a9f6d
2017-03-02 18:57:44 -08:00
Paul Lawrence
7b4e7c4d55 Expand whitelist
Bug: 35906875
Test: Device boots, app runs further and fails with different error
Change-Id: I8df40ff85f8248504bca9a048510153970b31716
2017-03-02 18:48:13 +00:00
Paul Lawrence
dfe8434a62 Move seccomp policy to bionic
Test: Built and checked booted
Change-Id: Iaec1265fe5a55c4df90ab9e45b010ef36faf6bba
2017-02-27 12:42:39 -08:00
Paul Lawrence
98a53b7c74 Revert "Move seccomp policy to bionic"
This reverts commit 06a32206c5.

Reverting build-breaking change

Change-Id: Ib3698bca8f905033a9c7f22bc2fa9f7e7bf75873
2017-02-27 16:36:18 +00:00
Paul Lawrence
06a32206c5 Move seccomp policy to bionic
Test: Built and checked booted

Change-Id: If777eed75d5280c7a390399261e97125c04767b2
2017-02-24 12:52:19 -08:00
Paul Lawrence
0b2486a324 Expand whitelist
Bug: 35217603
Test: App no longer triggers seccomp exceptions when launched
Change-Id: I8ea904640a2f14c67a075e593067327407766220
2017-02-23 13:04:39 -08:00
Paul Lawrence
7ea4090c65 Autogenerate single policy from syscalls and whitelist
Bug: 35392119
Bug: 34465958
Test: Check boots and same syscalls are blocked as before

Change-Id: I9efa97032c59aebbbfd32e6f0d2d491f6254f0a2
2017-02-23 10:46:56 -08:00
Paul Lawrence
be8a2af2aa Create seccomp policy without TRAP for further processing
Bug: 34946764
Test: Make sure boots, seccomp still blocks, and is faster
Change-Id: Ib4abf4307ae545ee69a3fb9328f62c760a1b40f7
2017-02-03 09:36:45 -08:00
Paul Lawrence
3d9fc696a5 Use trap not kill in seccomp filter
Bug: 34647665
Test: Make sure boots, check that causing a seccomp failure creates a
      crash dump

Change-Id: I5ab2fe3e8322a3c38318c97d343834baa874af8d
2017-01-24 11:07:04 -08:00
Paul Lawrence
eabc352651 Add seccomp support library
Policy library which exports an autogenerated policy from SYSCALLS.TXT
blocking any other calls.

Test: Generate policy, install onto Sailfish, check boots, Chrome runs,
calls are blocked.
Bug: 32313202

Change-Id: Ib590704e50122f077eeae26561eb9b0a70386551
2017-01-19 13:38:47 -08:00