Revert "Move seccomp policy to bionic"
This reverts commit 06a32206c5430321dd3fc02b70acbf99383786c1.
Reverting build-breaking change
Change-Id: Ib3698bca8f905033a9c7f22bc2fa9f7e7bf75873
diff --git a/libc/NOTICE b/libc/NOTICE
index 9f0d2c5..6882d0c 100644
--- a/libc/NOTICE
+++ b/libc/NOTICE
@@ -961,22 +961,6 @@
 -------------------------------------------------------------------
 
 Copyright (C) 2017 The Android Open Source Project
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
--------------------------------------------------------------------
-
-Copyright (C) 2017 The Android Open Source Project
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
diff --git a/libc/seccomp/Android.mk b/libc/seccomp/Android.mk
index fa02698..af1311c 100644
--- a/libc/seccomp/Android.mk
+++ b/libc/seccomp/Android.mk
@@ -5,9 +5,8 @@
 LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
 LOCAL_MODULE := libseccomp_policy
 LOCAL_CLANG := true
-LOCAL_SRC_FILES := seccomp_policy.cpp arm_policy.cpp arm64_policy.cpp
+LOCAL_SRC_FILES := arm_policy.c arm64_policy.c
 LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
-LOCAL_SHARED_LIBRARIES := libbase
 
 include $(BUILD_STATIC_LIBRARY)
 
diff --git a/libc/seccomp/arm64_policy.cpp b/libc/seccomp/arm64_policy.c
similarity index 97%
rename from libc/seccomp/arm64_policy.cpp
rename to libc/seccomp/arm64_policy.c
index 0bf85a3..fc7127f 100644
--- a/libc/seccomp/arm64_policy.cpp
+++ b/libc/seccomp/arm64_policy.c
@@ -3,8 +3,8 @@
 #include <linux/filter.h>
 #include <errno.h>
 
-#include "seccomp_bpfs.h"
-const sock_filter arm64_filter[] = {
+#include "seccomp_policy.h"
+const struct sock_filter arm64_filter[] = {
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 25),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 13, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 7, 0),
diff --git a/libc/seccomp/arm_policy.cpp b/libc/seccomp/arm_policy.c
similarity index 98%
rename from libc/seccomp/arm_policy.cpp
rename to libc/seccomp/arm_policy.c
index a4de612..f175d6a 100644
--- a/libc/seccomp/arm_policy.cpp
+++ b/libc/seccomp/arm_policy.c
@@ -3,8 +3,8 @@
 #include <linux/filter.h>
 #include <errno.h>
 
