| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
This change avoids having to run the genseccomp.py script every time a
policy file is edited, and instead generates these files at
compile-time.
Bug: None
Test: m
Test: find out/soong/ -name x86_64_global_policy.cpp # Shows files
Test: generated policies are equivalent to original policies
Change-Id: I12461fe0c5fb02c008c1b2503fbb994b8aa2f56b
|
| |
|
|
|
|
|
|
|
|
| |
Several privileged syscalls are still needed before a zygote-fork hangs
over the execution to the apps.
Test: system starts, different apps run
Bug: 63944145
Bug: 76461821
Change-Id: I78da54dac509eb073bc2aa7b820a1f6b0c39a775
|
| |
|
|
|
|
| |
Test: build, run some app
Bug: 63944145
Change-Id: I13eb56f923732e110851dec02eaa11f6cb44535c
|
|
|
To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps. Note that
there is current no change between them.
Zygote will apply these filters appropriately to system server and apps.
Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.
Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.
Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145
Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
|
