Commit graph

18 commits

Author SHA1 Message Date
Victor Hsieh
dbb8670dfd Use more inclusive language for seccomp filter
blacklist and whitelist are replaced with blocklist and allowlist
respectively.

Test: CtsSeccompHostTestCases
Change-Id: I39d9eda89038d1addbdaed59284a254a34cea1c6
2020-06-15 10:12:17 -07:00
Bram Bonné
acadd09c66 Speed up seccomp with priority list.
Allow to provide a list of prioritized syscalls (e.g., syscalls that we
know occur often) which are checked before other syscalls in seccomp.

When constructing the bpf seccomp filter, traverse prioritized syscalls
in a linear list before checking all other syscalls in a binary tree.

Bug: 156732794
Test: make, inspect generated *_system_policy.cpp files
Test: simpleperf on futex/ioctl-heavy app seems to show 5-10% less time
spent in seccomp call

Change-Id: I509343bcd32ada90c0591785ab5cb12d2a38c31e
(cherry picked from commit ce84677733)
2020-05-18 11:20:30 +02:00
Elliott Hughes
ae03b12925 Remove global seccomp list.
Never used, and incompatible with having bionic in a mainline module.

Test: builds
Change-Id: If377f66cc105fd3a1ec4d9c92330fa6a2d2c145c
2019-09-17 16:37:05 -07:00
Luis Hector Chavez
fa09b3c754 seccomp: Generate the policy files at compile time
This change avoids having to run the genseccomp.py script every time a
policy file is edited, and instead generates these files at
compile-time.

Bug: None
Test: m
Test: find out/soong/ -name x86_64_global_policy.cpp  # Shows files
Test: generated policies are equivalent to original policies
Change-Id: I12461fe0c5fb02c008c1b2503fbb994b8aa2f56b
2018-08-06 11:10:25 -07:00
Luis Hector Chavez
fd3f6d7126 genseccomp.py: Add a way to better find the clang prebuilt
This change makes it possible to invoke this tool without having to
fiddle with the path.

Bug: None
Test: ./bionic/libc/tools/genseccomp.py  # Succeeded
Change-Id: Ib24d70abc973fe774cda4209e46a5b66ae7617be
2018-08-03 12:57:21 -07:00
Victor Hsieh
2f23ceda44 Block bunch of privileged syscalls to apps
Test: build, run some app
Bug: 63944145
Change-Id: I13eb56f923732e110851dec02eaa11f6cb44535c
2018-01-22 22:30:17 -08:00
Victor Hsieh
4f02dd5755 Split zygote's seccomp filter into two
To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps.  Note that
there is current no change between them.

Zygote will apply these filters appropriately to system server and apps.

Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.

Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.

Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145

Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
2018-01-04 12:28:40 -08:00
Steve Muckle
aa3f96c9c4 Create global seccomp policy.
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.

Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
      observing modprobe fail, confirm regular seccomp unchanged by
      comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
2017-07-21 20:30:21 -07:00
Paul Lawrence
3dd3d55af2 Add seccomp blacklist, and exclude swap functions
Bug: 37253880
Test: Make sure device boots
      Run pylint on genseccomp.py, test_genseccomp.py
      Run test_genseccomp.py
      Run new CTS test
      cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest

Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d
2017-04-12 19:34:33 +00:00
Paul Lawrence
65b47c9fe0 Fix problem that we don't block syscalls below min value
The check that we are not below the lowest permitted syscall was
off by one, so we always allowed them, rather than always denying
them

Test: Check arm64 boots, chrome and maps work
      mips and mips64 emulators boot
      Note that arm, x86 and x86_64 already allow syscall 0 so there
      will be no functional change there

Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
2017-03-22 09:48:17 -07:00
Paul Lawrence
89fa81fda3 Support all architectures in seccomp
Test: Make sure arm, x86, x86_64, mips, mips64 emulators boot
      Make sure sailfish still boots
      Ran CTS test from
      https://android-review.googlesource.com/#/c/348671/3 and it passed
      The instructions for how to run mips emulators above worked, but
      the CTS tests did not seem to actually run.

Change-Id: Iddee5acdb19ed32c7bd4657573313ca439cf6a49
2017-03-13 18:26:50 +00:00
Paul Lawrence
dfe8434a62 Move seccomp policy to bionic
Test: Built and checked booted
Change-Id: Iaec1265fe5a55c4df90ab9e45b010ef36faf6bba
2017-02-27 12:42:39 -08:00
Paul Lawrence
98a53b7c74 Revert "Move seccomp policy to bionic"
This reverts commit 06a32206c5.

Reverting build-breaking change

Change-Id: Ib3698bca8f905033a9c7f22bc2fa9f7e7bf75873
2017-02-27 16:36:18 +00:00
Paul Lawrence
06a32206c5 Move seccomp policy to bionic
Test: Built and checked booted

Change-Id: If777eed75d5280c7a390399261e97125c04767b2
2017-02-24 12:52:19 -08:00
Paul Lawrence
7ea4090c65 Autogenerate single policy from syscalls and whitelist
Bug: 35392119
Bug: 34465958
Test: Check boots and same syscalls are blocked as before

Change-Id: I9efa97032c59aebbbfd32e6f0d2d491f6254f0a2
2017-02-23 10:46:56 -08:00
Paul Lawrence
be8a2af2aa Create seccomp policy without TRAP for further processing
Bug: 34946764
Test: Make sure boots, seccomp still blocks, and is faster
Change-Id: Ib4abf4307ae545ee69a3fb9328f62c760a1b40f7
2017-02-03 09:36:45 -08:00
Paul Lawrence
3d9fc696a5 Use trap not kill in seccomp filter
Bug: 34647665
Test: Make sure boots, check that causing a seccomp failure creates a
      crash dump

Change-Id: I5ab2fe3e8322a3c38318c97d343834baa874af8d
2017-01-24 11:07:04 -08:00
Paul Lawrence
eabc352651 Add seccomp support library
Policy library which exports an autogenerated policy from SYSCALLS.TXT
blocking any other calls.

Test: Generate policy, install onto Sailfish, check boots, Chrome runs,
calls are blocked.
Bug: 32313202

Change-Id: Ib590704e50122f077eeae26561eb9b0a70386551
2017-01-19 13:38:47 -08:00