Merge "Whitelist mremap for the mediacodec seccomp filter."

commit: 5867438fb562c80b8952c0b206ca1bf2f02e6a07 [log] [tgz]
author: TreeHugger Robot <treehugger-gerrit@google.com> Fri Jan 20 18:17:24 2017 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Fri Jan 20 18:17:26 2017 +0000
tree: 68c15996320e8565d8c7c5fd00d32ad37ce231b3
parent: 2a0c6d54dc34fdd8cca4e8ed7f39ad512133a878 [diff]
parent: 3187436320be4c370b02aefe1acb064f364f4e1f [diff]
diff --git a/services/mediacodec/minijail/seccomp_policy/mediacodec-seccomp-arm.policy b/services/mediacodec/minijail/seccomp_policy/mediacodec-seccomp-arm.policy
index 0afaa15..9a0894d 100644
--- a/services/mediacodec/minijail/seccomp_policy/mediacodec-seccomp-arm.policy
+++ b/services/mediacodec/minijail/seccomp_policy/mediacodec-seccomp-arm.policy

@@ -12,6 +12,14 @@
 dup: 1
 ppoll: 1
 mmap2: 1
+
+# mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail
+# parser support for '<' is in this needs to be modified to also prevent
+# |old_address| and |new_address| from touching the exception vector page, which
+# on ARM is statically loaded at 0xffff 0000. See
+# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
+# for more details.
+mremap: arg3 == 3
 munmap: 1
 mprotect: 1
 madvise: 1
commit	5867438fb562c80b8952c0b206ca1bf2f02e6a07	[log] [tgz]
author	TreeHugger Robot <treehugger-gerrit@google.com>	Fri Jan 20 18:17:24 2017 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Fri Jan 20 18:17:26 2017 +0000
tree	68c15996320e8565d8c7c5fd00d32ad37ce231b3
parent	2a0c6d54dc34fdd8cca4e8ed7f39ad512133a878 [diff]
parent	3187436320be4c370b02aefe1acb064f364f4e1f [diff]