author | Steve Muckle <smuckle@google.com> | 2017-07-20 13:11:54 -0700 |
---|---|---|
committer | Steve Muckle <smuckle@google.com> | 2017-07-21 20:30:21 -0700 |
commit | aa3f96c9c429fa6270d86fbd6485e3b12d7d9aa6 (patch) | |
tree | 0c8221de1a0114d281bef45912f35dee6f6c3db3 /libc/SECCOMP_WHITELIST_GLOBAL.TXT | |
parent | b8ce93974a675029c2c8360adf18bc67740658e1 (diff) | |
Create global seccomp policy.
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.
Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
observing modprobe fail, confirm regular seccomp unchanged by
comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
Diffstat (limited to 'libc/SECCOMP_WHITELIST_GLOBAL.TXT')
-rw-r--r-- | libc/SECCOMP_WHITELIST_GLOBAL.TXT | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/libc/SECCOMP_WHITELIST_GLOBAL.TXT b/libc/SECCOMP_WHITELIST_GLOBAL.TXT new file mode 100644 index 000000000..f3e5a98a3 --- /dev/null +++ b/libc/SECCOMP_WHITELIST_GLOBAL.TXT @@ -0,0 +1,18 @@ +# This file is used to populate seccomp's global whitelist policy in +# combination with SYSCALLS.TXT, SECCOMP_BLACKLIST.TXT and +# SECCOMP_WHITELIST.TXT. Unlike the policy used in normal operation this +# policy is applied globally during the early stage of init, if global seccomp +# is enabled. +# +# See the description at the top of SYSCALLS.TXT for an explanation of the +# format of the entries in this file. +# +# This file is processed by a python script named genseccomp.py. + +# syscalls needed to boot android +int swapon(const char*, int) all +long keyctl(int, ...) all +key_serial_t add_key(const char*, const char*, const void*, size_t, key_serial_t) all + +# b/62715671 +int finit_module(int, const char*, int) all |
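Review bot: the `# b/62715671` line above `int finit_module(int, const char*, int) all` is the only entry whose purpose is not stated in the file; since the commit message's Test line shows this entry exists so that modprobe can load kernel modules during boot, the comment should say so rather than point only at a bug id, e.g. `# b/62715671: kernel module loading (modprobe) during boot`. The same applies to the `keyctl` and `add_key` entries, which are grouped under "syscalls needed to boot android" without naming what needs them; because this policy is applied to every process when global seccomp is on, each whitelisted syscall widens the globally reachable kernel surface, and a one-line justification per entry makes later audits (the stated goal of the change) much easier. Finally, the header says the file is used "in combination with" SYSCALLS.TXT, SECCOMP_BLACKLIST.TXT and SECCOMP_WHITELIST.TXT but does not say whether these entries are added on top of the normal whitelist or replace it, nor how "global seccomp is enabled"; a sentence stating both would remove the ambiguity.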