ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "init: add support for global seccomp boot option" am: 9f1980e2fc

Browse source 
am: 5a79972238

Change-Id: Ide7500d4ff4d9eebf2fea1d81ff77044a6d63c57
This commit is contained in:
Steve Muckle 2017-07-25 20:30:30 +00:00 committed by android-build-merger
commit eb7db75c28
2 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
init/Android.mk
View file

@ -77,6 +77,7 @@ LOCAL_STATIC_LIBRARIES := \
libcutils \ libcutils \
libbase \ libbase \
libc \ libc \
libseccomp_policy \
libselinux \ libselinux \
liblog \ liblog \
libcrypto_utils \ libcrypto_utils \

13
init/init.cpp
View file

@ -23,6 +23,7 @@
#include <inttypes.h> #include <inttypes.h>
#include <libgen.h> #include <libgen.h>
#include <paths.h> #include <paths.h>
#include <seccomp_policy.h>
#include <signal.h> #include <signal.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
@ -554,6 +555,15 @@ static int queue_property_triggers_action(const std::vector<std::string>& args)
return 0; return 0;
} }
static void global_seccomp() {
import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool in_qemu) {
if (key == "androidboot.seccomp" && value == "global" && !set_global_seccomp_filter()) {
LOG(ERROR) << "Failed to globally enable seccomp!";
panic();
}
});
}
static void selinux_init_all_handles(void) static void selinux_init_all_handles(void)
{ {
sehandle = selinux_android_file_context_handle(); sehandle = selinux_android_file_context_handle();
@ -1035,6 +1045,9 @@ int main(int argc, char** argv) {
SetInitAvbVersionInRecovery(); SetInitAvbVersionInRecovery();
// Enable seccomp if global boot option was passed (otherwise it is enabled in zygote).
global_seccomp();
// Set up SELinux, loading the SELinux policy. // Set up SELinux, loading the SELinux policy.
selinux_initialize(true); selinux_initialize(true);