Create global seccomp policy.
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.
Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
observing modprobe fail, confirm regular seccomp unchanged by
comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index fe83af0..19ef299 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp
@@ -34,9 +34,13 @@
#define PRIMARY_ARCH AUDIT_ARCH_AARCH64
static const struct sock_filter* primary_filter = arm64_filter;
static const size_t primary_filter_size = arm64_filter_size;
+static const struct sock_filter* primary_global_filter = arm64_global_filter;
+static const size_t primary_global_filter_size = arm64_global_filter_size;
#define SECONDARY_ARCH AUDIT_ARCH_ARM
static const struct sock_filter* secondary_filter = arm_filter;
static const size_t secondary_filter_size = arm_filter_size;
+static const struct sock_filter* secondary_global_filter = arm_global_filter;
+static const size_t secondary_global_filter_size = arm_global_filter_size;
#elif defined __i386__ || defined __x86_64__
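Review bot: This hunk and the two that follow it (the x86_64/x86 and mips64/mips branches) each add the same pair of `static const` pointer/size globals, so every architecture branch now carries four parallel variables that must be kept in step by hand. A small aggregate such as `struct policy { const sock_filter* filter; size_t size; };` with `static const policy primary_global = {arm64_global_filter, arm64_global_filter_size};` per branch would let the selection code below pick one object instead of two variables. The `*_global_filter` and `*_global_filter_size` symbols are presumably declared in the generated policy header, which this diff does not show.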
@@ -44,9 +48,13 @@
#define PRIMARY_ARCH AUDIT_ARCH_X86_64
static const struct sock_filter* primary_filter = x86_64_filter;
static const size_t primary_filter_size = x86_64_filter_size;
+static const struct sock_filter* primary_global_filter = x86_64_global_filter;
+static const size_t primary_global_filter_size = x86_64_global_filter_size;
#define SECONDARY_ARCH AUDIT_ARCH_I386
static const struct sock_filter* secondary_filter = x86_filter;
static const size_t secondary_filter_size = x86_filter_size;
+static const struct sock_filter* secondary_global_filter = x86_global_filter;
+static const size_t secondary_global_filter_size = x86_global_filter_size;
#elif defined __mips__ || defined __mips64__
@@ -54,9 +62,13 @@
#define PRIMARY_ARCH AUDIT_ARCH_MIPSEL64
static const struct sock_filter* primary_filter = mips64_filter;
static const size_t primary_filter_size = mips64_filter_size;
+static const struct sock_filter* primary_global_filter = mips64_global_filter;
+static const size_t primary_global_filter_size = mips64_global_filter_size;
#define SECONDARY_ARCH AUDIT_ARCH_MIPSEL
static const struct sock_filter* secondary_filter = mips_filter;
static const size_t secondary_filter_size = mips_filter_size;
+static const struct sock_filter* secondary_global_filter = mips_global_filter;
+static const size_t secondary_global_filter_size = mips_global_filter_size;
#else
#error No architecture was defined!
@@ -119,9 +131,23 @@
return true;
}
-bool set_seccomp_filter() {
+bool _set_seccomp_filter(bool global) {
+ const sock_filter *p, *s;
+ size_t p_size, s_size;
filter f;
+ if (global) {
+ p = primary_global_filter;
+ p_size = primary_global_filter_size;
+ s = secondary_global_filter;
+ s_size = secondary_global_filter_size;
+ } else {
+ p = primary_filter;
+ p_size = primary_filter_size;
+ s = secondary_filter;
+ s_size = secondary_filter_size;
+ }
+
#ifdef DUAL_ARCH
// Note that for mixed 64/32 bit architectures, ValidateArchitecture inserts a
// jump that must be changed to point to the start of the 32-bit policy
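Review bot: `_set_seccomp_filter` on the `+bool _set_seccomp_filter(bool global)` line is a reserved identifier in C++ (any global-namespace name beginning with an underscore belongs to the implementation), and because it is not `static` it also becomes a new externally visible symbol of this library in addition to the two wrappers the diff adds later. Suggest `static bool set_seccomp_filter_internal(bool global) {` (or an anonymous namespace), which keeps the selection helper out of the exported surface. The four uninitialised declarations `const sock_filter *p, *s; size_t p_size, s_size;` plus the if/else could be replaced by initialised ones such as `const sock_filter* p = global ? primary_global_filter : primary_filter;`, so no variable is ever readable before assignment. The function's body continues past the end of this hunk.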
@@ -133,8 +159,8 @@
ExamineSyscall(f);
- for (size_t i = 0; i < primary_filter_size; ++i) {
- f.push_back(primary_filter[i]);
+ for (size_t i = 0; i < p_size; ++i) {
+ f.push_back(p[i]);
}
Disallow(f);
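Review bot: The rewritten loop `for (size_t i = 0; i < p_size; ++i) { f.push_back(p[i]); }`, and the matching secondary-arch loop in the next hunk, append the policy element by element; `f.insert(f.end(), p, p + p_size);` expresses the same copy in one line and is the idiomatic way to append a range to a std::vector. This assumes `filter` is a std::vector<sock_filter> or similar, which the existing `push_back` use suggests but the hunk does not show. The enclosing function starts and ends outside this hunk.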
@@ -145,8 +171,8 @@
ExamineSyscall(f);
- for (size_t i = 0; i < secondary_filter_size; ++i) {
- f.push_back(secondary_filter[i]);
+ for (size_t i = 0; i < s_size; ++i) {
+ f.push_back(s[i]);
}
Disallow(f);
#endif
@@ -154,6 +180,14 @@
return install_filter(f);
}
+bool set_seccomp_filter() {
+ return _set_seccomp_filter(false);
+}
+
+bool set_global_seccomp_filter() {
+ return _set_seccomp_filter(true);
+}
+
void get_seccomp_filter(const sock_filter*& filter, size_t& filter_size) {
#if defined __aarch64__ || defined __x86_64__ || defined __mips64__
filter = primary_filter;
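Review bot: `set_global_seccomp_filter` is a new public entry point with no comment saying how the global policy differs from the regular one or who is expected to call it, so at the API level the two are indistinguishable. Suggest a comment above the definition along the lines of `// Installs the global policy, which init may optionally apply to every process; set_seccomp_filter() keeps installing the existing per-process (zygote) policy.`, with the same text on the declaration in the header, which this diff does not include. Note also that `get_seccomp_filter` just below still hands out only `primary_filter`, so the installed global filter cannot be retrieved through it; whether the length comparison described in the Test: line needs that is not visible here.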