executor: add seccomp support for Android

This adds support for the seccomp filters that are part of Android into
the sandbox.  A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run.  This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process.  The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.

1 files changed, 111 insertions, 0 deletions

diff --git a/executor/android/android_seccomp.h b/executor/android/android_seccomp.h
new file mode 100644
index 000000000..21fd723e3
--- /dev/null
+++ b/executor/android/android_seccomp.h
@@ -0,0 +1,111 @@
+// Copyright 2016 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// These headers are generated by the Android build system and need to be updated periodically.
+#if GOARCH_arm64
+#define PRIMARY_ARCH AUDIT_ARCH_AARCH64
+#include "arm64_app_policy.h"
+static const struct sock_filter* primary_app_filter = arm64_app_filter;
+static const size_t primary_app_filter_size = arm64_app_filter_size;
+// We need 3 for ValidateArchitecture and 1 for ExamineSyscall and 4 for ValidateArchitectureAndJumpIfNeeded + 2 extra Disallow
+#define kFilterMaxSize (arm64_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_arm
+#define PRIMARY_ARCH AUDIT_ARCH_ARM
+#include "arm_app_policy.h"
+static const struct sock_filter* primary_app_filter = arm_app_filter;
+static const size_t primary_app_filter_size = arm_app_filter_size;
+#define kFilterMaxSize (arm_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_amd64
+#define PRIMARY_ARCH AUDIT_ARCH_X86_64
+#include "x86_64_app_policy.h"
+static const struct sock_filter* primary_app_filter = x86_64_app_filter;
+static const size_t primary_app_filter_size = x86_64_app_filter_size;
+#define kFilterMaxSize (x86_64_app_filter_size + 3 + 1 + 4 + 2)
+
+#elif GOARCH_386
+#define PRIMARY_ARCH AUDIT_ARCH_I386
+#include "x86_app_policy.h"
+static const struct sock_filter* primary_app_filter = x86_app_filter;
+static const size_t primary_app_filter_size = x86_app_filter_size;
+#define kFilterMaxSize (x86_app_filter_size + 3 + 1 + 4 + 2)
+
+#else
+#error No architecture was defined!
+#endif
+
+#define syscall_nr (offsetof(struct seccomp_data, nr))
+#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
+#define arch_nr (offsetof(struct seccomp_data, arch))
+
+
+typedef struct Filter_t {
+	struct sock_filter data[kFilterMaxSize];
+	size_t count;
+} Filter;
+
+inline void push_back(Filter* filter_array, struct sock_filter filter)
+{
+	if (filter_array->count == kFilterMaxSize)
+		fail("Can't add another syscall to seccomp filter: count %zu.", filter_array->count);
+	filter_array->data[filter_array->count++] = filter;
+}
+
+inline void Disallow(Filter* f)
+{
+	struct sock_filter filter = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP);
+	push_back(f, filter);
+}
+
+static void ExamineSyscall(Filter* f)
+{
+    struct sock_filter filter = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr);
+	push_back(f, filter);
+}
+
+static void ValidateArchitecture(Filter* f)
+{
+    struct sock_filter filter1 = BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arch_nr);
+    struct sock_filter filter2 = BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PRIMARY_ARCH, 1, 0);
+	push_back(f, filter1);
+	push_back(f, filter2);
+	Disallow(f);
+}
+
+// Modified from the orignal Android code to fail instead of return.
+static void install_filter(const Filter* f)
+{
+	struct sock_fprog prog = {
+		(unsigned short)f->count,
+		(struct sock_filter*)&f->data[0],
+	};
+	// This assumes either the current process has CAP_SYS_ADMIN, or PR_SET_NO_NEW_PRIVS bit is set.
+	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
+		fail("Could not set seccomp filter of size %zu", f->count);
+	}
+}
+
+// Modified from the orignal Android code as we don't need dual arch support
+void set_app_seccomp_filter()
+{
+	const struct sock_filter *p;
+	size_t p_size;
+	Filter f;
+	f.count = 0;
+
+	p = primary_app_filter;
+	p_size = primary_app_filter_size;
+
+	ValidateArchitecture(&f);
+
+	ExamineSyscall(&f);
+
+	for (size_t i = 0; i < p_size; ++i) {
+		push_back(&f, p[i]);
+	}
+	Disallow(&f);
+
+	// Will fail() if anything fails.
+	install_filter(&f);
+}