| author | 2017-03-03 13:04:35 -0800 | |
|---|---|---|
| committer | 2017-03-03 13:08:08 -0800 | |
| commit | ffad2adfa5488f43a798a30a7fdb14426f495e59 (patch) | |
| tree | a52b744281703447c21ee8f1f5be754eacb6d447 | |
| parent | 6ac19c0d23a106991e145e4530c7d08d68bfa2d3 (diff) | |
Make seccomp honor setenforce
Note: This code is in frameworks, since we might want to have tools
linked against seccomp_policy that continue to enforce seccomp
Bug: 35950093
Test: Builds, Seccomp: 2 is in zygote & zygote64 status
Run setenforce 0 && stop && start
Seccomp: 0 is in zygote & zygote64 status
Change-Id: I797a6c29f58725f84089c570f784125fb99f57ce
| -rw-r--r-- | core/jni/Android.mk | 2 | ||||
| -rw-r--r-- | core/jni/android_os_seccomp.cpp | 7 |
2 files changed, 9 insertions, 0 deletions
diff --git a/core/jni/Android.mk b/core/jni/Android.mk
index a9ca12b26d0b..69867323a0be 100644
--- a/core/jni/Android.mk
+++ b/core/jni/Android.mk
@@ -218,6 +218,8 @@ LOCAL_C_INCLUDES += \
 LOCAL_STATIC_LIBRARIES := \
 libseccomp_policy \
+ libselinux \
+ libcrypto \
 LOCAL_SHARED_LIBRARIES := \
 libmemtrack \
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index dd5622d80e45..45023713ea85 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -17,9 +17,16 @@
 #include "core_jni_helpers.h"
 #include "JniConstants.h"
 #include "utils/Log.h"
+#include <selinux/selinux.h>
+
 #include "seccomp_policy.h"
 static void Seccomp_setPolicy(JNIEnv* /*env*/) {
+ if (security_getenforce() == 0) {
+ ALOGI("seccomp disabled by setenforce 0");
+ return;
+ }
+
 if (!set_seccomp_filter()) {
 ALOGE("Failed to set seccomp policy - killing");
 exit(1); |
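Review bot: The new early return in Seccomp_setPolicy skips the filter whenever `security_getenforce()` returns 0, so a permissive device gets a process with no seccomp policy at all, and the only trace is an info-level log line. The value is sampled once when this function runs, so a later `setenforce 1` presumably leaves already-started processes unfiltered until the stop/start cycle described in the commit message. I would raise the log to `ALOGW("seccomp disabled by setenforce 0");` and add a comment above the check such as `// Sampled once at startup; an error return (-1) falls through and the filter is still installed.` so the fail-closed behaviour on error reads as deliberate. If permissive mode can be reached on non-development builds, it may also be worth gating the bypass on a debuggable-build check. The function body continues past the end of the hunk.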