init: add support for global seccomp boot option

Setting androidboot.seccomp=global on the kernel command line shall
enable seccomp for all processes rather than just in zygote. Doing
this has a performance impact, for now it shall just be used to audit
syscall usage during testing.

Bug: 37960259
Change-Id: I6b9fc95e9bec5e2bcfe6ef0b4343a5b422e30152
This commit is contained in:
Steve Muckle 2017-07-17 15:14:02 -07:00
parent e3d470b81d
commit af1a9bfb8f
2 changed files with 14 additions and 0 deletions

View File

@ -77,6 +77,7 @@ LOCAL_STATIC_LIBRARIES := \
libcutils \
libbase \
libc \
libseccomp_policy \
libselinux \
liblog \
libcrypto_utils \

View File

@ -23,6 +23,7 @@
#include <inttypes.h>
#include <libgen.h>
#include <paths.h>
#include <seccomp_policy.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
@ -554,6 +555,15 @@ static int queue_property_triggers_action(const std::vector<std::string>& args)
return 0;
}
static void global_seccomp() {
import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool in_qemu) {
if (key == "androidboot.seccomp" && value == "global" && !set_global_seccomp_filter()) {
LOG(ERROR) << "Failed to globally enable seccomp!";
panic();
}
});
}
static void selinux_init_all_handles(void)
{
sehandle = selinux_android_file_context_handle();
@ -1004,6 +1014,9 @@ int main(int argc, char** argv) {
SetInitAvbVersionInRecovery();
// Enable seccomp if global boot option was passed (otherwise it is enabled in zygote).
global_seccomp();
// Set up SELinux, loading the SELinux policy.
selinux_initialize(true);