Add support for SECCOMP_FILTER_FLAG_TSYNC. This allows synchronizing all threads in a thread group to the same seccomp filter tree. Some processes only receive control over their execution after threads have already been created in their thread group. This happens for example with apps forked from the Android zygote. Thread sync (TSYNC) allows these processes to safely apply seccomp filters to all threads in their thread group, therefore preventing a thread running with seccomp filters from being able to circumvent the filter by exploiting an unconfined thread in the same thread group. Bug: 31267783 Test: Manual, with multithreaded program calling libminijail. Change-Id: I902428abf2e4d7fb3e2200ebfe9d5e640a1b10e0

commit: 13650616ba6faa3ad84c69816e80a2f65bce6331 [log] [tgz]
author: Jorge Lucangeli Obes <jorgelo@google.com> Fri Sep 02 11:27:29 2016 -0400
committer: Jorge Lucangeli Obes <jorgelo@google.com> Fri Sep 09 14:27:21 2016 -0400
tree: 8c4e3fef63687340f81a0918b43b000edfd801f2
parent: a32e8393f2864625038eb355b479a5263fb3d363 [diff] [blame]
diff --git a/libminijail.h b/libminijail.h
index 62005c8..98d5009 100644
--- a/libminijail.h
+++ b/libminijail.h

@@ -50,6 +50,7 @@
 void minijail_use_seccomp(struct minijail *j);
 void minijail_no_new_privs(struct minijail *j);
 void minijail_use_seccomp_filter(struct minijail *j);
+void minijail_set_seccomp_filter_tsync(struct minijail *j);
 void minijail_parse_seccomp_filters(struct minijail *j, const char *path);
 void minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd);
 void minijail_log_seccomp_filter_failures(struct minijail *j);
commit	13650616ba6faa3ad84c69816e80a2f65bce6331	[log] [tgz]
author	Jorge Lucangeli Obes <jorgelo@google.com>	Fri Sep 02 11:27:29 2016 -0400
committer	Jorge Lucangeli Obes <jorgelo@google.com>	Fri Sep 09 14:27:21 2016 -0400
tree	8c4e3fef63687340f81a0918b43b000edfd801f2
parent	a32e8393f2864625038eb355b479a5263fb3d363 [diff] [blame]