From 551e5af0d476724f192f896e651d078aea6bf61a Mon Sep 17 00:00:00 2001
From: Victor Hsieh <victorhsieh@google.com>
Date: Wed, 10 Jan 2018 00:48:54 +0000
Subject: Revert "Move zygote's seccomp setup to post-fork"

This reverts commit a188dbc050b9fca41ed92928d68ed00c562de580.

Reason for revert: selinux denials, see b/71768585

Change-Id: Ic1b81e146b52b68445ba634de39657f199107da3
---
 core/java/android/os/Seccomp.java                     |  3 +--
 core/java/com/android/internal/os/Zygote.java         |  4 ----
 .../com/android/internal/os/ZygoteConnection.java     |  4 ----
 core/java/com/android/internal/os/ZygoteInit.java     |  3 +++
 core/jni/android_os_seccomp.cpp                       | 19 +++----------------
 5 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/core/java/android/os/Seccomp.java b/core/java/android/os/Seccomp.java
index 335e44b65711..f14e93fe9403 100644
--- a/core/java/android/os/Seccomp.java
+++ b/core/java/android/os/Seccomp.java
@@ -20,6 +20,5 @@ package android.os;
  * @hide
  */
 public final class Seccomp {
-    public static native void setSystemServerPolicy();
-    public static native void setAppPolicy();
+    public static final native void setPolicy();
 }
diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/android/internal/os/Zygote.java
index 3ebe921234b6..cbc63cf813cb 100644
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
@@ -17,7 +17,6 @@
 package com.android.internal.os;
 
 import android.os.IVold;
-import android.os.Seccomp;
 import android.os.Trace;
 import android.system.ErrnoException;
 import android.system.Os;
@@ -154,9 +153,6 @@ public final class Zygote {
      */
     public static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
             int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
-        // Set system server specific seccomp policy.
-        Seccomp.setSystemServerPolicy();
-
         VM_HOOKS.preFork();
         // Resets nice priority for zygote process.
         resetNicePriority();
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 24c4a8d8d438..6a87b1f4d3fd 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -30,7 +30,6 @@ import android.net.Credentials;
 import android.net.LocalSocket;
 import android.os.FactoryTest;
 import android.os.Process;
-import android.os.Seccomp;
 import android.os.SystemProperties;
 import android.os.Trace;
 import android.system.ErrnoException;
@@ -768,9 +767,6 @@ class ZygoteConnection {
             Process.setArgV0(parsedArgs.niceName);
         }
 
-        // Set app specific seccomp policy.
-        Seccomp.setAppPolicy();
-
         // End of the postFork event.
         Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
         if (parsedArgs.invokeWith != null) {
diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java
index 40168328c5bc..2be6212b9f1e 100644
--- a/core/java/com/android/internal/os/ZygoteInit.java
+++ b/core/java/com/android/internal/os/ZygoteInit.java
@@ -782,6 +782,9 @@ public class ZygoteInit {
             // Zygote process unmounts root storage spaces.
             Zygote.nativeUnmountStorageOnInit();
 
+            // Set seccomp policy
+            Seccomp.setPolicy();
+
             ZygoteHooks.stopZygoteNoThreadCreation();
 
             if (startSystemServer) {
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index b9006e4403cd..06e2a167de0a 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -21,33 +21,20 @@
 
 #include "seccomp_policy.h"
 
-static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
+static void Seccomp_setPolicy(JNIEnv* /*env*/) {
     if (security_getenforce() == 0) {
         ALOGI("seccomp disabled by setenforce 0");
         return;
     }
 
-    if (!set_system_seccomp_filter()) {
-        ALOGE("Failed to set seccomp policy - killing");
-        exit(1);
-    }
-}
-
-static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
-    if (security_getenforce() == 0) {
-        ALOGI("seccomp disabled by setenforce 0");
-        return;
-    }
-
-    if (!set_app_seccomp_filter()) {
+    if (!set_seccomp_filter()) {
         ALOGE("Failed to set seccomp policy - killing");
         exit(1);
     }
 }
 
 static const JNINativeMethod method_table[] = {
-    NATIVE_METHOD(Seccomp, setSystemServerPolicy, "()V"),
-    NATIVE_METHOD(Seccomp, setAppPolicy, "()V"),
+    NATIVE_METHOD(Seccomp, setPolicy, "()V"),
 };
 
 namespace android {
-- 
cgit v1.2.3-59-g8ed1b