From 0490912184edf93d4544e2f1f27a1a52fe5b3192 Mon Sep 17 00:00:00 2001
From: Paul Lawrence
Date: Mon, 13 Feb 2017 14:27:54 -0800
Subject: Use bionic's autogenerated whitelist policy
Bug: 35392119
Test: Check boots, same syscalls blocked as before
Change-Id: I4f9276938663f5b82c82eeea45de317b96b2de84
---
 core/jni/android_os_seccomp.cpp | 91 -----------------------------------------
 1 file changed, 91 deletions(-)
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index 45d50615f232..f1bc76e8f530 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -65,11 +65,6 @@ inline static void Allow(filter& f) {
 #pragma clang diagnostic pop
-inline static void AllowSyscall(filter& f, __u32 num) {
- f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, num, 0, 1));
- Allow(f);
-}
-
 inline static void ExamineSyscall(filter& f) {
 f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_nr));
 }
@@ -125,34 +120,6 @@ bool set_seccomp_filter() {
 // arm64-only filter - autogenerated from bionic syscall usage
 for (size_t i = 0; i < arm64_filter_size; ++i)
 f.push_back(arm64_filter[i]);
-
- // Syscalls needed to boot Android
- AllowSyscall(f, 41); // __NR_pivot_root
- AllowSyscall(f, 31); // __NR_ioprio_get
- AllowSyscall(f, 30); // __NR_ioprio_set
- AllowSyscall(f, 178); // __NR_gettid
- AllowSyscall(f, 98); // __NR_futex
- AllowSyscall(f, 220); // __NR_clone
- AllowSyscall(f, 139); // __NR_rt_sigreturn
- AllowSyscall(f, 240); // __NR_rt_tgsigqueueinfo
- AllowSyscall(f, 128); // __NR_restart_syscall
- AllowSyscall(f, 278); // __NR_getrandom
-
- // Needed for performance tools
- AllowSyscall(f, 241); // __NR_perf_event_open
-
- // Needed for strace
- AllowSyscall(f, 130); // __NR_tkill
-
- // Needed for kernel to restart syscalls
- AllowSyscall(f, 128); // __NR_restart_syscall
-
- // b/35034743
- AllowSyscall(f, 267); // __NR_syncfs
-
- // b/34763393
- AllowSyscall(f, 277); // __NR_seccomp
-
 Trap(f);
 if (SetValidateArchitectureJumpTarget(offset_to_32bit_filter, f) != 0)
@@ -164,64 +131,6 @@ bool set_seccomp_filter() {
 // arm32 filter - autogenerated from bionic syscall usage
 for (size_t i = 0; i < arm_filter_size; ++i)
 f.push_back(arm_filter[i]);
-
- // Syscalls needed to boot android
- AllowSyscall(f, 120); // __NR_clone
- AllowSyscall(f, 240); // __NR_futex
- AllowSyscall(f, 119); // __NR_sigreturn
- AllowSyscall(f, 173); // __NR_rt_sigreturn
- AllowSyscall(f, 363); // __NR_rt_tgsigqueueinfo
- AllowSyscall(f, 224); // __NR_gettid
-
- // Syscalls needed to run Chrome
- AllowSyscall(f, 383); // __NR_seccomp - needed to start Chrome
- AllowSyscall(f, 384); // __NR_getrandom - needed to start Chrome
-
- // Syscalls needed to run GFXBenchmark
- AllowSyscall(f, 190); // __NR_vfork
-
- // Needed for strace
- AllowSyscall(f, 238); // __NR_tkill
-
- // Needed for kernel to restart syscalls
- AllowSyscall(f, 0); // __NR_restart_syscall
-
- // Needed for debugging 32-bit Chrome
- AllowSyscall(f, 42); // __NR_pipe
-
- // b/34732712
- AllowSyscall(f, 364); // __NR_perf_event_open
-
- // b/34651972
- AllowSyscall(f, 33); // __NR_access
- AllowSyscall(f, 195); // __NR_stat64
-
- // b/34813887
- AllowSyscall(f, 5); // __NR_open
- AllowSyscall(f, 141); // __NR_getdents
- AllowSyscall(f, 217); // __NR_getdents64
-
- // b/34719286
- AllowSyscall(f, 351); // __NR_eventfd
-
- // b/34817266
- AllowSyscall(f, 252); // __NR_epoll_wait
-
- // Needed by sanitizers (b/34606909)
- // 5 (__NR_open) and 195 (__NR_stat64) are also required, but they are
- // already allowed.
- AllowSyscall(f, 85); // __NR_readlink
-
- // b/34908783
- AllowSyscall(f, 250); // __NR_epoll_create
-
- // b/34979910
- AllowSyscall(f, 8); // __NR_creat
- AllowSyscall(f, 10); // __NR_unlink
-
- // b/35059702
- AllowSyscall(f, 196); // __NR_lstat64
-
 Trap(f);
 return install_filter(f);
-- 
cgit v1.2.3-59-g8ed1b