Add seccomp support library

Policy library which exports an autogenerated policy from SYSCALLS.TXT
blocking any other calls.

Test: Generate policy, install onto Sailfish, check boots, Chrome runs,
calls are blocked.
Bug: 32313202

Change-Id: Ib590704e50122f077eeae26561eb9b0a70386551
diff --git a/libc/seccomp/Android.mk b/libc/seccomp/Android.mk
new file mode 100644
index 0000000..af1311c
--- /dev/null
+++ b/libc/seccomp/Android.mk
@@ -0,0 +1,12 @@
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
+LOCAL_MODULE := libseccomp_policy
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := arm_policy.c arm64_policy.c
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
+
+include $(BUILD_STATIC_LIBRARY)
+
diff --git a/libc/seccomp/arm64_policy.c b/libc/seccomp/arm64_policy.c
new file mode 100644
index 0000000..d5a87d6
--- /dev/null
+++ b/libc/seccomp/arm64_policy.c
@@ -0,0 +1,48 @@
+// Autogenerated file - edit at your peril!!
+
+#include <linux/filter.h>
+#include <errno.h>
+
+#include "seccomp_policy.h"
+const struct sock_filter arm64_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 0, 35),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 140, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 101, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 32, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 18, 29, 30), //setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr|getcwd
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 30, 28, 29), //eventfd2|epoll_create1|epoll_ctl|epoll_pwait|dup|dup3|fcntl|inotify_init1|inotify_add_watch|inotify_rm_watch|ioctl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 27, 28), //flock|mknodat|mkdirat|unlinkat|symlinkat|linkat|renameat|umount2|mount
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 59, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 25, 26), //statfs|fstatfs|truncate|ftruncate|fallocate|faccessat|chdir|fchdir|chroot|fchmod|fchmodat|fchownat|fchown|openat|close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 24, 25), //pipe2|quotactl|getdents64|lseek|read|write|readv|writev|pread64|pwrite64|preadv|pwritev|sendfile|pselect6|ppoll|signalfd4|vmsplice|splice|tee|readlinkat|newfstatat|fstat|sync|fsync|fdatasync|sync_file_range|timerfd_create|timerfd_settime|timerfd_gettime|utimensat|acct|capget|capset|personality|exit|exit_group|waitid|set_tid_address|unshare
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 129, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 105, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 104, 21, 22), //nanosleep|getitimer|setitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 128, 20, 21), //init_module|delete_module|timer_create|timer_gettime|timer_getoverrun|timer_settime|timer_delete|clock_settime|clock_gettime|clock_getres|clock_nanosleep|syslog|ptrace|sched_setparam|sched_setscheduler|sched_getscheduler|sched_getparam|sched_setaffinity|sched_getaffinity|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 130, 18, 19), //kill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 139, 17, 18), //tgkill|sigaltstack|rt_sigsuspend|rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 242, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 203, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 179, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 178, 12, 13), //setpriority|getpriority|reboot|setregid|setgid|setreuid|setuid|setresuid|getresuid|setresgid|getresgid|setfsuid|setfsgid|times|setpgid|getpgid|getsid|setsid|getgroups|setgroups|uname|sethostname|setdomainname|getrlimit|setrlimit|getrusage|umask|prctl|getcpu|gettimeofday|settimeofday|adjtimex|getpid|getppid|getuid|geteuid|getgid|getegid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 180, 11, 12), //sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 202, 10, 11), //socket|socketpair|bind|listen
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 221, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 8, 9), //connect|getsockname|getpeername|sendto|recvfrom|setsockopt|getsockopt|shutdown|sendmsg|recvmsg|readahead|brk|munmap|mremap
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 234, 7, 8), //execve|mmap|fadvise64|swapon|swapoff|mprotect|msync|mlock|munlock|mlockall|munlockall|mincore|madvise
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 266, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 260, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 244, 4, 5), //accept4|recvmmsg
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 3, 4), //wait4|prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 268, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 267, 1, 2), //clock_adjtime
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 0, 1), //setns|sendmmsg|process_vm_readv|process_vm_writev
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+const size_t arm64_filter_size = sizeof(arm64_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/arm_policy.c b/libc/seccomp/arm_policy.c
new file mode 100644
index 0000000..44e734e
--- /dev/null
+++ b/libc/seccomp/arm_policy.c
@@ -0,0 +1,146 @@
+// Autogenerated file - edit at your peril!!
