From e103bc9e1bb4453045c4795f9a10a671e72b1aba Mon Sep 17 00:00:00 2001
From: mspectorgoogle
Date: Wed, 11 Mar 2020 03:21:36 -0700
Subject: executor: add seccomp support for Android

This adds support for the seccomp filters that are part of Android into the sandbox. A process running as untrusted_app in Android has a restricted set of syscalls that it is allow to run. This is accomplished by setting seccomp filters in the zygote process prior to forking into the application process. The seccomp filter list comes directly from the Android source, it cannot be dynamically loaded from an Android phone because libseccomp_policy.so does not exist as a library on the system partition.
---
 pkg/csource/gen.go | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

(limited to 'pkg/csource/gen.go')

diff --git a/pkg/csource/gen.go b/pkg/csource/gen.go
index 3a857ed93..773676e95 100644
--- a/pkg/csource/gen.go
+++ b/pkg/csource/gen.go
@@ -23,7 +23,7 @@ func main() {
 if err != nil {
 failf("%v", err)
 }
- for _, include := range []string{
+ executorFilenames := []string{
 "common_linux.h",
 "common_akaros.h",
 "common_bsd.h",
@@ -33,19 +33,18 @@ func main() {
 "common_kvm_amd64.h",
 "common_kvm_arm64.h",
 "common_usb.h",
+ "android/android_seccomp.h",
 "kvm.h",
 "kvm.S.h",
- } {
- contents, err := ioutil.ReadFile("../../executor/" + include)
- if err != nil {
- failf("%v", err)
- }
- replace := []byte("#include \"" + include + "\"")
- if bytes.Index(data, replace) == -1 {
- failf("can't fine %v include", include)
- }
- data = bytes.Replace(data, replace, contents, -1)
 }
+ data = replaceIncludes(executorFilenames, "../../executor/", data)
+ androidFilenames := []string{
+ "arm64_app_policy.h",
+ "arm_app_policy.h",
+ "x86_64_app_policy.h",
+ "x86_app_policy.h",
+ }
+ data = replaceIncludes(androidFilenames, "../../executor/android/", data)
 for _, remove := range []string{
 "(\n|^)\\s*//.*",
 "\\s*//.*",
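Review bot: The two replaceIncludes calls at the end of the second hunk are order-dependent but nothing says so: the `*_app_policy.h` directives can only be present in data once the first call has inlined `android/android_seccomp.h`, presumably because that header is what includes them, so swapping the calls would abort with "can't find ... include". A one-line comment above the android pass would make this explicit, e.g. `// Second pass: android_seccomp.h (inlined just above) pulls in the per-arch policy headers, which live under executor/android/.` The enclosing main() starts and ends outside this hunk.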
@@ -62,3 +61,18 @@ func failf(msg string, args ...interface{}) {
 fmt.Fprintf(os.Stderr, msg+"\n", args...)
 os.Exit(1)
 }
+
+func replaceIncludes(filenames []string, location string, data []byte) []byte {
+ for _, include := range filenames {
+ contents, err := ioutil.ReadFile(location + include)
+ if err != nil {
+ failf("%v", err)
+ }
+ replace := []byte("#include \"" + include + "\"")
+ if bytes.Index(data, replace) == -1 {
+ failf("can't find %v include", include)
+ }
+ data = bytes.Replace(data, replace, contents, -1)
+ }
+ return data
+}
-- cgit mrf-deployment
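Review bot: replaceIncludes is a new package-level function with no doc comment, and its contract (splice each listed header over its `#include "name"` directive, aborting via failf when the file is unreadable or the directive is absent) is only recoverable by reading the body. Suggest `// replaceIncludes reads each file in filenames from location and splices its contents over every` / `// #include "<name>" directive in data; it aborts via failf if the file or the directive is missing.` The membership test reads more directly as `if !bytes.Contains(data, replace) {`. The match is purely textual, so a header referenced under a different relative path in some directive would not be found, and because bytes.Replace is called with -1 every occurrence of the directive is inlined, which is worth stating in the comment so a later caller does not rely on single substitution.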