Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 03253b48 authored by Jeff Vander Stoep's avatar Jeff Vander Stoep
Browse files

configstore: sandbox with seccomp filter 

Configstore HAL is accessible to third party apps and thus requires
a tight sandbox that reflects the limited system access this HAL
needs.

We use two primary mechanisms to sandbox configstore, selinux and
seccomp, with the goal of restricting its access to userspace and
the kernel. The addition of a seccomp filter is primarily aimed
at reducing the kernel's attack surface that is reachable by
configstore HAL.

Seccomp filters are architecture dependent, so filters need to be
added for each architecture. This change adds a seccomp filter for
arm64 and issues a non-fatal runtime warning for other architectures
which still require a seccomp filter.

Bug: 36453956
Test: boot Marlin and Angler. Verify that configstore is not aborting
    due to seccomp violations.
Test: "cat proc/<configstore pid>/status | grep seccomp " returns:
    seccomp: 2
    Which indicates that configstore is using seccomp-bpf.

Change-Id: Iab014ff357b7329085a5e18a92f51838d2c72371
(cherry picked from commit ed95043d)
parent 43b3865a

configstore/1.1/default/Android.mk

+12 −0
Original line number Diff line number Diff line
@@ -3,6 +3,7 @@ LOCAL_PATH := $(call my-dir) 
################################################################################

include $(CLEAR_VARS)

LOCAL_MODULE := android.hardware.configstore@1.1-service

LOCAL_REQUIRED_MODULES_arm64 := configstore@1.1.policy

LOCAL_PROPRIETARY_MODULE := true

LOCAL_MODULE_CLASS := EXECUTABLES

LOCAL_MODULE_RELATIVE_PATH := hw
@@ -17,7 +18,18 @@ LOCAL_SHARED_LIBRARIES := \ 
    libhidlbase \

    libhidltransport \

    libbase \

    libhwminijail \

    liblog \

    libutils \



include $(BUILD_EXECUTABLE)



# seccomp filter for configstore

ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm64))

include $(CLEAR_VARS)

LOCAL_MODULE := configstore@1.1.policy

LOCAL_MODULE_CLASS := ETC

LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/seccomp_policy

LOCAL_SRC_FILES := seccomp_policy/configstore@1.1-$(TARGET_ARCH).policy

include $(BUILD_PREBUILT)

endif

configstore/1.1/default/seccomp_policy/configstore@1.1-arm64.policy

0 → 100644
+40 −0
Original line number Diff line number Diff line 
# Copyright (C) 2017 The Android Open Source Project

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#      http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.



futex: 1

# ioctl: arg1 == BINDER_WRITE_READ

ioctl: arg1 == 0xc0306201

ioctl: 1

# prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_VMA || arg0 == PR_SET_TIMERSLACK

prctl: arg0 == 15 || arg0 == 0x53564d41 || arg0 == 29

openat: 1

mmap: 1

mprotect: 1

close: 1

getuid: 1

read: 1

faccessat: 1

write: 1

fstat: 1

clone: 1

munmap: 1

lseek: 1

sigaltstack: 1

writev: 1

setpriority: 1

restart_syscall: 1

exit: 1

exit_group: 1

rt_sigreturn: 1

getrlimit: 1

configstore/1.1/default/service.cpp

+4 −0
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ 


#include <android/hardware/configstore/1.1/ISurfaceFlingerConfigs.h>

#include <hidl/HidlTransportSupport.h>

#include <hwminijail/HardwareMinijail.h>



#include "SurfaceFlingerConfigs.h"
@@ -25,6 +26,7 @@ using android::hardware::configureRpcThreadpool; 
using android::hardware::joinRpcThreadpool;

using android::hardware::configstore::V1_1::ISurfaceFlingerConfigs;

using android::hardware::configstore::V1_1::implementation::SurfaceFlingerConfigs;

using android::hardware::SetupMinijail;

using android::sp;

using android::status_t;

using android::OK;
@@ -32,6 +34,8 @@ using android::OK; 
int main() {

    configureRpcThreadpool(10, true);



    SetupMinijail("/vendor/etc/seccomp_policy/configstore@1.1.policy");



    sp<ISurfaceFlingerConfigs> surfaceFlingerConfigs = new SurfaceFlingerConfigs;

    status_t status = surfaceFlingerConfigs->registerAsService();

    LOG_ALWAYS_FATAL_IF(status != OK, "Could not register ISurfaceFlingerConfigs");

minijail/Android.mk

0 → 100644
+14 −0
Original line number Diff line number Diff line 
LOCAL_PATH := $(call my-dir)



include $(CLEAR_VARS)

LOCAL_MODULE := libhwminijail

LOCAL_PROPRIETARY_MODULE := true

LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include

LOCAL_C_INCLUDES := $(LOCAL_PATH)/include

LOCAL_SRC_FILES := HardwareMinijail.cpp



LOCAL_SHARED_LIBRARIES := \

    libbase \

    libminijail_vendor



include $(BUILD_SHARED_LIBRARY)

minijail/HardwareMinijail.cpp

0 → 100644
+45 −0
Original line number Diff line number Diff line 
//

// Copyright (C) 2017 The Android Open Source Project

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//      http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

//



#include <android-base/logging.h>

#include <libminijail.h>



#include <hwminijail/HardwareMinijail.h>



namespace android {

namespace hardware {



void SetupMinijail(const std::string& seccomp_policy_path) {

    if (access(seccomp_policy_path.c_str(), R_OK) == -1) {

        LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path;

        return;

    }



    struct minijail* jail = minijail_new();

    if (jail == NULL) {

        LOG(FATAL) << "Failed to create minijail.";

    }



    minijail_no_new_privs(jail);

    minijail_log_seccomp_filter_failures(jail);

    minijail_use_seccomp_filter(jail);

    minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str());

    minijail_enter(jail);

    minijail_destroy(jail);

}



}  // namespace hardware

}  // namespace android