Revert "Move zygote's seccomp setup to post-fork"
This reverts commit a188dbc050b9fca41ed92928d68ed00c562de580.
Reason for revert: selinux denials, see b/71768585
Change-Id: Ic1b81e146b52b68445ba634de39657f199107da3
diff --git a/core/java/android/os/Seccomp.java b/core/java/android/os/Seccomp.java
index 335e44b..f14e93f 100644
--- a/core/java/android/os/Seccomp.java
+++ b/core/java/android/os/Seccomp.java
@@ -20,6 +20,5 @@
* @hide
*/
public final class Seccomp {
- public static native void setSystemServerPolicy();
- public static native void setAppPolicy();
+ public static final native void setPolicy();
}
diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/android/internal/os/Zygote.java
index 3ebe921..cbc63cf 100644
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
@@ -17,7 +17,6 @@
package com.android.internal.os;
import android.os.IVold;
-import android.os.Seccomp;
import android.os.Trace;
import android.system.ErrnoException;
import android.system.Os;
@@ -154,9 +153,6 @@
*/
public static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
- // Set system server specific seccomp policy.
- Seccomp.setSystemServerPolicy();
-
VM_HOOKS.preFork();
// Resets nice priority for zygote process.
resetNicePriority();
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 24c4a8d..6a87b1f 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -30,7 +30,6 @@
import android.net.LocalSocket;
import android.os.FactoryTest;
import android.os.Process;
-import android.os.Seccomp;
import android.os.SystemProperties;
import android.os.Trace;
import android.system.ErrnoException;
@@ -768,9 +767,6 @@
Process.setArgV0(parsedArgs.niceName);
}
- // Set app specific seccomp policy.
- Seccomp.setAppPolicy();
-
// End of the postFork event.
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
if (parsedArgs.invokeWith != null) {
diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java
index 4016832..2be6212 100644
--- a/core/java/com/android/internal/os/ZygoteInit.java
+++ b/core/java/com/android/internal/os/ZygoteInit.java
@@ -782,6 +782,9 @@
// Zygote process unmounts root storage spaces.
Zygote.nativeUnmountStorageOnInit();
+ // Set seccomp policy
+ Seccomp.setPolicy();
+
ZygoteHooks.stopZygoteNoThreadCreation();
if (startSystemServer) {
diff --git a/core/jni/android_os_seccomp.cpp b/core/jni/android_os_seccomp.cpp
index b9006e4..06e2a16 100644
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@@ -21,33 +21,20 @@
#include "seccomp_policy.h"
-static void Seccomp_setSystemServerPolicy(JNIEnv* /*env*/) {
+static void Seccomp_setPolicy(JNIEnv* /*env*/) {
if (security_getenforce() == 0) {
ALOGI("seccomp disabled by setenforce 0");
return;
}
- if (!set_system_seccomp_filter()) {
- ALOGE("Failed to set seccomp policy - killing");
- exit(1);
- }
-}
-
-static void Seccomp_setAppPolicy(JNIEnv* /*env*/) {
- if (security_getenforce() == 0) {
- ALOGI("seccomp disabled by setenforce 0");
- return;
- }
-
- if (!set_app_seccomp_filter()) {
+ if (!set_seccomp_filter()) {
ALOGE("Failed to set seccomp policy - killing");
exit(1);
}
}
static const JNINativeMethod method_table[] = {
- NATIVE_METHOD(Seccomp, setSystemServerPolicy, "()V"),
- NATIVE_METHOD(Seccomp, setAppPolicy, "()V"),
+ NATIVE_METHOD(Seccomp, setPolicy, "()V"),
};
namespace android {