Loading configstore/1.1/default/Android.mk +12 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,7 @@ LOCAL_PATH := $(call my-dir) ################################################################################ include $(CLEAR_VARS) LOCAL_MODULE := android.hardware.configstore@1.1-service LOCAL_REQUIRED_MODULES_arm64 := configstore@1.1.policy LOCAL_PROPRIETARY_MODULE := true LOCAL_MODULE_CLASS := EXECUTABLES LOCAL_MODULE_RELATIVE_PATH := hw Loading @@ -17,7 +18,18 @@ LOCAL_SHARED_LIBRARIES := \ libhidlbase \ libhidltransport \ libbase \ libhwminijail \ liblog \ libutils \ include $(BUILD_EXECUTABLE) # seccomp filter for configstore ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm64)) include $(CLEAR_VARS) LOCAL_MODULE := configstore@1.1.policy LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/seccomp_policy LOCAL_SRC_FILES := seccomp_policy/configstore@1.1-$(TARGET_ARCH).policy include $(BUILD_PREBUILT) endif configstore/1.1/default/seccomp_policy/configstore@1.1-arm64.policy 0 → 100644 +40 −0 Original line number Diff line number Diff line # Copyright (C) 2017 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. futex: 1 # ioctl: arg1 == BINDER_WRITE_READ ioctl: arg1 == 0xc0306201 ioctl: 1 # prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_VMA || arg0 == PR_SET_TIMERSLACK prctl: arg0 == 15 || arg0 == 0x53564d41 || arg0 == 29 openat: 1 mmap: 1 mprotect: 1 close: 1 getuid: 1 read: 1 faccessat: 1 write: 1 fstat: 1 clone: 1 munmap: 1 lseek: 1 sigaltstack: 1 writev: 1 setpriority: 1 restart_syscall: 1 exit: 1 exit_group: 1 rt_sigreturn: 1 getrlimit: 1 configstore/1.1/default/service.cpp +4 −0 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ #include <android/hardware/configstore/1.1/ISurfaceFlingerConfigs.h> #include <hidl/HidlTransportSupport.h> #include <hwminijail/HardwareMinijail.h> #include "SurfaceFlingerConfigs.h" Loading @@ -25,6 +26,7 @@ using android::hardware::configureRpcThreadpool; using android::hardware::joinRpcThreadpool; using android::hardware::configstore::V1_1::ISurfaceFlingerConfigs; using android::hardware::configstore::V1_1::implementation::SurfaceFlingerConfigs; using android::hardware::SetupMinijail; using android::sp; using android::status_t; using android::OK; Loading @@ -32,6 +34,8 @@ using android::OK; int main() { configureRpcThreadpool(10, true); SetupMinijail("/vendor/etc/seccomp_policy/configstore@1.1.policy"); sp<ISurfaceFlingerConfigs> surfaceFlingerConfigs = new SurfaceFlingerConfigs; status_t status = surfaceFlingerConfigs->registerAsService(); LOG_ALWAYS_FATAL_IF(status != OK, "Could not register ISurfaceFlingerConfigs"); Loading minijail/Android.mk 0 → 100644 +14 −0 Original line number Diff line number Diff line LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) LOCAL_MODULE := libhwminijail LOCAL_PROPRIETARY_MODULE := true LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include LOCAL_C_INCLUDES := $(LOCAL_PATH)/include LOCAL_SRC_FILES := HardwareMinijail.cpp LOCAL_SHARED_LIBRARIES := \ libbase \ libminijail_vendor include $(BUILD_SHARED_LIBRARY) minijail/HardwareMinijail.cpp 0 → 100644 +45 −0 Original line number Diff line number Diff line // // Copyright (C) 2017 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #include <android-base/logging.h> #include <libminijail.h> #include <hwminijail/HardwareMinijail.h> namespace android { namespace hardware { void SetupMinijail(const std::string& seccomp_policy_path) { if (access(seccomp_policy_path.c_str(), R_OK) == -1) { LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path; return; } struct minijail* jail = minijail_new(); if (jail == NULL) { LOG(FATAL) << "Failed to create minijail."; } minijail_no_new_privs(jail); minijail_log_seccomp_filter_failures(jail); minijail_use_seccomp_filter(jail); minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str()); minijail_enter(jail); minijail_destroy(jail); } } // namespace hardware } // namespace android Loading
