msm8226_sec_defconfig: enable seccomp && seccomp_filter support
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

This commit finalizes and enables seccomp-bpf support for CyanogenMod/android_kernel_samsung_klte

The prior 38 seccomp-bpf patches were cherry-picked from the CodeAurora/linux-msm-3.4 branch[1]. They were originally written for ChromiumOS's linux-3.4 seccomp-bpf support[2].

I have reworked the patchset to apply over CyanogenMod/android_kernel_samsung_klte to improve security, properly support sandboxing and support Android 7.0 'minijails'; a seccomp-bpf wrapper/library.

- Tested with Chromium 56
- Tested with Chrome 54
- Tested with mediacodec
- Tested with mediaextractor

To check if a process has seccomp filters enabled;
/proc/<PID>/status
seccomp: 0 = OFF
seccomp: 2 = ON (seccomp filters are enabled)

[1] https://source.codeaurora.org/quic/la/kernel/msm/log/?h=aosp-common/android-3.4
[2] https://www.chromium.org/chromium-os/developer-guide/chromium-os-sandboxing#h.l7ou90opzirq

Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
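The /proc/<PID>/status check described in the commit message, as an added shell example that is not part of the commit or of the kernel tree. The function names and the PROC_ROOT variable are assumptions of this example; it accepts the field name in either capitalisation and also reports mode 1 (strict), which the message does not list.

```shell
#!/bin/sh
# Added example: report each process's seccomp mode from /proc/<PID>/status.
# PROC_ROOT is hypothetical, used so the functions can be pointed at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the numeric seccomp mode of one PID, or "unknown" when the field is
# absent (kernel built without seccomp) or the process has already exited.
seccomp_mode() {
    status="$PROC_ROOT/$1/status"
    [ -r "$status" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/^[Ss]eccomp:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$status" | head -n 1)
    echo "${mode:-unknown}"
}

# Translate the numeric mode into a label.
seccomp_label() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Print "<pid> <name> <label>" per process; with an argument (off, strict,
# filter, unknown) print only the processes in that state.
seccomp_report() {
    want="$1"
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        label=$(seccomp_label "$(seccomp_mode "$pid")")
        [ -z "$want" ] || [ "$want" = "$label" ] || continue
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null | head -n 1)
        echo "$pid ${name:-?} $label"
    done
}

# Stand-alone use: sh seccomp_report.sh report [off|strict|filter|unknown]
if [ "${1:-}" = "report" ]; then
    seccomp_report "${2:-}"
fi
```

Run with `report filter` on the device to list the processes that have a filter installed; an `unknown` label for every process means the running kernel does not expose the field.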
parent deff0f7d9b
commit 8202d19608
|
@ -11,6 +11,8 @@ CONFIG_CGROUP_CPUACCT=y
|
|||
CONFIG_RESOURCE_COUNTERS=y
|
||||
CONFIG_CGROUP_SCHED=y
|
||||
CONFIG_RT_GROUP_SCHED=y
|
||||
CONFIG_SECCOMP=y
|
||||
CONFIG_SECCOMP_FILTER=y
|
||||
CONFIG_NAMESPACES=y
|
||||
CONFIG_USER_RESET_DEBUG=y
|
||||
CONFIG_UTS_NS=y
|
||||
|
|
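Review bot: the two added lines, CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y after CONFIG_RT_GROUP_SCHED=y, only take effect if their Kconfig dependencies are satisfied in this tree, and a defconfig entry whose dependencies are unmet is dropped without an error when the config is generated. Please confirm both symbols appear as =y in the .config produced from this defconfig and say so in the message next to the runtime tests. Separately, the subject names msm8226_sec_defconfig while the body refers to android_kernel_samsung_klte; it would help to state which device tree this defconfig change targets so the two agree.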