+
+#include <linux/filter.h>
+#include <errno.h>
+
+#include "seccomp_policy.h"
+const struct sock_filter arm_filter[] = {
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 1, 0, 133),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 174, 67, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 77, 33, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 45, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 26, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 11, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 6, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 3, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 2, 125, 126), //exit
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 5, 124, 125), //read|write
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 7, 123, 124), //close
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 19, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 13, 121, 122), //execve|chdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 22, 120, 121), //lseek|getpid|mount
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 41, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 36, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 27, 117, 118), //ptrace
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 38, 116, 117), //sync|kill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 43, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 42, 114, 115), //dup
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 44, 113, 114), //times
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 60, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 54, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 51, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 46, 109, 110), //brk
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 53, 108, 109), //acct|umount2
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 57, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 55, 106, 107), //ioctl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 58, 105, 106), //setpgid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 66, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 64, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 62, 102, 103), //umask|chroot
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 65, 101, 102), //getppid
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 74, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 68, 99, 100), //setsid|sigaction
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 76, 98, 99), //sethostname|setrlimit
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 124, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 103, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 94, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 91, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 87, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 80, 92, 93), //getrusage|gettimeofday|settimeofday
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 89, 91, 92), //swapon|reboot
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 93, 90, 91), //munmap|truncate
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 96, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 95, 88, 89), //fchmod
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 98, 87, 88), //getpriority|setpriority
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 118, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 114, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 106, 84, 85), //syslog|setitimer|getitimer
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 117, 83, 84), //wait4|swapoff|sysinfo
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 121, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 119, 81, 82), //fsync
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 123, 80, 81), //setdomainname|uname
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 138, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 131, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 128, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 126, 76, 77), //adjtimex|mprotect
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 130, 75, 76), //init_module|delete_module
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 136, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 134, 73, 74), //quotactl|getpgid|fchdir
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 137, 72, 73), //personality
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 150, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 143, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 141, 69, 70), //setfsuid|setfsgid|_llseek
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 149, 68, 69), //flock|msync|readv|writev|getsid|fdatasync
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 172, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 164, 66, 67), //mlock|munlock|mlockall|munlockall|sched_setparam|sched_getparam|sched_setscheduler|sched_getscheduler|sched_yield|sched_get_priority_max|sched_get_priority_min|sched_rr_get_interval|nanosleep|mremap
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 173, 65, 66), //prctl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 290, 33, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 239, 17, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 213, 9, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 197, 5, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 191, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 183, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 182, 58, 59), //rt_sigaction|rt_sigprocmask|rt_sigpending|rt_sigtimedwait|rt_sigqueueinfo|rt_sigsuspend|pread64|pwrite64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 188, 57, 58), //getcwd|capget|capset|sigaltstack|sendfile
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 195, 56, 57), //ugetrlimit|mmap2|truncate64|ftruncate64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 199, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 198, 54, 55), //fstat64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 212, 53, 54), //getuid32|getgid32|geteuid32|getegid32|setreuid32|setregid32|getgroups32|setgroups32|fchown32|setresuid32|getresuid32|setresgid32|getresgid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 219, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 217, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 215, 50, 51), //setuid32|setgid32
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 218, 49, 50), //getdents64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 225, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 222, 47, 48), //mincore|madvise|fcntl64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 238, 46, 47), //readahead|setxattr|lsetxattr|fsetxattr|getxattr|lgetxattr|fgetxattr|listxattr|llistxattr|flistxattr|removexattr|lremovexattr|fremovexattr
