-rw-r--r--core/java/android/os/Seccomp.java3
-rw-r--r--core/java/com/android/internal/os/Zygote.java4
-rw-r--r--core/java/com/android/internal/os/ZygoteConnection.java4
-rw-r--r--core/java/com/android/internal/os/ZygoteInit.java3
-rw-r--r--core/jni/android_os_seccomp.cpp19
5 files changed, 26 insertions, 7 deletions
diff --git a/core/java/android/os/Seccomp.java b/core/java/android/os/Seccomp.java
index f14e93fe9403..335e44b65711 100644
--- a/core/java/android/os/Seccomp.java
+++ b/core/java/android/os/Seccomp.java
@@ -20,5 +20,6 @@ package android.os;
* @hide
*/
public final class Seccomp {
- public static final native void setPolicy();
+ public static native void setSystemServerPolicy();
+ public static native void setAppPolicy();
}
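Review bot: The two new natives `setSystemServerPolicy()` and `setAppPolicy()` have no Javadoc, although their contract is not obvious from the names. Going by the JNI side of this commit, each one is a no-op when SELinux is not enforcing and terminates the calling process if the filter cannot be installed. A one-line Javadoc on each would record that, e.g. `/** Installs the app seccomp filter on the calling process; no-op when SELinux is permissive, exits the process on failure. */`. It is also worth stating that an installed filter cannot be removed and is inherited by children, because that decides where callers may invoke these.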
diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/android/internal/os/Zygote.java
index 3ee8b472869b..ebebad2950ce 100644
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
@@ -17,6 +17,7 @@
package com.android.internal.os;
+import android.os.Seccomp;
import android.os.Trace;
import dalvik.system.ZygoteHooks;
import android.system.ErrnoException;
@@ -155,6 +156,9 @@ public final class Zygote {
*/
public static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
+ // Set system server specific seccomp policy.
+ Seccomp.setSystemServerPolicy();
+
VM_HOOKS.preFork();
// Resets nice priority for zygote process.
resetNicePriority();
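Review bot: `Seccomp.setSystemServerPolicy()` is called before `VM_HOOKS.preFork()`, so as far as this hunk shows it runs in the zygote itself rather than in the forked system_server child. Seccomp filters are inherited across fork and cannot be removed, so every app forked afterwards would carry the system_server filter with the app filter stacked on top, and only syscalls allowed by both would be permitted. If that is intended, say so at the call, e.g. `// Installed pre-fork on purpose: apps inherit this filter, so the app policy must be a subset of it.`; otherwise the call belongs on the child side of the fork. The rest of forkSystemServer, including the fork call, is outside the hunk.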
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 6a87b1f4d3fd..24c4a8d8d438 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -30,6 +30,7 @@ import android.net.Credentials;
import android.net.LocalSocket;
import android.os.FactoryTest;
import android.os.Process;
+import android.os.Seccomp;
import android.os.SystemProperties;
import android.os.Trace;
import android.system.ErrnoException;
@@ -767,6 +768,9 @@ class ZygoteConnection {
Process.setArgV0(parsedArgs.niceName);
}
+ // Set app specific seccomp policy.
+ Seccomp.setAppPolicy();
+
// End of the postFork event.
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
if (parsedArgs.invokeWith != null) {
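Review bot: `Seccomp.setAppPolicy()` sits above the `parsedArgs.invokeWith != null` branch, so a wrapped launch would also run under the app filter, since seccomp filters persist across exec. Whether the wrapper command works under the app policy is not visible here; a comment such as `// Applies to invokeWith wrappers too: the filter survives exec.` would record the intent. The enclosing method starts and ends outside the hunk.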
diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java
index 2be6212b9f1e..40168328c5bc 100644
--- a/core/java/com/android/internal/os/ZygoteInit.java
+++ b/core/java/com/android/internal/os/ZygoteInit.java
@@ -782,9 +782,6 @@ public class ZygoteInit {
// Zygote process unmounts root storage spaces.
Zygote.nativeUnmountStorageOnInit();
- // Set seccomp policy
- Seccomp.setPolicy();
-
ZygoteHooks.stopZygoteNoThreadCreation();
if (startSystemServer) {
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index 06e2a167de0a..b9006e4403cd 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -21,20 +21,33 @@
#include "seccomp_policy.h"
-static void Seccomp_setPolicy(JNIEnv* /*env*/) {
+static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
if (security_getenforce() == 0) {
ALOGI("seccomp disabled by setenforce 0");
return;
}
- if (!set_seccomp_filter()) {
+ if (!set_system_seccomp_filter()) {
+ ALOGE("Failed to set seccomp policy - killing");
+ exit(1);
+ }
+}
+
+static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
+ if (security_getenforce() == 0) {
+ ALOGI("seccomp disabled by setenforce 0");
+ return;
+ }
+
+ if (!set_app_seccomp_filter()) {
ALOGE("Failed to set seccomp policy - killing");
exit(1);
}
}
static const JNINativeMethod method_table[] = {
- NATIVE_METHOD(Seccomp, setPolicy, "()V"),
+ NATIVE_METHOD(Seccomp, setSystemServerPolicy, "()V"),
+ NATIVE_METHOD(Seccomp, setAppPolicy, "()V"),
};
namespace android {
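Review bot: `Seccomp_setSystemServerPolicy` and `Seccomp_setAppPolicy` are copies of each other apart from the filter function they call, so the enforcing-mode check and the failure path can drift apart between the two policies. A shared static helper that takes the installer would keep that logic in one place. The log lines are also identical in both, so a logcat reader cannot tell which policy was skipped or failed; passing a label fixes that. The sketch below assumes both `set_*_seccomp_filter` functions return `bool`, which the hunk suggests but `seccomp_policy.h` is not shown.

```cpp
// One place for the enforce check and the fail-closed path, shared by both policies.
static void install_filter_or_die(bool (*install)(), const char* which) {
    if (security_getenforce() == 0) {
        ALOGI("seccomp (%s) disabled by setenforce 0", which);
        return;
    }

    if (!install()) {
        ALOGE("Failed to set %s seccomp policy - killing", which);
        exit(1);
    }
}

static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
    install_filter_or_die(set_system_seccomp_filter, "system_server");
}

static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
    install_filter_or_die(set_app_seccomp_filter, "app");
}
// … unchanged: method_table …
```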