Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 125c0457 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep
Browse files

mediaex: apply seccomp filter 

We can safely reduce the number of accessible system calls from ~250
down to ~30.

This commit adds a seccomp filter for arm/arm64 devices. Mediaextractor
runs as a 32 bit process so the same filter is used for both arm and
arm64 devices. The filter is arranged by frequency of the systemcall to
provide the best performance.

Most system calls are whitelisted without argument inspection. The
exception is the socket syscall where the first argument is checked to
ensure only domain=AF_LOCAL sockets are allowed - used for logging.

Vendor additions may be appended to the default filter by creating
mediaextractor-seccomp.policy file and pointing BOARD_SECCOMP_POLICY
to the directory where it resides. For example:

create: device/<oem>/<target>/seccomp/mediaextractor-seccomp.policy

with the necessary syscalls. set:
BOARD_SECCOMP_POLICY=device/<oem>/<target>/seccomp
in the device's BoardConfig.mk

Change-Id: I384a43beaa18f10081c15320a795d9d9d0180de4
parent cbc455fb

services/mediaextractor/Android.mk

+6 −3
Original line number Diff line number Diff line
@@ -11,12 +11,15 @@ include $(BUILD_SHARED_LIBRARY) 


# service executable

include $(CLEAR_VARS)

LOCAL_SRC_FILES := main_extractorservice.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils liblog libicuuc

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

LOCAL_ADDITIONAL_DEPENDENCIES += mediaextractor-seccomp.policy

endif

LOCAL_SRC_FILES := main_extractorservice.cpp minijail/minijail.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils liblog libicuuc libminijail

LOCAL_STATIC_LIBRARIES := libicuandroid_utils

LOCAL_MODULE:= mediaextractor

LOCAL_32_BIT_ONLY := true

LOCAL_INIT_RC := mediaextractor.rc

include $(BUILD_EXECUTABLE)



include $(call all-makefiles-under, $(LOCAL_PATH))

services/mediaextractor/main_extractorservice.cpp

+2 −0
Original line number Diff line number Diff line
@@ -29,12 +29,14 @@ 
// from LOCAL_C_INCLUDES

#include "IcuUtils.h"

#include "MediaExtractorService.h"

#include "minijail/minijail.h"



using namespace android;



int main(int argc __unused, char** argv)

{

    signal(SIGPIPE, SIG_IGN);

    MiniJail();



    InitializeIcuOrDie();

services/mediaextractor/minijail/Android.mk

0 → 100644
+27 −0
Original line number Diff line number Diff line 
LOCAL_PATH := $(call my-dir)



ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediaextractor-seccomp.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy/



# mediaextractor runs in 32-bit combatibility mode. For 64 bit architectures,

# use the 32 bit policy

ifdef TARGET_2ND_ARCH

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediaextractor-seccomp-$(TARGET_2ND_ARCH).policy

else

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediaextractor-seccomp-$(TARGET_ARCH).policy

endif



# allow device specific additions to the syscall whitelist

ifneq (,$(wildcard $(BOARD_SECCOMP_POLICY)/mediaextractor-seccomp.policy))

    LOCAL_SRC_FILES += $(BOARD_SECCOMP_POLICY)/mediaextractor-seccomp.policy

endif



include $(BUILD_SYSTEM)/base_rules.mk



$(LOCAL_BUILT_MODULE): $(LOCAL_SRC_FILES)

	cat > $@ $^



endif

services/mediaextractor/minijail/minijail.cpp

0 → 100644
+50 −0
Original line number Diff line number Diff line 
/*

**

** Copyright 2015, The Android Open Source Project

**

** Licensed under the Apache License, Version 2.0 (the "License");

** you may not use this file except in compliance with the License.

** You may obtain a copy of the License at

**

**     http://www.apache.org/licenses/LICENSE-2.0

**

** Unless required by applicable law or agreed to in writing, software

** distributed under the License is distributed on an "AS IS" BASIS,

** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

** See the License for the specific language governing permissions and

** limitations under the License.

*/



#include <cutils/log.h>

#include <libminijail.h>



#include "minijail.h"



namespace android {



/* Must match location in Android.mk */

static const char kSeccompFilePath[] = "/system/etc/seccomp_policy/mediaextractor-seccomp.policy";



int MiniJail()

{

    /* no seccomp policy for this architecture */

    if (access(kSeccompFilePath, R_OK) == -1) {

        ALOGW("No seccomp filter defined for this architecture.");

        return 0;

    }



    struct minijail *jail = minijail_new();

    if (jail == NULL) {

        ALOGW("Failed to create minijail.");

        return -1;

    }



    minijail_no_new_privs(jail);

    minijail_log_seccomp_filter_failures(jail);

    minijail_use_seccomp_filter(jail);

    minijail_parse_seccomp_filters(jail, kSeccompFilePath);

    minijail_enter(jail);

    minijail_destroy(jail);

    return 0;

}

}

services/mediaextractor/minijail/minijail.h

0 → 100644
+20 −0
Original line number Diff line number Diff line 
/*

**

** Copyright 2015, The Android Open Source Project

**

** Licensed under the Apache License, Version 2.0 (the "License");

** you may not use this file except in compliance with the License.

** You may obtain a copy of the License at

**

**     http://www.apache.org/licenses/LICENSE-2.0

**

** Unless required by applicable law or agreed to in writing, software

** distributed under the License is distributed on an "AS IS" BASIS,

** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

** See the License for the specific language governing permissions and

** limitations under the License.

*/



namespace android {

int MiniJail();

}