
Commit ffad2adf authored by Paul Lawrence's avatar Paul Lawrence

Make seccomp honor setenforce

Note: This code is in frameworks, since we might want to have tools
linked against seccomp_policy that continue to enforce seccomp

Bug: 35950093
Test: Builds, Seccomp: 2 is in zygote & zygote64 status
      Run setenforce 0 && stop && start
      Seccomp: 0 is in zygote & zygote64 status

Change-Id: I797a6c29f58725f84089c570f784125fb99f57ce
parent 6ac19c0d
+2 −0
@@ -218,6 +218,8 @@ LOCAL_C_INCLUDES += \

LOCAL_STATIC_LIBRARIES := \
    libseccomp_policy \
    libselinux \
    libcrypto \

LOCAL_SHARED_LIBRARIES := \
    libmemtrack \
+7 −0
@@ -17,9 +17,16 @@
#include "core_jni_helpers.h"
#include "JniConstants.h"
#include "utils/Log.h"
#include <selinux/selinux.h>

#include "seccomp_policy.h"

static void Seccomp_setPolicy(JNIEnv* /*env*/) {
    if (security_getenforce() == 0) {
        ALOGI("seccomp disabled by setenforce 0");
        return;
    }

    if (!set_seccomp_filter()) {
        ALOGE("Failed to set seccomp policy - killing");
        exit(1);
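Review bot: The early return at the top of Seccomp_setPolicy reads the SELinux mode once and skips set_seccomp_filter() entirely, so the decision is latched for this process. As far as the visible lines show, a later `setenforce 1` does not bring the filter back until the process is restarted; that matches the stop/start step in the commit's test plan but is not stated in the code. security_getenforce() also returns -1 on failure, and the `== 0` comparison treats that as enforcing, which is the safe direction but looks accidental without a comment. I would add above the check `// Checked once at startup: permissive mode leaves this process unfiltered until it is restarted; a -1 error return falls through and installs the filter.` and log the skip with `ALOGW` rather than `ALOGI` so a disabled sandbox stands out in logcat. The function body continues past the end of the hunk.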