tequilaOS/platform_bionic
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_bionic/libc/SECCOMP_WHITELIST_APP.TXT
Robert Sesek 74cdb253ba Move pipe, open, and getdents from the APP to COMMON seccomp whitelist. 
These system calls are required by Breakpad for crash reporting.
WebViews are spawned from the webview_zygote, which itself is spawned
from the app_process zygote. The webview_zygote gets the SYSTEM seccomp
policy applied because it is not an app, and so the WebView sandboxed
processes inherit that policy.

In Ifd8a85b0de2eb6f2a76a6458570fc03b020a90ab, these system calls were
moved from COMMON to APP, which breaks Breakpad/crash reporting for
WebView sandboxed processes.

Bug: 112572914
Test: `am start com.android.settings/.SettingsLicenseActivity`
Test: Get the pid of the sandboxed_process0 for the license viewer.
Test: Send the process SIGABRT and check logcat for "google-breakpad"
      error messages.

Change-Id: I1cf56ae85b1a67ec91e979bc7e0f941726a9cc0e
2018-09-11 19:20:34 -04:00

73 lines
2.7 KiB
Text
Raw Blame History

# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes.
#
# Each non-blank, non-comment line has the following format:
#
# return_type func_name[|alias_list][:syscall_name[:socketcall_id]]([parameter_list]) arch_list
#
# where:
# arch_list ::= "all" | arch+
# arch ::= "arm" | "arm64" | "mips" | "mips64" | "x86" | "x86_64"
#
# Note:
# - syscall_name corresponds to the name of the syscall, which may differ from
# the exported function name (example: the exit syscall is implemented by the _exit()
# function, which is not the same as the standard C exit() function which calls it)
# - alias_list is optional comma separated list of function aliases
#
# - The call_id parameter, given that func_name and syscall_name have
# been provided, allows the user to specify dispatch style syscalls.
# For example, socket() syscall on i386 actually becomes:
# socketcall(__NR_socket, 1, *(rest of args on stack)).
#
# - Each parameter type is assumed to be stored in 32 bits.
#
# This file is processed by a python script named genseccomp.py.
# b/34651972
int access:access(const char *pathname, int mode) arm,x86,mips
int stat64:stat64(const char*, struct stat64*) arm,x86,mips
# b/34719286
int eventfd:eventfd(unsigned int initval, int flags) arm,x86,mips
# b/34817266
int epoll_wait:epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout) arm,x86,mips
# b/34908783
int epoll_create:epoll_create(int size) arm,x86,mips
# b/34979910
int creat:creat(const char *pathname, mode_t mode) arm,x86,mips
int unlink:unlink(const char *pathname) arm,x86,mips
# b/35059702
int lstat64:lstat64(const char*, struct stat64*) arm,x86,mips
# b/35217603
int fcntl:fcntl(int fd, int cmd, ... /* arg */ ) arm,x86,mips
pid_t fork:fork() arm,x86,mips
int poll:poll(struct pollfd *fds, nfds_t nfds, int timeout) arm,x86,mips
# b/35906875. Note mips already has getuid from SYSCALLS.TXT
int inotify_init() arm,x86,mips
uid_t getuid() arm,x86
# b/36435222
int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags) arm,x86,mips
# b/36449658
int rename(const char *oldpath, const char *newpath) arm,x86,mips
# b/36726183. Note arm does not support mmap
void* mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset) x86,mips
# b/37769298
int dup2(int oldfd, int newfd) arm,x86,mips
# b/62779795
int compat_select:_newselect(int n, unsigned long* inp, unsigned long* outp, unsigned long* exp, struct timeval* timeout) arm,x86,mips
# b/62090571
int mkdir(const char *pathname, mode_t mode) arm,x86,mips
Reference in a new issue View git blame Copy permalink