Merge "mediaex: apply seccomp filter"

# service executable

include $(CLEAR_VARS)

LOCAL_SRC_FILES := main_extractorservice.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils liblog libicuuc

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

LOCAL_ADDITIONAL_DEPENDENCIES += mediaextractor-seccomp.policy

endif

LOCAL_SRC_FILES := main_extractorservice.cpp minijail/minijail.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils liblog libicuuc libminijail

LOCAL_STATIC_LIBRARIES := libicuandroid_utils

LOCAL_MODULE:= mediaextractor

LOCAL_32_BIT_ONLY := true

LOCAL_INIT_RC := mediaextractor.rc

include $(BUILD_EXECUTABLE)

include $(call all-makefiles-under, $(LOCAL_PATH))

// from LOCAL_C_INCLUDES

#include "IcuUtils.h"

#include "MediaExtractorService.h"

#include "minijail/minijail.h"

using namespace android;

int main(int argc __unused, char** argv)

{

    signal(SIGPIPE, SIG_IGN);

    MiniJail();

    InitializeIcuOrDie();

LOCAL_PATH := $(call my-dir)

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediaextractor-seccomp.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy/

# mediaextractor runs in 32-bit combatibility mode. For 64 bit architectures,

# use the 32 bit policy

ifdef TARGET_2ND_ARCH

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediaextractor-seccomp-$(TARGET_2ND_ARCH).policy

else

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediaextractor-seccomp-$(TARGET_ARCH).policy

endif

# allow device specific additions to the syscall whitelist

ifneq (,$(wildcard $(BOARD_SECCOMP_POLICY)/mediaextractor-seccomp.policy))

    LOCAL_SRC_FILES += $(BOARD_SECCOMP_POLICY)/mediaextractor-seccomp.policy

endif

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): $(LOCAL_SRC_FILES)

	cat > $@ $^

endif

/*

**

** Copyright 2015, The Android Open Source Project

**

** Licensed under the Apache License, Version 2.0 (the "License");

** you may not use this file except in compliance with the License.

** You may obtain a copy of the License at

**

**     http://www.apache.org/licenses/LICENSE-2.0

**

** Unless required by applicable law or agreed to in writing, software

** distributed under the License is distributed on an "AS IS" BASIS,

** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

** See the License for the specific language governing permissions and

** limitations under the License.

*/

#include <cutils/log.h>

#include <libminijail.h>

#include "minijail.h"

namespace android {

/* Must match location in Android.mk */

static const char kSeccompFilePath[] = "/system/etc/seccomp_policy/mediaextractor-seccomp.policy";

int MiniJail()

{

    /* no seccomp policy for this architecture */

    if (access(kSeccompFilePath, R_OK) == -1) {

        ALOGW("No seccomp filter defined for this architecture.");

        return 0;

    }

    struct minijail *jail = minijail_new();

    if (jail == NULL) {

        ALOGW("Failed to create minijail.");

        return -1;

    }

    minijail_no_new_privs(jail);

    minijail_log_seccomp_filter_failures(jail);

    minijail_use_seccomp_filter(jail);

    minijail_parse_seccomp_filters(jail, kSeccompFilePath);

    minijail_enter(jail);

    minijail_destroy(jail);

    return 0;

}

}

/*

**

** Copyright 2015, The Android Open Source Project

**

** Licensed under the Apache License, Version 2.0 (the "License");

** you may not use this file except in compliance with the License.

** You may obtain a copy of the License at

**

**     http://www.apache.org/licenses/LICENSE-2.0

**

** Unless required by applicable law or agreed to in writing, software

** distributed under the License is distributed on an "AS IS" BASIS,

** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

** See the License for the specific language governing permissions and

** limitations under the License.

*/

namespace android {

int MiniJail();

}