Add seccomp blacklist, and exclude swap functions
Bug: 37253880
Test: Make sure device boots
Run pylint on genseccomp.py, test_genseccomp.py
Run test_genseccomp.py
Run new CTS test
cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d
diff --git a/libc/SECCOMP_BLACKLIST.TXT b/libc/SECCOMP_BLACKLIST.TXT
new file mode 100644
index 0000000..2834515
--- /dev/null
+++ b/libc/SECCOMP_BLACKLIST.TXT
@@ -0,0 +1,32 @@
+# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
+# Note that the resultant policy is applied only to zygote spawned processes.
+#
+# The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT
+# Any entry in the blacklist must be in the syscalls file and not be in the whitelist file
+#
+# Each non-blank, non-comment line has the following format:
+#
+# return_type func_name[|alias_list][:syscall_name[:socketcall_id]]([parameter_list]) arch_list
+#
+# where:
+# arch_list ::= "all" | arch+
+# arch ::= "arm" | "arm64" | "mips" | "mips64" | "x86" | "x86_64"
+#
+# Note:
+# - syscall_name corresponds to the name of the syscall, which may differ from
+# the exported function name (example: the exit syscall is implemented by the _exit()
+# function, which is not the same as the standard C exit() function which calls it)
+
+# - alias_list is optional comma separated list of function aliases
+#
+# - The call_id parameter, given that func_name and syscall_name have
+# been provided, allows the user to specify dispatch style syscalls.
+# For example, socket() syscall on i386 actually becomes:
+# socketcall(__NR_socket, 1, *(rest of args on stack)).
+#
+# - Each parameter type is assumed to be stored in 32 bits.
+#
+# This file is processed by a python script named gensyscalls.py.
+
+int swapon(const char*, int) all
+int swapoff(const char*) all