-#include "seccomp_bpfs.h"
-const sock_filter arm_filter[] = {
+#include "seccomp_policy.h"
+const struct sock_filter arm_filter[] = {
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 0, 0, 125),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 168, 63, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 31, 0),
diff --git a/libc/seccomp/seccomp_bpfs.h b/libc/seccomp/seccomp_bpfs.h
deleted file mode 100644
index db67041..0000000
--- a/libc/seccomp/seccomp_bpfs.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SECCOMP_BPFS_H
-#define SECCOMP_BPFS_H
-
-#include <stddef.h>
-#include <linux/seccomp.h>
-
-extern const struct sock_filter arm_filter[];
-extern const size_t arm_filter_size;
-extern const struct sock_filter arm64_filter[];
-extern const size_t arm64_filter_size;
-
-#endif
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
deleted file mode 100644
index 6432026..0000000
--- a/libc/seccomp/seccomp_policy.cpp
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <vector>
-
-#include <sys/prctl.h>
-
-#include <linux/unistd.h>
-#include <linux/audit.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
-
-#include <android-base/logging.h>
-
-#include "seccomp_policy.h"
-
-extern const struct sock_filter arm_filter[];
-extern const size_t arm_filter_size;
-extern const struct sock_filter arm64_filter[];
-extern const size_t arm64_filter_size;
-
-#define syscall_nr (offsetof(struct seccomp_data, nr))
-#define arch_nr (offsetof(struct seccomp_data, arch))
-
-typedef std::vector<sock_filter> filter;
-
-// We want to keep the below inline functions for debugging and future
-// development even though they are not all sed currently.
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wunused-function"
-
-static inline void Kill(filter& f) {
-    f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL));
-}
-
-static inline void Trap(filter& f) {
-    f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP));
-}
-
-static inline void Error(filter& f, __u16 retcode) {
-    f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO + retcode));
-}
-
-inline static void Trace(filter& f) {
-    f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE));
-}
-
-inline static void Allow(filter& f) {
-    f.push_back(BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW));
-}
-
-#pragma clang diagnostic pop
-
-inline static void ExamineSyscall(filter& f) {
-    f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_nr));
-}
-
-inline static int SetValidateArchitectureJumpTarget(size_t offset, filter& f) {
-    size_t jump_length = f.size() - offset - 1;
-    auto u8_jump_length = (__u8) jump_length;
-    if (u8_jump_length != jump_length) {
-        LOG(FATAL)
-            << "Can't set jump greater than 255 - actual jump is " <<  jump_length;
-        return -1;
-    }
-    f[offset] = BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, AUDIT_ARCH_ARM, u8_jump_length, 0);
-    return 0;
-}
-
-inline static size_t ValidateArchitectureAndJumpIfNeeded(filter& f) {
-    f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, arch_nr));
-
-    f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, AUDIT_ARCH_AARCH64, 2, 0));
-    f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, AUDIT_ARCH_ARM, 1, 0));
-    Trap(f);
-    return f.size() - 2;
-}
-
-static bool install_filter(filter const& f) {
-    struct sock_fprog prog = {
-        static_cast<unsigned short>(f.size()),
-        const_cast<struct sock_filter*>(&f[0]),
-    };
-
-    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
-        PLOG(FATAL) << "Could not set seccomp filter of size " << f.size();
-        return false;
-    }
-
-    LOG(INFO) << "Global filter of size " << f.size() << " installed";
-    return true;
-}
-
-bool set_seccomp_filter() {
-    filter f;
-
-    // Note that for mixed 64/32 bit architectures, ValidateArchitecture inserts a
-    // jump that must be changed to point to the start of the 32-bit policy
-    // 32 bit syscalls will not hit the policy between here and the call to SetJump
-    auto offset_to_32bit_filter = ValidateArchitectureAndJumpIfNeeded(f);
-
-    // 64-bit filter
-    ExamineSyscall(f);
-
-    // arm64-only filter - autogenerated from bionic syscall usage
-    for (size_t i = 0; i < arm64_filter_size; ++i) {
-        f.push_back(arm64_filter[i]);
-    }
-    Trap(f);
-
-    if (SetValidateArchitectureJumpTarget(offset_to_32bit_filter, f) != 0) {
-        return -1;
-    }
-
-    // 32-bit filter
-    ExamineSyscall(f);
-
-    // arm32 filter - autogenerated from bionic syscall usage
-    for (size_t i = 0; i < arm_filter_size; ++i) {
-        f.push_back(arm_filter[i]);
-    }
-    Trap(f);
-
-    return install_filter(f);
-}
diff --git a/libc/seccomp/seccomp_policy.h b/libc/seccomp/seccomp_policy.h
index 33b5d0e..e0282bd 100644
--- a/libc/seccomp/seccomp_policy.h
+++ b/libc/seccomp/seccomp_policy.h
@@ -17,6 +17,12 @@
 #ifndef SECCOMP_POLICY_H
 #define SECCOMP_POLICY_H
 
-bool set_seccomp_filter();
+#include <stddef.h>
+#include <linux/seccomp.h>
+
+extern const struct sock_filter arm_filter[];
+extern const size_t arm_filter_size;
+extern const struct sock_filter arm64_filter[];
+extern const size_t arm64_filter_size;
 
 #endif
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
index 3796683..7d2b1da 100755
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py
@@ -149,8 +149,8 @@
     #include <linux/filter.h>
     #include <errno.h>
 
-    #include "seccomp_bpfs.h"
-    const sock_filter {architecture}_filter[] = {{
+    #include "seccomp_policy.h"
+    const struct sock_filter {architecture}_filter[] = {{
     """).format(architecture=architecture)
 
   footer = textwrap.dedent("""\
@@ -196,7 +196,7 @@
 
     # And output policy
     existing = ""
-    output_path = "seccomp/{}_policy.cpp".format(arch)
+    output_path = "seccomp/{}_policy.c".format(arch)
     if os.path.isfile(output_path):
       existing = open(output_path).read()
     if output == existing:
diff --git a/libc/tools/test_genseccomp.py b/libc/tools/test_genseccomp.py
index 5b2f14f..de1e5fe 100755
--- a/libc/tools/test_genseccomp.py
+++ b/libc/tools/test_genseccomp.py
@@ -107,8 +107,8 @@
     #include <linux/filter.h>
     #include <errno.h>
 
-    #include "seccomp_bpfs.h"
-    const sock_filter arm_filter[] = {
+    #include "seccomp_policy.h"
+    const struct sock_filter arm_filter[] = {
     line1
     line2
     };
@@ -136,8 +136,8 @@
     #include <linux/filter.h>
     #include <errno.h>
 
-    #include "seccomp_bpfs.h"
-    const sock_filter arm_filter[] = {
+    #include "seccomp_policy.h"
+    const struct sock_filter arm_filter[] = {
     BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 0, 3),
     BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 1, 0),
     BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 4, 2, 1), //read