commit 4f02dd5755c7ce1c7948f2d00d9e50995fff42c5
author Victor Hsieh <victorhsieh@google.com> Wed Dec 20 09:19:22 2017 -0800
committer Victor Hsieh <victorhsieh@google.com> Thu Jan 04 12:28:40 2018 -0800
tree cf33552f160a67cfc96eaf4a997a4b437aae536e
parent 558a4f59237245916d93075eb60ed7d16cf55c42

Split zygote's seccomp filter into two

To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps.  Note that
there is current no change between them.

Zygote will apply these filters appropriately to system server and apps.

Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.

Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.

Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145

Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23

libc/seccomp/seccomp_policy.cpp

diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index 19ef299..99a821f 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp
@@ -32,13 +32,17 @@
 
 #define DUAL_ARCH
 #define PRIMARY_ARCH AUDIT_ARCH_AARCH64
-static const struct sock_filter* primary_filter = arm64_filter;
-static const size_t primary_filter_size = arm64_filter_size;
+static const struct sock_filter* primary_app_filter = arm64_app_filter;
+static const size_t primary_app_filter_size = arm64_app_filter_size;
+static const struct sock_filter* primary_system_filter = arm64_system_filter;
+static const size_t primary_system_filter_size = arm64_system_filter_size;
 static const struct sock_filter* primary_global_filter = arm64_global_filter;
 static const size_t primary_global_filter_size = arm64_global_filter_size;
 #define SECONDARY_ARCH AUDIT_ARCH_ARM
-static const struct sock_filter* secondary_filter = arm_filter;
-static const size_t secondary_filter_size = arm_filter_size;
+static const struct sock_filter* secondary_app_filter = arm_app_filter;
+static const size_t secondary_app_filter_size = arm_app_filter_size;
+static const struct sock_filter* secondary_system_filter = arm_system_filter;
+static const size_t secondary_system_filter_size = arm_system_filter_size;
 static const struct sock_filter* secondary_global_filter = arm_global_filter;
 static const size_t secondary_global_filter_size = arm_global_filter_size;
 
@@ -46,13 +50,17 @@
 
 #define DUAL_ARCH
 #define PRIMARY_ARCH AUDIT_ARCH_X86_64
-static const struct sock_filter* primary_filter = x86_64_filter;
-static const size_t primary_filter_size = x86_64_filter_size;
+static const struct sock_filter* primary_app_filter = x86_64_app_filter;
+static const size_t primary_app_filter_size = x86_64_app_filter_size;
+static const struct sock_filter* primary_system_filter = x86_64_system_filter;
+static const size_t primary_system_filter_size = x86_64_system_filter_size;
 static const struct sock_filter* primary_global_filter = x86_64_global_filter;
 static const size_t primary_global_filter_size = x86_64_global_filter_size;
 #define SECONDARY_ARCH AUDIT_ARCH_I386
-static const struct sock_filter* secondary_filter = x86_filter;
-static const size_t secondary_filter_size = x86_filter_size;
+static const struct sock_filter* secondary_app_filter = x86_app_filter;
+static const size_t secondary_app_filter_size = x86_app_filter_size;
+static const struct sock_filter* secondary_system_filter = x86_system_filter;
+static const size_t secondary_system_filter_size = x86_system_filter_size;
 static const struct sock_filter* secondary_global_filter = x86_global_filter;
 static const size_t secondary_global_filter_size = x86_global_filter_size;
 
@@ -60,13 +68,17 @@
 
 #define DUAL_ARCH
 #define PRIMARY_ARCH AUDIT_ARCH_MIPSEL64
-static const struct sock_filter* primary_filter = mips64_filter;
-static const size_t primary_filter_size = mips64_filter_size;
+static const struct sock_filter* primary_app_filter = mips64_app_filter;
+static const size_t primary_app_filter_size = mips64_app_filter_size;
+static const struct sock_filter* primary_system_filter = mips64_system_filter;
+static const size_t primary_system_filter_size = mips64_system_filter_size;
 static const struct sock_filter* primary_global_filter = mips64_global_filter;
 static const size_t primary_global_filter_size = mips64_global_filter_size;
 #define SECONDARY_ARCH AUDIT_ARCH_MIPSEL
-static const struct sock_filter* secondary_filter = mips_filter;
-static const size_t secondary_filter_size = mips_filter_size;
+static const struct sock_filter* secondary_app_filter = mips_app_filter;
+static const size_t secondary_app_filter_size = mips_app_filter_size;
+static const struct sock_filter* secondary_system_filter = mips_system_filter;
+static const size_t secondary_system_filter_size = mips_system_filter_size;
 static const struct sock_filter* secondary_global_filter = mips_global_filter;
 static const size_t secondary_global_filter_size = mips_global_filter_size;
 
@@ -122,30 +134,48 @@
         const_cast<struct sock_filter*>(&f[0]),
     };
 
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
+        PLOG(FATAL) << "Could not set to no new privs";
+        return false;
+    }
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
         PLOG(FATAL) << "Could not set seccomp filter of size " << f.size();
         return false;
     }
-
-    LOG(INFO) << "Global filter of size " << f.size() << " installed";
     return true;
 }
 
-bool _set_seccomp_filter(bool global) {
+enum FilterType {
+  APP,
+  SYSTEM,
+  GLOBAL
+};
+
+bool _set_seccomp_filter(FilterType type) {
     const sock_filter *p, *s;
     size_t p_size, s_size;
     filter f;
 
-    if (global) {
+    switch (type) {
+      case APP:
+        p = primary_app_filter;
+        p_size = primary_app_filter_size;
+        s = secondary_app_filter;
+        s_size = secondary_app_filter_size;
+        break;
+      case SYSTEM:
+        p = primary_system_filter;
+        p_size = primary_system_filter_size;
+        s = secondary_system_filter;
+        s_size = secondary_system_filter_size;
+        break;
+      case GLOBAL:
         p = primary_global_filter;
         p_size = primary_global_filter_size;
         s = secondary_global_filter;
         s_size = secondary_global_filter_size;
-    } else {
-        p = primary_filter;
-        p_size = primary_filter_size;
-        s = secondary_filter;
-        s_size = secondary_filter_size;
+        break;
+
     }
 
 #ifdef DUAL_ARCH
@@ -181,19 +211,17 @@
 }
 
 bool set_seccomp_filter() {
-    return _set_seccomp_filter(false);
+    return _set_seccomp_filter(FilterType::APP);
+}
+
+bool set_app_seccomp_filter() {
+    return _set_seccomp_filter(FilterType::APP);
+}
+
+bool set_system_seccomp_filter() {
+    return _set_seccomp_filter(FilterType::SYSTEM);
 }
 
 bool set_global_seccomp_filter() {
-    return _set_seccomp_filter(true);
-}
-
-void get_seccomp_filter(const sock_filter*& filter, size_t& filter_size) {
-#if defined __aarch64__ || defined __x86_64__ || defined __mips64__
-    filter = primary_filter;
-    filter_size = primary_filter_size;
-#else
-    filter = secondary_filter;
-    filter_size = secondary_filter_size;
-#endif
+    return _set_seccomp_filter(FilterType::GLOBAL);
 }