Reland: Move zygote's seccomp setup to post-fork
Before this change, seccomp filter setup is as early as in zygote's main function. To make it possible to split app and system server's filter, this postpones the setup to after fork. It also starts to call app specific and system server specific setup functions.

The filter setup is done in Zygote's ForkAndSpecializeCommon. This is because adding a seccomp filter must be done when either the caller has CAP_SYS_ADMIN or after the PR_SET_NO_NEW_PRIVS bit is set. Given that setting PR_SET_NO_NEW_PRIVS breaks SELinux domain transition (b/71859146), this must be done after Zygote forks but before CAP_SYS_ADMIN is dropped.

Test: (cts) -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Test: no selinux denial flood in dmesg with selinux enforced
Test: debuggerd -b `pidof com.android.phone` # logcat shows tombstoned received crash request
Bug: 63944145
Bug: 71859146
Change-Id: I8215c8530d3d0de504a270488f8e29635805e8b0
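The kernel rule that fixes where the filter can be installed (the caller needs CAP_SYS_ADMIN or the no_new_privs bit), shown as an added example that is not part of this commit or of zygote's code. The allow-all filter and the names `install_allow_all` and `probe_filter_install` are constructed for illustration; each probe runs in a forked child so the calling process is left unfiltered.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed allow-all filter: a single BPF instruction returning ALLOW, so
 * the probe changes no behaviour and only exercises the install-time check. */
static int install_allow_all(void) {
    struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : errno;
}

/* Fork, optionally set no_new_privs in the child, then try to install the
 * filter there. Returns 0 on success, the child's errno on failure, or -1
 * if the probe itself could not run. */
int probe_filter_install(int set_no_new_privs) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (set_no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(errno);
        _exit(install_allow_all());
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int plain = probe_filter_install(0);
    int nnp = probe_filter_install(1);
    /* plain == 0 means the caller holds CAP_SYS_ADMIN; EACCES means it has
     * neither CAP_SYS_ADMIN nor no_new_privs, so the kernel refuses. */
    printf("no_new_privs unset: %s\n", plain ? strerror(plain) : "filter installed");
    printf("no_new_privs set:   %s\n", nnp ? strerror(nnp) : "filter installed");
    return 0;
}
```

Run unprivileged, the first probe reports "Permission denied"; with CAP_SYS_ADMIN still held, it installs without no_new_privs.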