Create global seccomp policy.
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.
Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
observing modprobe fail, confirm regular seccomp unchanged by
comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
diff --git a/libc/seccomp/Android.bp b/libc/seccomp/Android.bp
index c341781..a75aa65 100644
--- a/libc/seccomp/Android.bp
+++ b/libc/seccomp/Android.bp
@@ -3,11 +3,17 @@
srcs: [
"seccomp_policy.cpp",
"arm_policy.cpp",
+ "arm_global_policy.cpp",
"arm64_policy.cpp",
+ "arm64_global_policy.cpp",
"x86_policy.cpp",
+ "x86_global_policy.cpp",
"x86_64_policy.cpp",
+ "x86_64_global_policy.cpp",
"mips_policy.cpp",
+ "mips_global_policy.cpp",
"mips64_policy.cpp",
+ "mips64_global_policy.cpp",
],
export_include_dirs: ["include"],
shared: {
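Review bot: The six `*_global_policy.cpp` entries added to `srcs` are interleaved with the existing per-architecture policy files, and nothing in Android.bp says which set is the zygote filter and which is the global one that init may enable. A one-line comment above the list would make that clear to the next person touching it, for example `// *_policy.cpp: zygote filter; *_global_policy.cpp: optional global filter enabled by init`. The visible part of the change also adds no test target, so the check described in the commit message (removing finit_module from the policy and observing modprobe fail) stays a manual step; consider covering it with an automated test in a follow-up.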