Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bc130e4f authored by Christopher Ferris's avatar Christopher Ferris
Browse files

Add no mmap/mprotect/prctl policy files. 

The mediaswcodec process requires a less restrictive policy for
mmap/mprotect/prctl. Since the policy files have no flow control, generate
versions of the policies that can be included but only do not have
the mmap/mprotect/prctl rules.

Flag: EXEMPT refactor

Test: Ran debuggerd <PID_OF_media.swcodec> on arm device.
Test: Ran debuggerd <PID_OF_media.swcodec> on arm64 device.
Test: Ran debuggerd <PID_OF_media.swcodec> on riscv64 emulator.
Test: Ran debuggerd <PID_OF_media.swcodec> on x86 emulator.
Test: Ran debuggerd <PID_OF_media.swcodec> on x86_64 emulator.
Change-Id: I3b611a5a0be1cb0bf53295209fc9e8e956f8392a
parent 320aec9e

debuggerd/Android.bp

+58 −0
Original line number Diff line number Diff line
@@ -581,6 +581,41 @@ prebuilt_etc { 
    },

}



prebuilt_etc {

    name: "crash_dump.no_mmap_mprotect_prctl.policy",

    sub_dir: "seccomp_policy",

    filename_from_src: true,

    arch: {

        arm: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.arm.policy",

            required: [

                "crash_dump.policy_no_mmap_mprotect_prctl_other",

            ],

        },

        arm64: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.arm64.policy",

            required: [

                "crash_dump.policy_no_mmap_mprotect_prctl_other",

            ],

        },

        riscv64: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.riscv64.policy",

        },

        x86: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.x86.policy",

            required: [

                "crash_dump.policy_no_mmap_mprotect_prctl_other",

            ],

        },

        x86_64: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.x86_64.policy",

            required: [

                "crash_dump.policy_no_mmap_mprotect_prctl_other",

            ],

        },

    },

}



// This installs the "other" architecture (so 32-bit on 64-bit device).

prebuilt_etc {

    name: "crash_dump.policy_other",
@@ -604,3 +639,26 @@ prebuilt_etc { 
        },

    },

}



prebuilt_etc {

    name: "crash_dump.policy_no_mmap_mprotect_prctl_other",

    sub_dir: "seccomp_policy",

    filename_from_src: true,

    arch: {

        arm: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.arm64.policy",

        },

        arm64: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.arm.policy",

        },

        riscv64: {

            enabled: false,

        },

        x86: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.x86_64.policy",

        },

        x86_64: {

            src: "seccomp_policy/crash_dump.no_mmap_mprotect_prctl.x86.policy",

        },

    },

}

debuggerd/seccomp_policy/crash_dump.arm.policy

+7 −2
Original line number Diff line number Diff line 
# This file was auto-generated for the architecture arm.

# Do not modify this file directly.

# To regenerate all policy files run:

#   cd system/core/debuggerd/seccomp_policy

#   ./generate.sh

read: 1

write: 1

exit: 1
@@ -27,13 +32,13 @@ tgkill: 1 
rt_sigprocmask: 1

rt_sigaction: 1

rt_tgsigqueueinfo: 1

mmap2: arg2 in 0x1|0x2

mprotect: arg2 in 0x1|0x2

prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41

madvise: 1

mprotect: arg2 in 0x1|0x2

munmap: 1

getuid32: 1

fstat64: 1

mmap2: arg2 in 0x1|0x2

geteuid32: 1

getgid32: 1

getegid32: 1

debuggerd/seccomp_policy/crash_dump.arm64.policy

+7 −2
Original line number Diff line number Diff line 
# This file was auto-generated for the architecture arm64.

# Do not modify this file directly.

# To regenerate all policy files run:

#   cd system/core/debuggerd/seccomp_policy

#   ./generate.sh

read: 1

write: 1

exit: 1
@@ -26,13 +31,13 @@ tgkill: 1 
rt_sigprocmask: 1

rt_sigaction: 1

rt_tgsigqueueinfo: 1

mmap: arg2 in 0x1|0x2|0x20

mprotect: arg2 in 0x1|0x2|0x20

prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41 || arg0 == PR_PAC_RESET_KEYS || arg0 == 56 || arg0 == 61

madvise: 1

mprotect: arg2 in 0x1|0x2|0x20

munmap: 1

getuid: 1

fstat: 1

mmap: arg2 in 0x1|0x2|0x20

geteuid: 1

getgid: 1

getegid: 1

debuggerd/seccomp_policy/crash_dump.no_mmap_mprotect_prctl.arm.policy

0 → 100644
+42 −0
Original line number Diff line number Diff line 
# This file was auto-generated for the architecture arm.

# Do not modify this file directly.

# To regenerate all policy files run:

#   cd system/core/debuggerd/seccomp_policy

#   ./generate.sh

read: 1

write: 1

exit: 1

rt_sigreturn: 1

sigreturn: 1

exit_group: 1

clock_gettime: 1

gettimeofday: 1

futex: 1

getrandom: 1

getpid: 1

gettid: 1

ppoll: 1

pipe2: 1

openat: 1

dup: 1

close: 1

lseek: 1

getdents64: 1

faccessat: 1

recvmsg: 1

recvfrom: 1

setsockopt: 1

sysinfo: 1

process_vm_readv: 1

tgkill: 1

rt_sigprocmask: 1

rt_sigaction: 1

rt_tgsigqueueinfo: 1

madvise: 1

munmap: 1

getuid32: 1

fstat64: 1

geteuid32: 1

getgid32: 1

getegid32: 1

getgroups32: 1

debuggerd/seccomp_policy/crash_dump.no_mmap_mprotect_prctl.arm64.policy

0 → 100644
+41 −0
Original line number Diff line number Diff line 
# This file was auto-generated for the architecture arm64.

# Do not modify this file directly.

# To regenerate all policy files run:

#   cd system/core/debuggerd/seccomp_policy

#   ./generate.sh

read: 1

write: 1

exit: 1

rt_sigreturn: 1

exit_group: 1

clock_gettime: 1

gettimeofday: 1

futex: 1

getrandom: 1

getpid: 1

gettid: 1

ppoll: 1

pipe2: 1

openat: 1

dup: 1

close: 1

lseek: 1

getdents64: 1

faccessat: 1

recvmsg: 1

recvfrom: 1

setsockopt: 1

sysinfo: 1

process_vm_readv: 1

tgkill: 1

rt_sigprocmask: 1

rt_sigaction: 1

rt_tgsigqueueinfo: 1

madvise: 1

munmap: 1

getuid: 1

fstat: 1

geteuid: 1

getgid: 1

getegid: 1

getgroups: 1