Allow several syscalls to app process
Several privileged syscalls are still needed before a zygote fork hands
over execution to the app.
Test: system starts, different apps run
Bug: 63944145
Bug: 76461821
Change-Id: I78da54dac509eb073bc2aa7b820a1f6b0c39a775
diff --git a/libc/SECCOMP_BLACKLIST_APP.TXT b/libc/SECCOMP_BLACKLIST_APP.TXT
index 25542d6..66e24cb 100644
--- a/libc/SECCOMP_BLACKLIST_APP.TXT
+++ b/libc/SECCOMP_BLACKLIST_APP.TXT
@@ -28,6 +28,9 @@
#
# This file is processed by a python script named genseccomp.py.
+# Note: Some privileged syscalls are still needed in app process after fork before uid change,
+# including capset and setresuid.
+
# syscalls to modify IDs
int setgid:setgid32(gid_t) arm,x86
int setgid:setgid(gid_t) arm64,mips,mips64,x86_64
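Review bot: The added comment says why capset and setresuid are needed, but not that dropping them from this list leaves them allowed for the whole lifetime of every app process, not only the window between fork and the uid change. An installed seccomp filter is never relaxed and only gets stricter if another filter is stacked later, which this change does not show. I would state that in the comment, for example `# capset and setresuid are therefore NOT blocked here; after the uid change only the kernel's credential and capability checks limit them.` The word "including" also leaves the list open-ended, so naming exactly the entries removed in the later hunks (setresuid/setresuid32 and capset) would keep the file auditable. It is also worth confirming that setresgid, which stays blocked in the second hunk, is deliberately treated differently from setresuid.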
@@ -35,8 +38,6 @@
int setuid:setuid(uid_t) arm64,mips,mips64,x86_64
int setreuid:setreuid32(uid_t, uid_t) arm,x86
int setreuid:setreuid(uid_t, uid_t) arm64,mips,mips64,x86_64
-int setresuid:setresuid32(uid_t, uid_t, uid_t) arm,x86
-int setresuid:setresuid(uid_t, uid_t, uid_t) arm64,mips,mips64,x86_64
int setresgid:setresgid32(gid_t, gid_t, gid_t) arm,x86
int setresgid:setresgid(gid_t, gid_t, gid_t) arm64,mips,mips64,x86_64
int setfsgid(gid_t) all
@@ -52,8 +53,6 @@
int acct(const char* filepath) all
int klogctl:syslog(int, char*, int) all
-
-int capset(cap_user_header_t header, const cap_user_data_t data) all
int chroot(const char*) all
# syscalls to change machine various configurations