Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 79234e4a authored by Jeff Vander Stoep's avatar Jeff Vander Stoep
Browse files

Combine platform and vendor seccomp policy at runtime 

Previously, vendor customization to seccomp policy was combined
with the platform's policy at build time. In order to remove
frameworks dependencies on the device folder, this policy
combination is being moved to runtime.

For mediacodec and mediaextractor, platform seccomp policy specified
in the frameworks will be loaded from /system/etc/seccomp_policy.
Optional vendor customizations must reside in
/vendor/etc/seccomp_policy. If the vendor policy exists, it will be
concatenated to the end of the platform policy and loaded, otherwise
just the platform policy will be loaded.

Bug: 34723744
Test: Dragon, Marlin, Muskie build and boot.
Test: Watch videos on youtube no seccomp violations observed.
Test: For both mediacodec and mediaextractor verify
"cat proc/<pid>/status | grep Seccomp" == Seccomp: 2
Change-Id: I08b79b207785df69add31e4662e2c33fa28b4f4d
parent 3b3e0303

services/mediacodec/Android.mk

+17 −1
Original line number Diff line number Diff line
@@ -20,7 +20,7 @@ include $(BUILD_SHARED_LIBRARY) 


# service executable

include $(CLEAR_VARS)

LOCAL_REQUIRED_MODULES_arm := mediacodec-seccomp.policy

LOCAL_REQUIRED_MODULES_arm := mediacodec.policy

LOCAL_SRC_FILES := main_codecservice.cpp

LOCAL_SHARED_LIBRARIES := \

    libmedia \
@@ -46,4 +46,20 @@ LOCAL_32_BIT_ONLY := true 
LOCAL_INIT_RC := mediacodec.rc

include $(BUILD_EXECUTABLE)



# service seccomp policy

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediacodec.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy

# mediacodec runs in 32-bit combatibility mode. For 64 bit architectures,

# use the 32 bit policy

ifdef TARGET_2ND_ARCH

    LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_2ND_ARCH).policy

else

    LOCAL_SRC_FILES := seccomp_policy/mediacodec-$(TARGET_ARCH).policy

endif

include $(BUILD_PREBUILT)

endif



include $(call all-makefiles-under, $(LOCAL_PATH))

services/mediacodec/main_codecservice.cpp

+5 −2
Original line number Diff line number Diff line
@@ -38,13 +38,16 @@ 
using namespace android;



// Must match location in Android.mk.

static const char kSeccompPolicyPath[] = "/system/etc/seccomp_policy/mediacodec-seccomp.policy";

static const char kSystemSeccompPolicyPath[] =

        "/system/etc/seccomp_policy/mediacodec.policy";

static const char kVendorSeccompPolicyPath[] =

        "/vendor/etc/seccomp_policy/mediacodec.policy";



int main(int argc __unused, char** argv)

{

    LOG(INFO) << "mediacodecservice starting";

    signal(SIGPIPE, SIG_IGN);

    SetUpMinijail(kSeccompPolicyPath, std::string());

    SetUpMinijail(kSystemSeccompPolicyPath, kVendorSeccompPolicyPath);



    strcpy(argv[0], "media.codec");

services/mediacodec/minijail/Android.mk

deleted100644 → 0
+0 −27
Original line number Diff line number Diff line 
LOCAL_PATH := $(call my-dir)



ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediacodec-seccomp.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy



# mediacodec runs in 32-bit combatibility mode. For 64 bit architectures,

# use the 32 bit policy

ifdef TARGET_2ND_ARCH

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediacodec-seccomp-$(TARGET_2ND_ARCH).policy

else

    LOCAL_SRC_FILES := $(LOCAL_PATH)/seccomp_policy/mediacodec-seccomp-$(TARGET_ARCH).policy

endif



# allow device specific additions to the syscall whitelist

LOCAL_SRC_FILES += $(wildcard $(foreach dir, $(BOARD_SECCOMP_POLICY), \

                     $(dir)/mediacodec-seccomp.policy))



include $(BUILD_SYSTEM)/base_rules.mk



$(LOCAL_BUILT_MODULE): $(LOCAL_SRC_FILES)

	@mkdir -p $(dir $@)

	$(hide) cat > $@ $^



endif

services/mediaextractor/Android.mk

+12 −5
Original line number Diff line number Diff line
@@ -11,10 +11,9 @@ include $(BUILD_SHARED_LIBRARY) 
# service executable

include $(CLEAR_VARS)

# seccomp filters are defined for the following architectures:

LOCAL_REQUIRED_MODULES_arm := mediaextractor-seccomp.policy

LOCAL_REQUIRED_MODULES_arm64 := mediaextractor-seccomp.policy

LOCAL_REQUIRED_MODULES_x86 := mediaextractor-seccomp.policy

# TODO add seccomp filter for x86_64.

LOCAL_REQUIRED_MODULES_arm := mediaextractor.policy

LOCAL_REQUIRED_MODULES_arm64 := mediaextractor.policy

LOCAL_REQUIRED_MODULES_x86 := mediaextractor.policy

LOCAL_SRC_FILES := main_extractorservice.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils \

    liblog libbase libicuuc libavservices_minijail
@@ -24,4 +23,12 @@ LOCAL_INIT_RC := mediaextractor.rc 
LOCAL_C_INCLUDES := frameworks/av/media/libmedia

include $(BUILD_EXECUTABLE)



include $(call all-makefiles-under, $(LOCAL_PATH))
 
# service seccomp filter

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86))

include $(CLEAR_VARS)

LOCAL_MODULE := mediaextractor.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy

LOCAL_SRC_FILES := seccomp_policy/mediaextractor-$(TARGET_ARCH).policy

include $(BUILD_PREBUILT)

endif