Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 95bab28c authored by Jeff Vander Stoep's avatar Jeff Vander Stoep
Browse files

mediaex: add seccomp filter for x86 

Filter organized by frequency of syscall for optimal performance.

Change-Id: Ib774cd8e2cca9f2de50caefca7d7f09eeaa371f6
parent 6f6376b9

services/mediaextractor/Android.mk

+1 −0
Original line number Diff line number Diff line
@@ -12,6 +12,7 @@ include $(BUILD_SHARED_LIBRARY) 
# service executable

include $(CLEAR_VARS)

LOCAL_REQUIRED_MODULES_arm := mediaextractor-seccomp.policy

LOCAL_REQUIRED_MODULES_x86 := mediaextractor-seccomp.policy

LOCAL_SRC_FILES := main_extractorservice.cpp minijail/minijail.cpp

LOCAL_SHARED_LIBRARIES := libmedia libmediaextractorservice libbinder libutils liblog libicuuc libminijail

LOCAL_STATIC_LIBRARIES := libicuandroid_utils

services/mediaextractor/minijail/Android.mk

+1 −1
Original line number Diff line number Diff line 
LOCAL_PATH := $(call my-dir)



ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86 x86_64))

include $(CLEAR_VARS)

LOCAL_MODULE := mediaextractor-seccomp.policy

LOCAL_MODULE_CLASS := ETC

services/mediaextractor/minijail/seccomp_policy/mediaextractor-seccomp-x86.policy

0 → 100644
+30 −0
Original line number Diff line number Diff line 
# Organized by frequency of systemcall - in descending order for

# best performance.

ioctl: 1

futex: 1

prctl: 1

write: 1

getpriority: 1

close: 1

dup: 1

munmap: 1

mmap2: 1

madvise: 1

openat: 1

clock_gettime: 1

writev: 1

brk: 1

mprotect: 1

read: 1

lseek: 1

getuid32: 1

clone: 1

setpriority: 1

sigaltstack: 1

fstatat64: 1

fstat64: 1

restart_syscall: 1

exit: 1

exit_group: 1

rt_sigreturn: 1

faccessat: 1