init: add support for global seccomp boot option
Setting androidboot.seccomp=global on the kernel command line shall enable seccomp for all processes rather than just in zygote. Doing this has a performance impact, for now it shall just be used to audit syscall usage during testing. Bug: 37960259 Change-Id: I6b9fc95e9bec5e2bcfe6ef0b4343a5b422e30152
This commit is contained in:
parent
e3d470b81d
commit
af1a9bfb8f
|
@ -77,6 +77,7 @@ LOCAL_STATIC_LIBRARIES := \
|
|||
libcutils \
|
||||
libbase \
|
||||
libc \
|
||||
libseccomp_policy \
|
||||
libselinux \
|
||||
liblog \
|
||||
libcrypto_utils \
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
#include <inttypes.h>
|
||||
#include <libgen.h>
|
||||
#include <paths.h>
|
||||
#include <seccomp_policy.h>
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
|
@ -554,6 +555,15 @@ static int queue_property_triggers_action(const std::vector<std::string>& args)
|
|||
return 0;
|
||||
}
|
||||
|
||||
static void global_seccomp() {
|
||||
import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool in_qemu) {
|
||||
if (key == "androidboot.seccomp" && value == "global" && !set_global_seccomp_filter()) {
|
||||
LOG(ERROR) << "Failed to globally enable seccomp!";
|
||||
panic();
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
static void selinux_init_all_handles(void)
|
||||
{
|
||||
sehandle = selinux_android_file_context_handle();
|
||||
|
@ -1004,6 +1014,9 @@ int main(int argc, char** argv) {
|
|||
|
||||
SetInitAvbVersionInRecovery();
|
||||
|
||||
// Enable seccomp if global boot option was passed (otherwise it is enabled in zygote).
|
||||
global_seccomp();
|
||||
|
||||
// Set up SELinux, loading the SELinux policy.
|
||||
selinux_initialize(true);
|
||||
|
||||
|
|
Loading…
Reference in New Issue