android_bionic/libc/SECCOMP_BLACKLIST_COMMON.TXT

# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
# Note that the resultant policy is applied only to zygote spawned processes.
#
# The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT
# Any entry in the blacklist must be in the syscalls file and not be in the whitelist file
#
# This file is processed by a python script named genseccomp.py.

int     swapon(const char*, int) all
int     swapoff(const char*) all
Add seccomp blacklist, and exclude swap functions Bug: 37253880 Test: Make sure device boots Run pylint on genseccomp.py, test_genseccomp.py Run test_genseccomp.py Run new CTS test cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d 2017-04-12 17:02:54 +00:00			`# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.`
			`# Note that the resultant policy is applied only to zygote spawned processes.`
			`#`
			`# The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT`
			`# Any entry in the blacklist must be in the syscalls file and not be in the whitelist file`
			`#`
Split zygote's seccomp filter into two To pave the way to reducing app's kernel attack surface, this change split the single filter into one for system and one for apps. Note that there is current no change between them. Zygote will apply these filters appropriately to system server and apps. Keep set_seccomp_filter() for now until the caller has switched to the new API, which I will do immediately after this before the two filters diverse. Also remove get_seccomp_filter() since it doesn't seem to be used anyway. Test: diff the generated code, no difference except the variable names Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest Bug: 63944145 Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23 2017-12-20 17:19:22 +00:00			`# This file is processed by a python script named genseccomp.py.`
Add seccomp blacklist, and exclude swap functions Bug: 37253880 Test: Make sure device boots Run pylint on genseccomp.py, test_genseccomp.py Run test_genseccomp.py Run new CTS test cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d 2017-04-12 17:02:54 +00:00
			`int swapon(const char*, int) all`
			`int swapoff(const char*) all`