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 256, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 248, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 241, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 240, 42, 43), //sendfile64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 243, 41, 42), //sched_setaffinity|sched_getaffinity
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 251, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 249, 39, 40), //exit_group
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 252, 38, 39), //epoll_ctl
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 280, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 270, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 269, 35, 36), //set_tid_address|timer_create|timer_settime|timer_gettime|timer_getoverrun|timer_delete|clock_settime|clock_gettime|clock_getres|clock_nanosleep|statfs64|fstatfs64|tgkill
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 271, 34, 35), //arm_fadvise64_64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 286, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 285, 32, 33), //waitid|socket|bind|connect|listen
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 289, 31, 32), //getsockname|getpeername|socketpair
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 350, 15, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 327, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 317, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 292, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 291, 26, 27), //sendto
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 298, 25, 26), //recvfrom|shutdown|setsockopt|getsockopt|sendmsg|recvmsg
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 322, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 319, 23, 24), //inotify_add_watch|inotify_rm_watch
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 326, 22, 23), //openat|mkdirat|mknodat|fchownat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 345, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 340, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 338, 19, 20), //fstatat64|unlinkat|renameat|linkat|symlinkat|readlinkat|fchmodat|faccessat|pselect6|ppoll|unshare
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 344, 18, 19), //splice|sync_file_range2|tee|vmsplice
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 348, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 347, 16, 17), //getcpu|epoll_pwait
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 349, 15, 16), //utimensat
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 372, 7, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 365, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 352, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 351, 11, 12), //timerfd_create
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 363, 10, 11), //fallocate|timerfd_settime|timerfd_gettime|signalfd4|eventfd2|epoll_create1|dup3|pipe2|inotify_init1|preadv|pwritev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 369, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 367, 8, 9), //recvmmsg|accept4
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 370, 7, 8), //prlimit64
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983042, 3, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 374, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 373, 4, 5), //clock_adjtime
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 378, 3, 4), //sendmmsg|setns|process_vm_readv|process_vm_writev
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983045, 1, 0),
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983043, 1, 2), //__ARM_NR_cacheflush
+BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983046, 0, 1), //__ARM_NR_set_tls
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+};
+
+const size_t arm_filter_size = sizeof(arm_filter) / sizeof(struct sock_filter);
diff --git a/libc/seccomp/seccomp_policy.h b/libc/seccomp/seccomp_policy.h
new file mode 100644
index 0000000..e0282bd
--- /dev/null
+++ b/libc/seccomp/seccomp_policy.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SECCOMP_POLICY_H
+#define SECCOMP_POLICY_H
+
+#include <stddef.h>
+#include <linux/seccomp.h>
+
+extern const struct sock_filter arm_filter[];
+extern const size_t arm_filter_size;
+extern const struct sock_filter arm64_filter[];
+extern const size_t arm64_filter_size;
+
+#endif
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
new file mode 100755
index 0000000..b82bb12
--- /dev/null
+++ b/libc/tools/genseccomp.py
@@ -0,0 +1,171 @@
+#!/usr/bin/env python
+import os
+from subprocess import Popen, PIPE
+import textwrap
+from gensyscalls import SysCallsTxtParser
+
+
+syscall_file = "SYSCALLS.TXT"
+
+
+class SyscallRange(object):
+  def __init__(self, name, value):
+    self.names = [name]
+    self.begin = value
+    self.end = self.begin + 1
+
+  def add(self, name, value):
+    if value != self.end:
+      raise ValueError
+    self.end += 1
+    self.names.append(name)
+
+
+def generate_bpf_jge(value, ge_target, less_target):
+  return "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, {0}, {1}, {2})".format(value, ge_target, less_target)
+
+
+# Converts the sorted ranges of allowed syscalls to a binary tree bpf
+# For a single range, output a simple jump to {fail} or {allow}. We can't set
+# the jump ranges yet, since we don't know the size of the filter, so use a
+# placeholder
+# For multiple ranges, split into two, convert the two halves and output a jump
+# to the correct half
+def convert_to_bpf(ranges):
+  if len(ranges) == 1:
+    # We will replace {fail} and {allow} with appropriate range jumps later
+    return [generate_bpf_jge(ranges[0].end, "{fail}", "{allow}") +
+            ", //" + "|".join(ranges[0].names)]
+  else:
+    half = (len(ranges) + 1) / 2
+    first = convert_to_bpf(ranges[:half])
+    second = convert_to_bpf(ranges[half:])
+    return [generate_bpf_jge(ranges[half].begin, len(first), 0) + ","] + first + second
+
+
+def construct_bpf(architecture, header_dir, output_path):
+  parser = SysCallsTxtParser()
+  parser.parse_file(syscall_file)
+  syscalls = parser.syscalls
+
+  # Select only elements matching required architecture
+  syscalls = [x for x in syscalls if architecture in x and x[architecture]]
+
+  # We only want the name
+  names = [x["name"] for x in syscalls]
+
+  # Run preprocessor over the __NR_syscall symbols, including unistd.h,
+  # to get the actual numbers
+  prefix = "__SECCOMP_"  # prefix to ensure no name collisions
+  cpp = Popen(["../../prebuilts/clang/host/linux-x86/clang-stable/bin/clang",
+               "-E", "-nostdinc", "-I" + header_dir, "-Ikernel/uapi/", "-"],
+              stdin=PIPE, stdout=PIPE)
+  cpp.stdin.write("#include <asm/unistd.h>\n")
+  for name in names:
+    # In SYSCALLS.TXT, there are two arm-specific syscalls whose names start
+    # with __ARM__NR_. These we must simply write out as is.
