From fa046a1c9e24b1c9522d8606b9663c19dfa11640 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Wed, 28 Mar 2018 16:26:28 -0700
Subject: [PATCH] Fix seccomp filter set up in zygote

This needs to land with extra syscalls whitelisted, including capset and setresuid. These privileged syscalls are used in the setup after the filter is initialized.

Test: system starts, different apps run
Bug: 63944145
Bug: 76461821
Change-Id: I49e6b292805f35baffb3530461c8741e75aceb32
---
 core/jni/com_android_internal_os_Zygote.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp
index f1b736b16a4e..e5281ff9b624 100644
--- a/core/jni/com_android_internal_os_Zygote.cpp
+++ b/core/jni/com_android_internal_os_Zygote.cpp
@@ -260,7 +260,7 @@ static void SetUpSeccompFilter(uid_t uid) {
 }
 
 // Apply system or app filter based on uid.
- if (getuid() >= AID_APP_START) {
+ if (uid >= AID_APP_START) {
 set_app_seccomp_filter();
 } else {
 set_system_seccomp_filter();
@@ -619,11 +619,6 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
 fail_fn(CREATE_ERROR("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno)));
 }
 
- // Must be called when the new process still has CAP_SYS_ADMIN. The other alternative is to
- // call prctl(PR_SET_NO_NEW_PRIVS, 1) afterward, but that breaks SELinux domain transition (see
- // b/71859146).
- SetUpSeccompFilter(uid);
-
 // Keep capabilities across UID change, unless we're staying root.
 if (uid != 0) {
 if (!EnableKeepCapabilities(&error_msg)) {
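Review bot: Switching the condition from `getuid()` to the `uid` parameter is the right fix, but the comment above it still reads "based on uid" and does not say why the current uid cannot be used; since the filter is now installed before setresuid() (third hunk), the child is presumably still running as root at this point and `getuid()` would have selected the system filter for every app. Suggest `// Select the filter by the target uid, not getuid(): the filter is installed before setresuid(), so the process is still root here.` SetUpSeccompFilter begins and ends outside the hunk.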
@@ -697,6 +692,13 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
 fail_fn(CREATE_ERROR("setresgid(%d) failed: %s", gid, strerror(errno)));
 }
 
+ // Must be called when the new process still has CAP_SYS_ADMIN, in this case, before changing
+ // uid from 0, which clears capabilities. The other alternative is to call
+ // prctl(PR_SET_NO_NEW_PRIVS, 1) afterward, but that breaks SELinux domain transition (see
+ // b/71859146). As the result, privileged syscalls used below still need to be accessible in
+ // app process.
+ SetUpSeccompFilter(uid);
+
 rc = setresuid(uid, uid, uid);
 if (rc == -1) {
 fail_fn(CREATE_ERROR("setresuid(%d) failed: %s", uid, strerror(errno)));
-- 
2.11.0
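Review bot: The added comment says privileged syscalls used below "still need to be accessible in app process" without naming them, while the commit message does name setresuid and capset; because a seccomp filter cannot be removed once installed, the call site should state the dependency so the app-filter allowlist and this ordering stay in sync. Suggest appending `// Concretely, the app filter must permit setresuid() and capset(), which therefore remain callable for the life of the app process.` The phrase "changing uid from 0, which clears capabilities" is also a little loose given EnableKeepCapabilities() was called earlier (previous hunk): as I understand the kernel rules, keep-caps preserves the permitted set across the uid change but the effective set is still cleared, and an effective CAP_SYS_ADMIN is what installing a filter without no_new_privs requires, so `which clears the effective capability set` would be more precise. ForkAndSpecializeCommon continues outside the hunk on both sides.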