Merge "configstore: sandbox with seccomp filter"

configstore/1.1/default/Android.mk

@@ -3,6 +3,7 @@ LOCAL_PATH := $(call my-dir)
 ################################################################################
 include $(CLEAR_VARS)
 LOCAL_MODULE := android.hardware.configstore@1.1-service
+LOCAL_REQUIRED_MODULES_arm64 := configstore@1.1.policy
 LOCAL_PROPRIETARY_MODULE := true
 LOCAL_MODULE_CLASS := EXECUTABLES
 LOCAL_MODULE_RELATIVE_PATH := hw
@@ -17,7 +18,18 @@ LOCAL_SHARED_LIBRARIES := \
     libhidlbase \
     libhidltransport \
     libbase \
+    libhwminijail \
     liblog \
     libutils \
 
 include $(BUILD_EXECUTABLE)
+
+# seccomp filter for configstore
+ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm64))
+include $(CLEAR_VARS)
+LOCAL_MODULE := configstore@1.1.policy
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/seccomp_policy
+LOCAL_SRC_FILES := seccomp_policy/configstore@1.1-$(TARGET_ARCH).policy
+include $(BUILD_PREBUILT)
+endif

configstore/1.1/default/seccomp_policy/configstore@1.1-arm64.policy

@@ -0,0 +1,40 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+futex: 1
+# ioctl: arg1 == BINDER_WRITE_READ
+ioctl: arg1 == 0xc0306201
+ioctl: 1
+# prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_VMA || arg0 == PR_SET_TIMERSLACK
+prctl: arg0 == 15 || arg0 == 0x53564d41 || arg0 == 29
+openat: 1
+mmap: 1
+mprotect: 1
+close: 1
+getuid: 1
+read: 1
+faccessat: 1
+write: 1
+fstat: 1
+clone: 1
+munmap: 1
+lseek: 1
+sigaltstack: 1
+writev: 1
+setpriority: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+getrlimit: 1

configstore/1.1/default/service.cpp

@@ -18,6 +18,7 @@
 
 #include <android/hardware/configstore/1.1/ISurfaceFlingerConfigs.h>
 #include <hidl/HidlTransportSupport.h>
+#include <hwminijail/HardwareMinijail.h>
 
 #include "SurfaceFlingerConfigs.h"
 
@@ -25,6 +26,7 @@ using android::hardware::configureRpcThreadpool;
 using android::hardware::joinRpcThreadpool;
 using android::hardware::configstore::V1_1::ISurfaceFlingerConfigs;
 using android::hardware::configstore::V1_1::implementation::SurfaceFlingerConfigs;
+using android::hardware::SetupMinijail;
 using android::sp;
 using android::status_t;
 using android::OK;
@@ -32,6 +34,8 @@ using android::OK;
 int main() {
     configureRpcThreadpool(10, true);
 
+    SetupMinijail("/vendor/etc/seccomp_policy/configstore@1.1.policy");
+
     sp<ISurfaceFlingerConfigs> surfaceFlingerConfigs = new SurfaceFlingerConfigs;
     status_t status = surfaceFlingerConfigs->registerAsService();
     LOG_ALWAYS_FATAL_IF(status != OK, "Could not register ISurfaceFlingerConfigs");

minijail/Android.mk

@@ -0,0 +1,14 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libhwminijail
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include
+LOCAL_SRC_FILES := HardwareMinijail.cpp
+
+LOCAL_SHARED_LIBRARIES := \
+    libbase \
+    libminijail_vendor
+
+include $(BUILD_SHARED_LIBRARY)

minijail/HardwareMinijail.cpp

@@ -0,0 +1,45 @@
+//
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include <android-base/logging.h>
+#include <libminijail.h>
+
+#include <hwminijail/HardwareMinijail.h>
+
+namespace android {
+namespace hardware {
+
+void SetupMinijail(const std::string& seccomp_policy_path) {
+    if (access(seccomp_policy_path.c_str(), R_OK) == -1) {
+        LOG(WARNING) << "Could not find seccomp policy file at: " << seccomp_policy_path;
+        return;
+    }
+
+    struct minijail* jail = minijail_new();
+    if (jail == NULL) {
+        LOG(FATAL) << "Failed to create minijail.";
+    }
+
+    minijail_no_new_privs(jail);
+    minijail_log_seccomp_filter_failures(jail);
+    minijail_use_seccomp_filter(jail);
+    minijail_parse_seccomp_filters(jail, seccomp_policy_path.c_str());
+    minijail_enter(jail);
+    minijail_destroy(jail);
+}
+
+}  // namespace hardware
+}  // namespace android

minijail/include/hwminijail/HardwareMinijail.h

@@ -0,0 +1,30 @@
+//
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H
+#define ANDROID_HARDWARE_CONFIGSTORE_MINIJAIL_H
+
+#include <string>
+
+namespace android {
+namespace hardware {
+
+void SetupMinijail(const std::string& seccomp_policy_path);
+
+}  // namespace hardware
+}  // namespace android
+
+#endif  // ANDROID_HARDWARE_CONFIGSTORE_UTILS_H