Commit Graph

6 Commits

Author SHA1 Message Date
Jaesoo Lee
712ee82162 configstore: configstore HAL uprev'ed to 1.1
This change provides a reference implementation of the configstore HAL
v1.1.

Bug: 69691076
Test: tested on walleye-userdebug
Change-Id: I68ee224bcbda64f6fef91e8a0f95adb32d504aad
2018-05-23 15:48:36 -07:00
Sundong Ahn
b162f3f8dd Configstore HAL is down-revisioned to 1.0
Configstore was up-revisioned from 1.0 to 1.1. However, no new
APIs were added to 1.1. Therefore configstore in master will be
down-revisioned to 1.0.

Bug: 71555815
Test: lshal | grep configstore
Test: "cat proc/<configstore pid>/status | grep Seccomp " returns:
    Seccomp: 2

Change-Id: I65d2dc06fbe12d0c0ccc020bbd287e0b14320f2f
2018-01-04 16:15:56 +09:00
TreeHugger Robot
cf3dd6faed Merge "configstore: sandbox with seccomp filter"
2017-08-07 21:07:57 +00:00
Jiyong Park
e786494ff3 Remove TODO comment for configstore threadpool size
No problem with current configuration has been reported.

Bug: 34857894
Test: not required
Change-Id: Ie23b234eccb2707323032e37b27b387eb96918e5
2017-07-14 10:53:26 +09:00
Jeff Vander Stoep
ed95043d64 configstore: sandbox with seccomp filter
Configstore HAL is accessible to third party apps and thus requires
a tight sandbox that reflects the limited system access this HAL
needs.

We use two primary mechanisms to sandbox configstore, selinux and
seccomp, with the goal of restricting its access to userspace and
the kernel. The addition of a seccomp filter is primarily aimed
at reducing the kernel's attack surface that is reachable by
configstore HAL.

Seccomp filters are architecture dependent, so filters need to be
added for each architecture. This change adds a seccomp filter for
arm64 and issues a non-fatal runtime warning for other architectures
which still require a seccomp filter.

Bug: 36453956
Test: boot Marlin and Angler. Verify that configstore is not aborting
    due to seccomp violations.
Test: "cat proc/<configstore pid>/status | grep seccomp " returns:
    seccomp: 2
    Which indicates that configstore is using seccomp-bpf.

Change-Id: Iab014ff357b7329085a5e18a92f51838d2c72371
2017-07-12 12:58:01 -07:00
Jaesoo Lee
812e85e126 configstore: configstore HAL is up-revisioned to 1.1
This change provides a reference implementation of the configstore HAL
v1.1.

Bug: 37727469
Test: Built sailfish-userdebug and configstore-1.1 works
Change-Id: I75e7fd1da8e90ae48d779a3ba28957c5a93a5529
2017-05-17 15:30:17 +09:00