From 634fb404d3e4a92c2ef669a3b14b234c7968cdfd Mon Sep 17 00:00:00 2001 From: Victor Hsieh Date: Tue, 27 Mar 2018 15:02:38 -0700 Subject: Fix seccomp filter set up in zygote This needs to land with extra syscalls whitelisted, including capset and setresuid. These privileged syscalls are used in the setup after the filter is initialized. Test: system starts, different apps run Bug: 63944145 Bug: 76461821 Change-Id: I49e6b292805f35baffb3530461c8741e75aceb32 Merged-In: I49e6b292805f35baffb3530461c8741e75aceb32 --- core/jni/com_android_internal_os_Zygote.cpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp index b5fd7929eeae..b2853c9f1c61 100644 --- a/core/jni/com_android_internal_os_Zygote.cpp +++ b/core/jni/com_android_internal_os_Zygote.cpp @@ -260,7 +260,7 @@ static void SetUpSeccompFilter(uid_t uid) { } // Apply system or app filter based on uid. - if (getuid() >= AID_APP_START) { + if (uid >= AID_APP_START) { set_app_seccomp_filter(); } else { set_system_seccomp_filter(); @@ -619,11 +619,6 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra fail_fn(CREATE_ERROR("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno))); } - // Must be called when the new process still has CAP_SYS_ADMIN. The other alternative is to - // call prctl(PR_SET_NO_NEW_PRIVS, 1) afterward, but that breaks SELinux domain transition (see - // b/71859146). - SetUpSeccompFilter(uid); - // Keep capabilities across UID change, unless we're staying root. if (uid != 0) { if (!EnableKeepCapabilities(&error_msg)) { @@ -699,6 +694,13 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra fail_fn(CREATE_ERROR("setresgid(%d) failed: %s", gid, strerror(errno))); } + // Must be called when the new process still has CAP_SYS_ADMIN, in this case, before changing + // uid from 0, which clears capabilities. The other alternative is to call + // prctl(PR_SET_NO_NEW_PRIVS, 1) afterward, but that breaks SELinux domain transition (see + // b/71859146). As the result, privileged syscalls used below still need to be accessible in + // app process. + SetUpSeccompFilter(uid); + rc = setresuid(uid, uid, uid); if (rc == -1) { fail_fn(CREATE_ERROR("setresuid(%d) failed: %s", uid, strerror(errno))); -- cgit v1.2.3-59-g8ed1b