From ae03b12925b9d3529030d23718c42c6566cb3a05 Mon Sep 17 00:00:00 2001
From: Elliott Hughes
Date: Tue, 17 Sep 2019 16:37:05 -0700
Subject: [PATCH] Remove global seccomp list.
Never used, and incompatible with having bionic in a mainline module.
Test: builds
Change-Id: If377f66cc105fd3a1ec4d9c92330fa6a2d2c145c
---
 libc/Android.bp | 36 +--------------------------
 libc/SECCOMP_WHITELIST_GLOBAL.TXT | 18 --------------
 libc/seccomp/include/seccomp_policy.h | 1 -
 libc/seccomp/seccomp_bpfs.h | 12 ---------
 libc/seccomp/seccomp_policy.cpp | 24 ------------------
 libc/tools/genfunctosyscallnrs.py | 4 +-
 libc/tools/genseccomp.py | 6 ++---
 libc/tools/gensyscalls.py | 10 ++++----
 8 files changed, 11 insertions(+), 100 deletions(-)
 delete mode 100644 libc/SECCOMP_WHITELIST_GLOBAL.TXT
diff --git a/libc/Android.bp b/libc/Android.bp
index e1c007208..4abb32fec 100644
--- a/libc/Android.bp
+++ b/libc/Android.bp
@@ -2287,8 +2287,7 @@ cc_object {
 ],
 }
-// Generate the C++ policy sources for app, system, and global seccomp-bpf
-// filters.
+// Generate the C++ policy sources for app and system seccomp-bpf filters.
 python_binary_host {
 name: "genseccomp",
 main: "tools/genseccomp.py",
@@ -2458,38 +2457,6 @@ cc_genrule {
 ],
 }
-cc_genrule {
- name: "libseccomp_policy_global_sources",
- recovery_available: true,
- cmd: "$(location genseccomp) --out-dir=$(genDir) --name-modifier=global $(in)",
-
- tools: [ "genseccomp" ],
-
- srcs: [
- "SYSCALLS.TXT",
- "SECCOMP_WHITELIST_COMMON.TXT",
- "SECCOMP_WHITELIST_SYSTEM.TXT",
- "SECCOMP_WHITELIST_APP.TXT",
- "SECCOMP_WHITELIST_GLOBAL.TXT",
- "SECCOMP_BLACKLIST_COMMON.TXT",
- ":libseccomp_gen_syscall_nrs_arm",
- ":libseccomp_gen_syscall_nrs_arm64",
- ":libseccomp_gen_syscall_nrs_mips",
- ":libseccomp_gen_syscall_nrs_mips64",
- ":libseccomp_gen_syscall_nrs_x86",
- ":libseccomp_gen_syscall_nrs_x86_64",
- ],
-
- out: [
- "arm64_global_policy.cpp",
- "arm_global_policy.cpp",
- "mips64_global_policy.cpp",
- "mips_global_policy.cpp",
- "x86_64_global_policy.cpp",
- "x86_global_policy.cpp",
- ],
-}
-
 cc_library {
 name: "libseccomp_policy",
 recovery_available: true,
@@ -2497,7 +2464,6 @@ cc_library {
 generated_sources: [
 "libseccomp_policy_app_sources",
 "libseccomp_policy_app_zygote_sources",
- "libseccomp_policy_global_sources",
 "libseccomp_policy_system_sources",
 ],
diff --git a/libc/SECCOMP_WHITELIST_GLOBAL.TXT b/libc/SECCOMP_WHITELIST_GLOBAL.TXT
deleted file mode 100644
index f3e5a98a3..000000000
--- a/libc/SECCOMP_WHITELIST_GLOBAL.TXT
+++ /dev/null
@@ -1,18 +0,0 @@
-# This file is used to populate seccomp's global whitelist policy in
-# combination with SYSCALLS.TXT, SECCOMP_BLACKLIST.TXT and
-# SECCOMP_WHITELIST.TXT. Unlike the policy used in normal operation this
-# policy is applied globally during the early stage of init, if global seccomp
-# is enabled.
-#
-# See the description at the top of SYSCALLS.TXT for an explanation of the
-# format of the entries in this file.
-#
-# This file is processed by a python script named genseccomp.py.
-# syscalls needed to boot android
-int swapon(const char*, int) all
-long keyctl(int, ...) all
-key_serial_t add_key(const char*, const char*, const void*, size_t, key_serial_t) all
-# b/62715671
-int finit_module(int, const char*, int) all
diff --git a/libc/seccomp/include/seccomp_policy.h b/libc/seccomp/include/seccomp_policy.h
index fd0fb6035..383c42e40 100644
--- a/libc/seccomp/include/seccomp_policy.h
+++ b/libc/seccomp/include/seccomp_policy.h
@@ -23,7 +23,6 @@ bool set_app_seccomp_filter();
 bool set_app_zygote_seccomp_filter();
 bool set_system_seccomp_filter();
-bool set_global_seccomp_filter();
 // Installs a filter that limits setresuid/setresgid to a range of
 // [uid_gid_min..uid_gid_max] (for the real-, effective- and super-ids).
diff --git a/libc/seccomp/seccomp_bpfs.h b/libc/seccomp/seccomp_bpfs.h
index d9e80479c..824542916 100644
--- a/libc/seccomp/seccomp_bpfs.h
+++ b/libc/seccomp/seccomp_bpfs.h
@@ -25,8 +25,6 @@ extern const struct sock_filter arm_app_zygote_filter[];
 extern const size_t arm_app_zygote_filter_size;
 extern const struct sock_filter arm_system_filter[];
 extern const size_t arm_system_filter_size;
-extern const struct sock_filter arm_global_filter[];
-extern const size_t arm_global_filter_size;
 extern const struct sock_filter arm64_app_filter[];
 extern const size_t arm64_app_filter_size;
@@ -34,8 +32,6 @@ extern const struct sock_filter arm64_app_zygote_filter[];
 extern const size_t arm64_app_zygote_filter_size;
 extern const struct sock_filter arm64_system_filter[];
 extern const size_t arm64_system_filter_size;
-extern const struct sock_filter arm64_global_filter[];
-extern const size_t arm64_global_filter_size;
 extern const struct sock_filter x86_app_filter[];
 extern const size_t x86_app_filter_size;
@@ -43,8 +39,6 @@ extern const struct sock_filter x86_app_zygote_filter[];
 extern const size_t x86_app_zygote_filter_size;
 extern const struct sock_filter x86_system_filter[];
 extern const size_t x86_system_filter_size;
-extern const struct sock_filter x86_global_filter[];
-extern const size_t x86_global_filter_size;
 extern const struct sock_filter x86_64_app_filter[];
 extern const size_t x86_64_app_filter_size;
@@ -52,8 +46,6 @@ extern const struct sock_filter x86_64_app_zygote_filter[];
 extern const size_t x86_64_app_zygote_filter_size;
 extern const struct sock_filter x86_64_system_filter[];
 extern const size_t x86_64_system_filter_size;
-extern const struct sock_filter x86_64_global_filter[];
-extern const size_t x86_64_global_filter_size;
 extern const struct sock_filter mips_app_filter[];
 extern const size_t mips_app_filter_size;
@@ -61,8 +53,6 @@ extern const struct sock_filter mips_app_zygote_filter[];
 extern const size_t mips_app_zygote_filter_size;
 extern const struct sock_filter mips_system_filter[];
 extern const size_t mips_system_filter_size;
-extern const struct sock_filter mips_global_filter[];
-extern const size_t mips_global_filter_size;
 extern const struct sock_filter mips64_app_filter[];
 extern const size_t mips64_app_filter_size;
@@ -70,5 +60,3 @@ extern const struct sock_filter mips64_app_zygote_filter[];
 extern const size_t mips64_app_zygote_filter_size;
 extern const struct sock_filter mips64_system_filter[];
 extern const size_t mips64_system_filter_size;
-extern const struct sock_filter mips64_global_filter[];
-extern const size_t mips64_global_filter_size;
diff --git a/libc/seccomp/seccomp_policy.cpp b/libc/seccomp/seccomp_policy.cpp
index 222a2c87d..bce7b14e8 100644
--- a/libc/seccomp/seccomp_policy.cpp
+++ b/libc/seccomp/seccomp_policy.cpp
@@ -39,8 +39,6 @@ static const struct sock_filter* primary_app_zygote_filter = arm64_app_zygote_fi
 static const size_t primary_app_zygote_filter_size = arm64_app_zygote_filter_size;
 static const struct sock_filter* primary_system_filter = arm64_system_filter;
 static const size_t primary_system_filter_size = arm64_system_filter_size;
-static const struct sock_filter* primary_global_filter = arm64_global_filter;
-static const size_t primary_global_filter_size = arm64_global_filter_size;
 static const long primary_setresgid = __arm64_setresgid;
 static const long primary_setresuid = __arm64_setresuid;
@@ -51,8 +49,6 @@ static const struct sock_filter* secondary_app_zygote_filter = arm_app_zygote_fi
 static const size_t secondary_app_zygote_filter_size = arm_app_zygote_filter_size;
 static const struct sock_filter* secondary_system_filter = arm_system_filter;
 static const size_t secondary_system_filter_size = arm_system_filter_size;
-static const struct sock_filter* secondary_global_filter = arm_global_filter;
-static const size_t secondary_global_filter_size = arm_global_filter_size;
 static const long secondary_setresgid = __arm_setresgid;
 static const long secondary_setresuid = __arm_setresuid;
@@ -66,8 +62,6 @@ static const struct sock_filter* primary_app_zygote_filter = x86_64_app_zygote_f
 static const size_t primary_app_zygote_filter_size = x86_64_app_zygote_filter_size;
 static const struct sock_filter* primary_system_filter = x86_64_system_filter;
 static const size_t primary_system_filter_size = x86_64_system_filter_size;
-static const struct sock_filter* primary_global_filter = x86_64_global_filter;
-static const size_t primary_global_filter_size = x86_64_global_filter_size;
 static const long primary_setresgid = __x86_64_setresgid;
 static const long primary_setresuid = __x86_64_setresuid;
@@ -78,8 +72,6 @@ static const struct sock_filter* secondary_app_zygote_filter = x86_app_zygote_fi
 static const size_t secondary_app_zygote_filter_size = x86_app_zygote_filter_size;
 static const struct sock_filter* secondary_system_filter = x86_system_filter;
 static const size_t secondary_system_filter_size = x86_system_filter_size;
-static const struct sock_filter* secondary_global_filter = x86_global_filter;
-static const size_t secondary_global_filter_size = x86_global_filter_size;
 static const long secondary_setresgid = __x86_setresgid;
 static const long secondary_setresuid = __x86_setresuid;
@@ -93,8 +85,6 @@ static const struct sock_filter* primary_app_zygote_filter = mips64_app_zygote_f
 static const size_t primary_app_zygote_filter_size = mips64_app_zygote_filter_size;
 static const struct sock_filter* primary_system_filter = mips64_system_filter;
 static const size_t primary_system_filter_size = mips64_system_filter_size;
-static const struct sock_filter* primary_global_filter = mips64_global_filter;
-static const size_t primary_global_filter_size = mips64_global_filter_size;
 static const long primary_setresgid = __mips64_setresgid;
 static const long primary_setresuid = __mips64_setresuid;
@@ -105,8 +95,6 @@ static const struct sock_filter* secondary_app_zygote_filter = mips_app_zygote_fi
 static const size_t secondary_app_zygote_filter_size = mips_app_zygote_filter_size;
 static const struct sock_filter* secondary_system_filter = mips_system_filter;
 static const size_t secondary_system_filter_size = mips_system_filter_size;
-static const struct sock_filter* secondary_global_filter = mips_global_filter;
-static const size_t secondary_global_filter_size = mips_global_filter_size;
 static const long secondary_setresgid = __mips_setresgid;
 static const long secondary_setresuid = __mips_setresuid;
@@ -245,7 +233,6 @@ enum FilterType {
 APP,
 APP_ZYGOTE,
 SYSTEM,
- GLOBAL
 };
 bool _set_seccomp_filter(FilterType type) {
@@ -272,13 +259,6 @@ bool _set_seccomp_filter(FilterType type) {
 s = secondary_system_filter;
 s_size = secondary_system_filter_size;
 break;
- case GLOBAL:
- p = primary_global_filter;
- p_size = primary_global_filter_size;
- s = secondary_global_filter;
- s_size = secondary_global_filter_size;
- break;
-
 }
 #ifdef DUAL_ARCH
@@ -325,10 +305,6 @@ bool set_system_seccomp_filter() {
 return _set_seccomp_filter(FilterType::SYSTEM);
 }
-bool set_global_seccomp_filter() {
- return _set_seccomp_filter(FilterType::GLOBAL);
-}
-
 bool install_setuidgid_seccomp_filter(uint32_t uid_gid_min, uint32_t uid_gid_max) {
 return _install_setuidgid_filter(uid_gid_min, uid_gid_max);
 }
diff --git a/libc/tools/genfunctosyscallnrs.py b/libc/tools/genfunctosyscallnrs.py
index 6a456f269..ecfc8abc1 100755
--- a/libc/tools/genfunctosyscallnrs.py
+++ b/libc/tools/genfunctosyscallnrs.py
@@ -8,7 +8,7 @@ import re
 import subprocess
 import textwrap
-from gensyscalls import SysCallsTxtParser
+from gensyscalls import SupportedArchitectures, SysCallsTxtParser
 from genseccomp import parse_syscall_NRs
 def load_syscall_names_from_file(file_path, architecture):
@@ -22,7 +22,7 @@ def load_syscall_names_from_file(file_path, architecture):
 return arch_map
 def gen_syscall_nrs(out_file, base_syscall_file, syscall_NRs):
- for arch in ('arm', 'arm64', 'mips', 'mips64', 'x86', 'x86_64'):
+ for arch in SupportedArchitectures:
 base_names = load_syscall_names_from_file(base_syscall_file, arch)
 for func,syscall in base_names.iteritems():
diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
index 365e1980b..cc0ff9940 100755
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py
@@ -8,7 +8,7 @@ import re
 import subprocess
 import textwrap
-from gensyscalls import SysCallsTxtParser
+from gensyscalls import SupportedArchitectures, SysCallsTxtParser
 BPF_JGE = "BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, {0}, {1}, {2})"
@@ -181,7 +181,7 @@ def construct_bpf(syscalls, architecture, name_modifier):
 def gen_policy(name_modifier, out_dir, base_syscall_file, syscall_files, syscall_NRs):
- for arch in ('arm', 'arm64', 'mips', 'mips64', 'x86', 'x86_64'):
+ for arch in SupportedArchitectures:
 base_names = load_syscall_names_from_file(base_syscall_file, arch)
 whitelist_names = set()
 blacklist_names = set()
@@ -215,7 +215,7 @@ def main():
 parser.add_argument("--verbose", "-v", help="Enables verbose logging.")
 parser.add_argument("--name-modifier",
 help=("Specifies the name modifier for the policy. "
- "One of {app,global,system}."))
+ "One of {app,system}."))
 parser.add_argument("--out-dir",
 help="The output directory for the policy files")
 parser.add_argument("base_file", metavar="base-file", type=str,
diff --git a/libc/tools/gensyscalls.py b/libc/tools/gensyscalls.py
index 0f3f1dc15..d863e20e9 100755
--- a/libc/tools/gensyscalls.py
+++ b/libc/tools/gensyscalls.py
@@ -17,7 +17,7 @@ import sys
 import tempfile
-all_arches = [ "arm", "arm64", "mips", "mips64", "x86", "x86_64" ]
+SupportedArchitectures = [ "arm", "arm64", "mips", "mips64", "x86", "x86_64" ]
 bionic_libc = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")
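Review bot: The rewritten `--name-modifier` help text in genseccomp.py now says `"One of {app,system}."`, but this same patch keeps `libseccomp_policy_app_zygote_sources` in libc/Android.bp and the `*_app_zygote_filter` symbols in seccomp_bpfs.h, so the build presumably also invokes the script with an app-zygote modifier; the string should list whatever values the genrules actually pass, likely `"One of {app,app_zygote,system}."`. Nothing in the hunk constrains the argument (no `choices=` is visible), so a misspelled modifier in a genrule would silently produce policy sources under an unexpected name instead of failing the build; adding `choices=("app", "app_zygote", "system")` to the `add_argument` call would make the documented set the enforced set. The app-zygote genrule and the rest of `main()` are outside this hunk, so confirm the exact modifier value before editing the text.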
@@ -456,19 +456,19 @@ class SysCallsTxtParser:
 # Parse the architecture list.
 arch_list = line[pos_rparen+1:].strip()
 if arch_list == "all":
- for arch in all_arches:
+ for arch in SupportedArchitectures:
 t[arch] = True
 elif arch_list == "lp32":
- for arch in all_arches:
+ for arch in SupportedArchitectures:
 if "64" not in arch:
 t[arch] = True
 elif arch_list == "lp64":
- for arch in all_arches:
+ for arch in SupportedArchitectures:
 if "64" in arch:
 t[arch] = True
 else:
 for arch in string.split(arch_list, ','):
- if arch in all_arches:
+ if arch in SupportedArchitectures:
 t[arch] = True
 else:
 E("invalid syscall architecture '%s' in '%s'" % (arch, line))
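Review bot: `SupportedArchitectures` is a module-level constant but is spelled in CapWords, which PEP 8 reserves for class names; since the patch is renaming `all_arches` anyway and now exports it to genseccomp.py and genfunctosyscallnrs.py, `SUPPORTED_ARCHITECTURES` would read as the constant it is. The value is also a mutable list that three modules now share, while every use in the hunks only iterates it or tests membership, so a tuple, `SupportedArchitectures = ("arm", "arm64", "mips", "mips64", "x86", "x86_64")`, would rule out an importer accidentally mutating the architecture set that both the syscall parser and the seccomp policy generators depend on. The enclosing parse method of `SysCallsTxtParser` starts and ends outside this hunk.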