From af1a9bfb8f4461ba9a28e4df62a55b054d1eebca Mon Sep 17 00:00:00 2001 From: Steve Muckle Date: Mon, 17 Jul 2017 15:14:02 -0700 Subject: [PATCH] init: add support for global seccomp boot option Setting androidboot.seccomp=global on the kernel command line shall enable seccomp for all processes rather than just in zygote. Doing this has a performance impact, for now it shall just be used to audit syscall usage during testing. Bug: 37960259 Change-Id: I6b9fc95e9bec5e2bcfe6ef0b4343a5b422e30152 --- init/Android.mk | 1 + init/init.cpp | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/init/Android.mk b/init/Android.mk index 325614e3a..667521e69 100644 --- a/init/Android.mk +++ b/init/Android.mk @@ -77,6 +77,7 @@ LOCAL_STATIC_LIBRARIES := \ libcutils \ libbase \ libc \ + libseccomp_policy \ libselinux \ liblog \ libcrypto_utils \ diff --git a/init/init.cpp b/init/init.cpp index b0b2e4941..b566cb3d2 100644 --- a/init/init.cpp +++ b/init/init.cpp @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -554,6 +555,15 @@ static int queue_property_triggers_action(const std::vector& args) return 0; } +static void global_seccomp() { + import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool in_qemu) { + if (key == "androidboot.seccomp" && value == "global" && !set_global_seccomp_filter()) { + LOG(ERROR) << "Failed to globally enable seccomp!"; + panic(); + } + }); +} + static void selinux_init_all_handles(void) { sehandle = selinux_android_file_context_handle(); @@ -1004,6 +1014,9 @@ int main(int argc, char** argv) { SetInitAvbVersionInRecovery(); + // Enable seccomp if global boot option was passed (otherwise it is enabled in zygote). + global_seccomp(); + // Set up SELinux, loading the SELinux policy. selinux_initialize(true);