configstore/1.1/default/Android.mk +12 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,7 @@ LOCAL_PATH := $(call my-dir) ################################################################################ include $(CLEAR_VARS) LOCAL_MODULE := android.hardware.configstore@1.1-service LOCAL_REQUIRED_MODULES_arm64 := configstore@1.1.policy LOCAL_PROPRIETARY_MODULE := true LOCAL_MODULE_CLASS := EXECUTABLES LOCAL_MODULE_RELATIVE_PATH := hw Loading @@ -17,7 +18,18 @@ LOCAL_SHARED_LIBRARIES := \ libhidlbase \ libhidltransport \ libbase \ libhwminijail \ liblog \ libutils \ include $(BUILD_EXECUTABLE) # seccomp filter for configstore ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm64)) include $(CLEAR_VARS) LOCAL_MODULE := configstore@1.1.policy LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/seccomp_policy LOCAL_SRC_FILES := seccomp_policy/configstore@1.1-$(TARGET_ARCH).policy include $(BUILD_PREBUILT) endif
configstore/1.1/default/seccomp_policy/configstore@1.1-arm64.policy 0 → 100644 +40 −0 Original line number Diff line number Diff line # Copyright (C) 2017 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. futex: 1 # ioctl: arg1 == BINDER_WRITE_READ ioctl: arg1 == 0xc0306201 ioctl: 1 # prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_VMA || arg0 == PR_SET_TIMERSLACK prctl: arg0 == 15 || arg0 == 0x53564d41 || arg0 == 29 openat: 1 mmap: 1 mprotect: 1 close: 1 getuid: 1 read: 1 faccessat: 1 write: 1 fstat: 1 clone: 1 munmap: 1 lseek: 1 sigaltstack: 1 writev: 1 setpriority: 1 restart_syscall: 1 exit: 1 exit_group: 1 rt_sigreturn: 1 getrlimit: 1
configstore/1.1/default/service.cpp +4 −0 Original line number Diff line number Diff line Loading @@ -18,6 +18,7 @@ #include <android/hardware/configstore/1.1/ISurfaceFlingerConfigs.h> #include <hidl/HidlTransportSupport.h> #include <hwminijail/HardwareMinijail.h> #include "SurfaceFlingerConfigs.h" Loading @@ -25,6 +26,7 @@ using android::hardware::configureRpcThreadpool; using android::hardware::joinRpcThreadpool; using android::hardware::configstore::V1_1::ISurfaceFlingerConfigs; using android::hardware::configstore::V1_1::implementation::SurfaceFlingerConfigs; using android::hardware::SetupMinijail; using android::sp; using android::status_t; using android::OK; Loading @@ -32,6 +34,8 @@ using android::OK; int main() { configureRpcThreadpool(10, true); SetupMinijail("/vendor/etc/seccomp_policy/configstore@1.1.policy"); sp<ISurfaceFlingerConfigs> surfaceFlingerConfigs = new SurfaceFlingerConfigs; status_t status = surfaceFlingerConfigs->registerAsService(); LOG_ALWAYS_FATAL_IF(status != OK, "Could not register ISurfaceFlingerConfigs"); Loading
minijail/Android.mk 0 → 100644 +14 −0 Original line number Diff line number Diff line LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) LOCAL_MODULE := libhwminijail LOCAL_PROPRIETARY_MODULE := true LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include LOCAL_C_INCLUDES := $(LOCAL_PATH)/include LOCAL_SRC_FILES := HardwareMinijail.cpp LOCAL_SHARED_LIBRARIES := \ libbase \ libminijail_vendor include $(BUILD_SHARED_LIBRARY)
minijail/HardwareMinijail.cpp 0 → 100644 +45 −0 Original line number Diff line number Diff line // // Copyright (C) 2017 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #include <android-base/logging.h> #include <libminijail.h> #include <hwminijail/HardwareMinijail.h> namespace android { namespace hardware { void SetupMinijail(const std::string& seccomp_policy_path) { if (access(seccomp_policy_path.c_str(), R_OK) == -1) { LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path; return; } struct minijail* jail = minijail_new(); if (jail == NULL) { LOG(FATAL) << "Failed to create minijail."; } minijail_no_new_privs(jail); minijail_log_seccomp_filter_failures(jail); minijail_use_seccomp_filter(jail); minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str()); minijail_enter(jail); minijail_destroy(jail); } } // namespace hardware } // namespace android
