Fix seccomp filter set up in zygote

This needs to land with extra syscalls whitelisted, including capset and
setresuid.  These privileged syscalls are used in the setup after the
filter is initialized.

Test: system starts, different apps run
Bug: 63944145
Bug: 76461821
Change-Id: I49e6b292805f35baffb3530461c8741e75aceb32
diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp
index f1b736b..e5281ff 100644
--- a/core/jni/com_android_internal_os_Zygote.cpp
+++ b/core/jni/com_android_internal_os_Zygote.cpp
@@ -260,7 +260,7 @@
   }
 
   // Apply system or app filter based on uid.
-  if (getuid() >= AID_APP_START) {
+  if (uid >= AID_APP_START) {
     set_app_seccomp_filter();
   } else {
     set_system_seccomp_filter();
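Review bot: The switch from `getuid()` to the `uid` parameter needs a comment at this line, because the reason is only visible in a different hunk: the call to this function is moved ahead of `setresuid()` (third hunk), so `getuid()` here would presumably still report the zygote's own uid and select the system filter for every child. Without that note a later cleanup could reintroduce `getuid()` and silently weaken the app sandbox. Suggest replacing the comment on the preceding line with `// Apply system or app filter based on the target uid. Do not use getuid(): the filter is installed before setresuid(), so getuid() still returns the zygote's uid here.` The enclosing function starts and ends outside the hunk.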
@@ -619,11 +619,6 @@
       fail_fn(CREATE_ERROR("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno)));
     }
 
-    // Must be called when the new process still has CAP_SYS_ADMIN.  The other alternative is to
-    // call prctl(PR_SET_NO_NEW_PRIVS, 1) afterward, but that breaks SELinux domain transition (see
-    // b/71859146).
-    SetUpSeccompFilter(uid);
-
     // Keep capabilities across UID change, unless we're staying root.
     if (uid != 0) {
       if (!EnableKeepCapabilities(&error_msg)) {
@@ -697,6 +692,13 @@
       fail_fn(CREATE_ERROR("setresgid(%d) failed: %s", gid, strerror(errno)));
     }
 
+    // Must be called when the new process still has CAP_SYS_ADMIN, in this case, before changing
+    // uid from 0, which clears capabilities.  The other alternative is to call
+    // prctl(PR_SET_NO_NEW_PRIVS, 1) afterward, but that breaks SELinux domain transition (see
+    // b/71859146).  As the result, privileged syscalls used below still need to be accessible in
+    // app process.
+    SetUpSeccompFilter(uid);
+
     rc = setresuid(uid, uid, uid);
     if (rc == -1) {
       fail_fn(CREATE_ERROR("setresuid(%d) failed: %s", uid, strerror(errno)));
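Review bot: The relocated `SetUpSeccompFilter(uid)` call now runs before `setresuid()` and the capability handling that follows, so the filter policy itself has to permit those syscalls, and the comment should name them instead of saying "privileged syscalls used below": the commit message lists `capset` and `setresuid`, and that coupling is otherwise invisible at this call site. Suggest ending the comment with `// The filter must therefore allow setresuid and capset (and any other syscall made before the app's own code runs); keep this in sync with the filter definitions.` and changing `As the result` to `As a result`. It is also worth stating in the comment that if a missing allow-list entry makes the filter terminate the child rather than return an error, the symptom would be a dead forked process, not the `setresuid(%d) failed` message on the next line, so the failure is recognisable when it happens. The enclosing function starts and ends outside the hunk.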