+    if not name.startswith("__ARM_NR_"):
+      cpp.stdin.write(prefix + name + ", __NR_" + name + "\n")
+    else:
+      cpp.stdin.write(prefix + name + ", " + name + "\n")
+  content = cpp.communicate()[0].split("\n")
+
+  # The input is now the preprocessed source file. This will contain a lot
+  # of junk from the preprocessor, but our lines will be in the format:
+  #
+  #     __SECCOMP_${NAME}, (0 + value)
+
+  syscalls = []
+  for line in content:
+    if not line.startswith(prefix):
+      continue
+
+    # We might pick up extra whitespace during preprocessing, so best to strip.
+    name, value = [w.strip() for w in line.split(",")]
+    name = name[len(prefix):]
+
+    # Note that some of the numbers were expressed as base + offset, so we
+    # need to eval, not just int
+    value = eval(value)
+    syscalls.append((name, value))
+
+  # Sort the values so we convert to ranges and binary chop
+  syscalls = sorted(syscalls, lambda x, y: cmp(x[1], y[1]))
+
+  # Turn into a list of ranges. Keep the names for the comments
+  ranges = []
+  for name, value in syscalls:
+    if not ranges:
+      ranges.append(SyscallRange(name, value))
+      continue
+
+    last_range = ranges[-1]
+    if last_range.end == value:
+      last_range.add(name, value)
+    else:
+      ranges.append(SyscallRange(name, value))
+
+  bpf = convert_to_bpf(ranges)
+
+  # Now we know the size of the tree, we can substitute the {fail} and {allow}
+  # placeholders
+  for i, statement in enumerate(bpf):
+    # Replace placeholder with
+    # "distance to jump to fail, distance to jump to allow"
+    # We will add a kill statement and an allow statement after the tree
+    # With bpfs jmp 0 means the next statement, so the distance to the end is
+    # len(bpf) - i - 1, which is where we will put the kill statement, and
+    # then the statement after that is the allow statement
+    if "{fail}" in statement and "{allow}" in statement:
+      bpf[i] = statement.format(fail=str(len(bpf) - i - 1),
+                                allow=str(len(bpf) - i))
+
+  # Add check that we aren't off the bottom of the syscalls
+  bpf.insert(0,
+             "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, " + str(ranges[0].begin) +
+             ", 0, " + str(len(bpf)) + "),")
+
+  # Add the error and allow calls at the end
+  bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),")
+  bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),")
+
+  # And output policy
+  header = textwrap.dedent("""\
+    // Autogenerated file - edit at your peril!!
+
+    #include <linux/filter.h>
+    #include <errno.h>
+
+    #include "seccomp_policy.h"
+    const struct sock_filter {architecture}_filter[] = {{
+    """).format(architecture=architecture)
+
+  footer = textwrap.dedent("""\
+
+    }};
+
+    const size_t {architecture}_filter_size = sizeof({architecture}_filter) / sizeof(struct sock_filter);
+    """).format(architecture=architecture)
+  output = header + "\n".join(bpf) + footer
+
+  existing = ""
+  if os.path.isfile(output_path):
+    existing = open(output_path).read()
+  if output == existing:
+    print "File " + output_path + " not changed."
+  else:
+    with open(output_path, "w") as output_file:
+      output_file.write(output)
+
+    print "Generated file " + output_path
+
+
+def main():
+  # Set working directory for predictable results
+  os.chdir(os.path.join(os.environ["ANDROID_BUILD_TOP"], "bionic/libc"))
+  construct_bpf("arm", "kernel/uapi/asm-arm", "seccomp/arm_policy.c")
+  construct_bpf("arm64", "kernel/uapi/asm-arm64", "seccomp/arm64_policy.c")
+
+
+if __name__ == "__main__":
+  main()
diff --git a/libc/tools/gensyscalls.py b/libc/tools/gensyscalls.py
index b4aa06c..329184f 100755
--- a/libc/tools/gensyscalls.py
+++ b/libc/tools/gensyscalls.py
@@ -674,6 +674,7 @@
 
 logging.basicConfig(level=logging.INFO)
 
-state = State()
-state.process_file(os.path.join(bionic_libc_root, "SYSCALLS.TXT"))
-state.regenerate()
+if __name__ == "__main__":
+    state = State()
+    state.process_file(os.path.join(bionic_libc_root, "SYSCALLS.TXT"))
+    state.regenerate()