
Commit dcd14de5 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review

Merge "Use bionic's autogenerated whitelist policy"

parents d0fc3f13 04909121
+0 −91
@@ -65,11 +65,6 @@ inline static void Allow(filter& f) {

#pragma clang diagnostic pop

inline static void AllowSyscall(filter& f, __u32 num) {
    f.push_back(BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, num, 0, 1));
    Allow(f);
}

inline static void ExamineSyscall(filter& f) {
    f.push_back(BPF_STMT(BPF_LD|BPF_W|BPF_ABS, syscall_nr));
}
@@ -125,34 +120,6 @@ bool set_seccomp_filter() {
    // arm64-only filter - autogenerated from bionic syscall usage
    for (size_t i = 0; i < arm64_filter_size; ++i)
        f.push_back(arm64_filter[i]);

    // Syscalls needed to boot Android
    AllowSyscall(f, 41);  // __NR_pivot_root
    AllowSyscall(f, 31);  // __NR_ioprio_get
    AllowSyscall(f, 30);  // __NR_ioprio_set
    AllowSyscall(f, 178); // __NR_gettid
    AllowSyscall(f, 98);  // __NR_futex
    AllowSyscall(f, 220); // __NR_clone
    AllowSyscall(f, 139); // __NR_rt_sigreturn
    AllowSyscall(f, 240); // __NR_rt_tgsigqueueinfo
    AllowSyscall(f, 128); // __NR_restart_syscall
    AllowSyscall(f, 278); // __NR_getrandom

    // Needed for performance tools
    AllowSyscall(f, 241); // __NR_perf_event_open

    // Needed for strace
    AllowSyscall(f, 130); // __NR_tkill

    // Needed for kernel to restart syscalls
    AllowSyscall(f, 128); // __NR_restart_syscall

    // b/35034743
    AllowSyscall(f, 267); // __NR_syncfs

    // b/34763393
    AllowSyscall(f, 277); // __NR_seccomp

    Trap(f);

    if (SetValidateArchitectureJumpTarget(offset_to_32bit_filter, f) != 0)
@@ -164,64 +131,6 @@ bool set_seccomp_filter() {
    // arm32 filter - autogenerated from bionic syscall usage
    for (size_t i = 0; i < arm_filter_size; ++i)
        f.push_back(arm_filter[i]);

    // Syscalls needed to boot android
    AllowSyscall(f, 120); // __NR_clone
    AllowSyscall(f, 240); // __NR_futex
    AllowSyscall(f, 119); // __NR_sigreturn
    AllowSyscall(f, 173); // __NR_rt_sigreturn
    AllowSyscall(f, 363); // __NR_rt_tgsigqueueinfo
    AllowSyscall(f, 224); // __NR_gettid

    // Syscalls needed to run Chrome
    AllowSyscall(f, 383); // __NR_seccomp - needed to start Chrome
    AllowSyscall(f, 384); // __NR_getrandom - needed to start Chrome

    // Syscalls needed to run GFXBenchmark
    AllowSyscall(f, 190); // __NR_vfork

    // Needed for strace
    AllowSyscall(f, 238); // __NR_tkill

    // Needed for kernel to restart syscalls
    AllowSyscall(f, 0);   // __NR_restart_syscall

    // Needed for debugging 32-bit Chrome
    AllowSyscall(f, 42);  // __NR_pipe

    // b/34732712
    AllowSyscall(f, 364); // __NR_perf_event_open

    // b/34651972
    AllowSyscall(f, 33);  // __NR_access
    AllowSyscall(f, 195); // __NR_stat64

    // b/34813887
    AllowSyscall(f, 5);   // __NR_open
    AllowSyscall(f, 141); // __NR_getdents
    AllowSyscall(f, 217); // __NR_getdents64

    // b/34719286
    AllowSyscall(f, 351); // __NR_eventfd

    // b/34817266
    AllowSyscall(f, 252); // __NR_epoll_wait

    // Needed by sanitizers (b/34606909)
    // 5 (__NR_open) and 195 (__NR_stat64) are also required, but they are
    // already allowed.
    AllowSyscall(f, 85);  // __NR_readlink

    // b/34908783
    AllowSyscall(f, 250); // __NR_epoll_create

    // b/34979910
    AllowSyscall(f, 8);   // __NR_creat
    AllowSyscall(f, 10);  // __NR_unlink

    // b/35059702
    AllowSyscall(f, 196); // __NR_lstat64

    Trap(f);

    return install_filter(f);