Create global seccomp policy.

Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.

Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
observing modprobe fail, confirm regular seccomp unchanged by
comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
diff --git a/libc/seccomp/include/seccomp_policy.h b/libc/seccomp/include/seccomp_policy.h
index 397f8e4..e337dec 100644
--- a/libc/seccomp/include/seccomp_policy.h
+++ b/libc/seccomp/include/seccomp_policy.h
@@ -21,6 +21,7 @@
#include <linux/filter.h>
bool set_seccomp_filter();
+bool set_global_seccomp_filter();
void get_seccomp_filter(const sock_filter*& filter, size_t& filter_size);
#endif
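Review bot: The added declaration `bool set_global_seccomp_filter();` carries no comment, and nothing in the header tells a caller how it differs from `set_seccomp_filter()` on the line above. Suggest a short doc comment saying that it installs the global policy meant to be enabled optionally by init (as the commit message describes), and what a `false` return means, so that callers check the result instead of carrying on without a filter. Separately, `get_seccomp_filter()` still exposes a single filter; if the global policy is a distinct BPF program, consider whether it needs a matching accessor so it can be inspected the same way as the regular one.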