From 5e1e5980eb1e9942f52726de49bb1a6600c45238 Mon Sep 17 00:00:00 2001
From: LuK1337
Date: Mon, 4 Jan 2021 22:28:07 +0100
Subject: [PATCH] sm8250-common: Import seccomp policy

Change-Id: I37ce3ffb096b18e08f994d0dc327456f850e35eb
---
 common.mk | 10 +++
 seccomp/atfwd@2.0.policy | 67 +++++++++++++++++++
 seccomp/codec2.vendor.base.policy | 74 +++++++++++++++++++++
 seccomp/imsrtp.policy | 90 ++++++++++++++++++++++++++
 seccomp/mediacodec.policy | 21 ++++++
 seccomp/qspm.policy | 78 ++++++++++++++++++++++
 seccomp/qti-systemd.policy | 77 ++++++++++++++++++++++
 seccomp/vendor.qti.hardware.dsp.policy | 63 ++++++++++++++++++
 8 files changed, 480 insertions(+)
 create mode 100644 seccomp/atfwd@2.0.policy
 create mode 100644 seccomp/codec2.vendor.base.policy
 create mode 100644 seccomp/imsrtp.policy
 create mode 100644 seccomp/mediacodec.policy
 create mode 100644 seccomp/qspm.policy
 create mode 100644 seccomp/qti-systemd.policy
 create mode 100644 seccomp/vendor.qti.hardware.dsp.policy

diff --git a/common.mk b/common.mk
index 80c72fb..a8e619d 100644
--- a/common.mk
+++ b/common.mk
@@ -312,6 +312,16 @@ PRODUCT_PACKAGES_DEBUG += \
 PRODUCT_PACKAGES += \
 vendor.qti.hardware.vibrator.service
+# Seccomp policy
+PRODUCT_COPY_FILES += \
+ $(LOCAL_PATH)/seccomp/atfwd@2.0.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/atfwd@2.0.policy \
+ $(LOCAL_PATH)/seccomp/codec2.vendor.base.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/codec2.vendor.base.policy \
+ $(LOCAL_PATH)/seccomp/imsrtp.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/imsrtp.policy \
+ $(LOCAL_PATH)/seccomp/mediacodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediacodec.policy \
+ $(LOCAL_PATH)/seccomp/qspm.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/qspm.policy \
+ $(LOCAL_PATH)/seccomp/qti-systemd.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/qti-systemd.policy \
+ $(LOCAL_PATH)/seccomp/vendor.qti.hardware.dsp.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/vendor.qti.hardware.dsp.policy
+
 # WiFi
 PRODUCT_PACKAGES += \
 WifiResCommon
diff --git a/seccomp/atfwd@2.0.policy b/seccomp/atfwd@2.0.policy
new file mode 100644
index 0000000..d556f3a
--- /dev/null
+++ b/seccomp/atfwd@2.0.policy
@@ -0,0 +1,67 @@
+# Copyright (c) 2020 Qualcomm Technologies, Inc.
+# All Rights Reserved.
+# Confidential and Proprietary - Qualcomm Technologies, Inc
+#
+# Not a contribution.
+#
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+munmap: 1
+getuid: 1
+writev: 1
+prctl: arg0 == PR_SET_VMA || arg0 == PR_GET_DUMPABLE
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+openat: 1
+futex: 1
+close: 1
+read: 1
+newfstatat: 1
+fstat: 1
+#ioctl: arg1 == BINDER_WRITE_READ || arg1 == BINDER_SET_MAX_THREADS || arg1 == BINDER_VERSION
+ioctl: 1
+mremap: 1
+readlinkat: 1
+pread64: 1
+fstatfs: 1
+rt_sigprocmask: 1
+faccessat: 1
+sendto: 1
+rt_sigaction: 1
+socket: arg0 == AF_UNIX || arg0 == AF_QIPCRTR
+recvfrom: 1
+getsockname: 1
+getdents64: 1
+fcntl: 1
+nanosleep: 1
+getrandom: 1
+clone: 1
+pipe2: 1
+exit_group: 1
+write: 1
+exit: 1
+getpid: 1
+sigaltstack: 1
+getrlimit: 1
+restart_syscall: 1
+setsockopt: 1
+sched_getscheduler: 1
+rt_sigreturn: 1
+execve: 1
+madvise: 1
+set_tid_address: 1
+connect: 1
+ppoll: 1
+clock_gettime: 1
diff --git a/seccomp/codec2.vendor.base.policy b/seccomp/codec2.vendor.base.policy
new file mode 100644
index 0000000..4785704
--- /dev/null
+++ b/seccomp/codec2.vendor.base.policy
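Review bot: `ioctl: 1` in atfwd@2.0.policy allows every ioctl request, while the argument-filtered rule directly above it is left commented out (`#ioctl: arg1 == BINDER_WRITE_READ || arg1 == BINDER_SET_MAX_THREADS || arg1 == BINDER_VERSION`). ioctl is the broadest driver entry point a sandboxed vendor service keeps, so I would restore the filtered form, extended with the requests that were actually seen denied. Failing that, add a comment such as `# ioctl left unfiltered: <reason; request numbers still to be enumerated>` so the gap is tracked. The same pattern of a filtered rule commented out in favour of a blanket allow appears for `prctl` in imsrtp.policy, and for both `prctl` and `ioctl` in qti-systemd.policy and vendor.qti.hardware.dsp.policy.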
@@ -0,0 +1,74 @@
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Organized by frequency of systemcall - in descending order for
+# best performance.
+futex: 1
+ioctl: 1
+write: 1
+prctl: 1
+clock_gettime: 1
+getpriority: 1
+read: 1
+close: 1
+writev: 1
+dup: 1
+ppoll: 1
+mmap2: 1
+getrandom: 1
+
+# mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail
+# parser support for '<' is in this needs to be modified to also prevent
+# |old_address| and |new_address| from touching the exception vector page, which
+# on ARM is statically loaded at 0xffff 0000. See
+# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
+# for more details.
+#mremap: arg3 == 3
+mremap: arg3 == 3 || arg3 == MREMAP_MAYMOVE
+munmap: 1
+mprotect: 1
+madvise: 1
+openat: 1
+sigaltstack: 1
+clone: 1
+setpriority: 1
+getuid32: 1
+fstat64: 1
+fstatfs64: 1
+pread64: 1
+faccessat: 1
+readlinkat: 1
+exit: 1
+rt_sigprocmask: 1
+set_tid_address: 1
+restart_syscall: 1
+exit_group: 1
+rt_sigreturn: 1
+pipe2: 1
+gettimeofday: 1
+sched_yield: 1
+nanosleep: 1
+lseek: 1
+_llseek: 1
+sched_get_priority_max: 1
+sched_get_priority_min: 1
+statfs64: 1
+sched_setscheduler: 1
+fstatat64: 1
+ugetrlimit: 1
+getdents64: 1
+getrandom: 1
+
+@include /system/etc/seccomp_policy/crash_dump.arm.policy
+
diff --git a/seccomp/imsrtp.policy b/seccomp/imsrtp.policy
new file mode 100644
index 0000000..44092b0
--- /dev/null
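Review bot: `getrandom: 1` is listed twice in codec2.vendor.base.policy, once after `mmap2: 1` and again as the last rule before the `@include`. Depending on how the policy compiler treats a redefined syscall, the second entry is either a load-time error or silently merged, so the later copy should be dropped. qspm.policy repeats `fstat: 1`, and qti-systemd.policy repeats `sigaltstack: 1`, `exit: 1` and `restart_syscall: 1`. Separately, the comment above `mremap` still says the flags are held to (MREMAP_MAYMOVE | MREMAP_FIXED), while the active rule also accepts `MREMAP_MAYMOVE` alone. The comment should be updated to say so, along the lines of `# mremap: |flags| must be MREMAP_MAYMOVE, optionally with MREMAP_FIXED`.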
+++ b/seccomp/imsrtp.policy
@@ -0,0 +1,90 @@
+#Copyright (c) 2020 Qualcomm Technologies, Inc.
+#All Rights Reserved.
+#Confidential and Proprietary - Qualcomm Technologies, Inc
+
+#Not a contribution.
+
+#Copyright (C) 2018 The Android Open Source Project
+
+#"Licensed under the Apache License, Version 2.0 (the \"License\");"
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+
+#http://www.apache.org/licenses/LICENSE-2.0
+
+#Unless required by applicable law or agreed to in writing, software
+#"distributed under the License is distributed on an \"AS IS\" BASIS,"
+#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#See the License for the specific language governing permissions and
+#limitations under the License.
+
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+munmap: 1
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+#prctl: arg0 == PR_SET_VMA || arg0 == PR_SET_NO_NEW_PRIVS || arg0 == PR_GET_DUMPABLE || arg0 == PR_SET_SECCOMP || arg0 == 0x37 /* PR_??? */
+prctl: 1
+read: 1
+openat: 1
+close: 1
+shutdown: 1
+kill: 1
+futex: 1
+fstat: 1
+gettimeofday: 1
+readlinkat: 1
+newfstatat: 1
+mremap: 1
+pread64: 1
+fstatfs: 1
+rt_sigaction: 1
+faccessat: 1
+socket: arg0 == AF_UNIX || arg0 == AF_QIPCRTR
+writev: 1
+connect: 1
+rt_sigprocmask: 1
+fcntl: 1
+sendto: 1
+getrandom: 1
+lseek: 1
+exit_group: 1
+rt_tgsigqueueinfo: 1
+write: 1
+exit: 1
+getpid: 1
+sigaltstack: 1
+recvmsg: 1
+dup: 1
+getrlimit: 1
+restart_syscall: 1
+clone: 1
+gettid: 1
+sched_getscheduler: 1
+ioctl: 1
+execve: 1
+getuid: 1
+madvise: 1
+set_tid_address: 1
+nanosleep: 1
+rt_sigreturn: 1
+rt_sigsuspend: 1
+setpriority: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+getgroups: 1
+pipe2: 1
+setitimer: 1
+pselect6: 1
+getsockname: 1
+recvfrom: 1
+ppoll: 1
+socketpair: 1
+setsockopt: 1
+getsockopt: 1
+sendmsg: 1
+bind: 1
+timer_create: 1
+timer_settime: 1
+timer_delete: 1
+clock_gettime: 1
+sched_getaffinity: 1
diff --git a/seccomp/mediacodec.policy b/seccomp/mediacodec.policy
new file mode 100644
index 0000000..0b75b84
--- /dev/null
+++ b/seccomp/mediacodec.policy
@@ -0,0 +1,21 @@
+# device specific syscalls
+# extension of services/mediacodec/minijail/seccomp_policy/mediacodec-seccomp-arm.policy
+pselect6: 1
+eventfd2: 1
+sendto: 1
+recvfrom: 1
+_llseek: 1
+sysinfo: 1
+getcwd: 1
+getdents64: 1
+ARM_cacheflush: 1
+inotify_init1: 1
+inotify_add_watch: 1
+inotify_rm_watch: 1
+uname: 1
+ueventd: 1
+timer_create: 1
+timer_settime: 1
+rt_sigtimedwait: 1
+readlink: 1
+open: 1
diff --git a/seccomp/qspm.policy b/seccomp/qspm.policy
new file mode 100644
index 0000000..83e7250
--- /dev/null
+++ b/seccomp/qspm.policy
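Review bot: `ueventd: 1` in mediacodec.policy does not name a syscall; ueventd is Android's device-node daemon, so this line looks like a stray entry. A policy compiler that resolves names against the syscall table will either reject the file or ignore the line, and neither outcome is what an allow-list entry is meant to express. I would delete the line, or replace it with the syscall that was actually being denied if one was intended. Since this file extends the codec sandbox, which handles untrusted media, each remaining addition (`open`, `readlink`, the `inotify_*` calls) would also benefit from a short comment saying which vendor component needs it.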
@@ -0,0 +1,78 @@
+# Copyright (c) 2020 Qualcomm Technologies, Inc.
+# All Rights Reserved.
+# Confidential and Proprietary - Qualcomm Technologies, Inc
+#
+# Not a contribution.
+#
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ioctl: 1
+futex: 1
+openat: 1
+getuid: 1
+writev: 1
+newfstatat: 1
+fstat: 1
+rt_sigaction: 1
+prctl: 1
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+close: 1
+rt_sigreturn: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+mprotect: 1
+faccessat: 1
+getrlimit: 1
+read: 1
+lseek: 1
+getdents64: 1
+write: 1
+readlinkat: 1
+fstatfs: 1
+pread64: 1
+munmap: 1
+mremap: 1
+dup: 1
+renameat: 1
+unlinkat: 1
+madvise: 1
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+fstat: 1
+clock_gettime: 1
+socket: arg0 == AF_UNIX
+rt_sigprocmask: 1
+connect: 1
+getrandom: 1
+fcntl: 1
+execve: 1
+getpid: 1
+set_tid_address: 1
+sched_getscheduler: 1
+sigaltstack: 1
+sched_getaffinity: 1
+pipe2: 1
+
+# crash dump policy additions
+sigreturn: 1
+gettid: 1
+recvmsg: 1
+process_vm_readv: 1
+tgkill: 1
+rt_tgsigqueueinfo: 1
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+getgroups32: 1
diff --git a/seccomp/qti-systemd.policy b/seccomp/qti-systemd.policy
new file mode 100644
index 0000000..4020e52
--- /dev/null
+++ b/seccomp/qti-systemd.policy
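Review bot: `mprotect` is defined twice in qspm.policy with different rules: an unconditional `mprotect: 1` after `exit_group: 1`, and later `mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE`. If the unconditional entry takes effect, or the two are OR-ed together, the process can make a writable mapping executable after the fact. That defeats the W^X restriction this file already applies to `mmap` with the same expression. Drop the `mprotect: 1` line so that only the filtered rule remains.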
@@ -0,0 +1,77 @@
+# Copyright (c) 2020 Qualcomm Technologies, Inc.
+# All Rights Reserved.
+# Confidential and Proprietary - Qualcomm Technologies, Inc
+#
+# Not a contribution.
+#
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+munmap: 1
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+#prctl: arg0 == 0x37 /* PR_??? */ || arg0 == PR_SET_VMA || arg0 == PR_GET_DUMPABLE || arg0 == PR_SET_SECCOMP || arg0 == PR_CAP_AMBIENT || arg0 == PR_GET_NO_NEW_PRIVS || arg0 == PR_SET_DUMPABLE || arg0 == PR_GET_NAME || arg0 == PR_SET_PTRACER
+prctl: 1
+openat: 1
+read: 1
+futex: 1
+close: 1
+fstat: 1
+readlinkat: 1
+newfstatat: 1
+mremap: 1
+fstatfs: 1
+pread64: 1
+rt_sigprocmask: 1
+rt_sigaction: 1
+faccessat: 1
+#ioctl: arg1 == _IOC(_IOC_NONE
+ioctl: 1
+clock_gettime: 1
+getrandom: 1
+nanosleep: 1
+fcntl: 1
+getuid: 1
+sigaltstack: 1
+socket: arg0 == AF_QIPCRTR || arg0 == AF_UNIX
+writev: 1
+execve: 1
+getpid: 1
+set_tid_address: 1
+sched_getscheduler: 1
+sigaltstack: 1
+sched_getaffinity: 1
+connect: 1
+pipe2: 1
+clone: 1
+ppoll: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+rt_tgsigqueueinfo: 1
+getppid: 1
+dup: 1
+capget: 1
+capset: 1
+setsid: 1
+setitimer: 1
+ptrace: 1
+recvmsg: 1
+exit: 1
+restart_syscall: 1
+gettid: 1
+write: 1
+dup3: 1
+getdents64: 1
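Review bot: `ptrace: 1` and `capset: 1` in qti-systemd.policy are allowed with no argument filter, and nothing in the file says why this service needs them. Both are calls a seccomp sandbox normally exists to withhold, so an unexplained blanket allow weakens the policy more than most other lines here. The commented-out `prctl` filter lists `PR_SET_PTRACER` and `PR_CAP_AMBIENT`, which suggests the entries come from a crash-dump or capability-drop path, but that is an inference from this hunk only. I would add a comment naming the code path for each, e.g. `# ptrace: needed by <component>; restrict arg0 to the requests actually used`, and filter `ptrace` on `arg0` once those requests are known.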
diff --git a/seccomp/vendor.qti.hardware.dsp.policy b/seccomp/vendor.qti.hardware.dsp.policy
new file mode 100644
index 0000000..e5b3618
--- /dev/null
+++ b/seccomp/vendor.qti.hardware.dsp.policy
@@ -0,0 +1,63 @@
+# Copyright (c) 2020 Qualcomm Technologies, Inc.
+# All Rights Reserved.
+# Confidential and Proprietary - Qualcomm Technologies, Inc
+#
+# Not a contribution.
+#
+# Copyright (C) 2018 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+mmap: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+munmap: 1
+#prctl: arg0 == PR_SET_VMA || arg0 == PR_GET_DUMPABLE || arg0 == 0x37
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+futex: 1
+read: 1
+openat: 1
+close: 1
+fstat: 1
+readlinkat: 1
+newfstatat: 1
+mremap: 1
+clock_gettime: 1
+pread64: 1
+fstatfs: 1
+rt_sigaction: 1
+faccessat: 1
+rt_sigprocmask: 1
+#ioctl: arg1 == TCGETS || arg1 == BINDER_WRITE_READ || arg1 == BINDER_SET_MAX_THREADS || arg1 == BINDER_VERSION
+ioctl: 1
+getrandom: 1
+fcntl: 1
+getuid: 1
+lseek: 1
+exit_group: 1
+sched_getaffinity: 1
+writev: 1
+exit: 1
+getpid: 1
+sigaltstack: 1
+getrlimit: 1
+restart_syscall: 1
+clone: 1
+sched_getscheduler: 1
+execve: 1
+socket: arg0 == AF_UNIX
+set_tid_address: 1
+rt_sigreturn: 1
+connect: 1
+gettid: 1
+setpriority: 1
+prctl: 1
+write: 1