msm8226_sec_defconfig: enable seccomp && seccomp_filter support

CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

This commit finalizes and enables seccomp-bpf support for
CyanogenMod/android_kernel_samsung_klte

The prior 38 seccomp-bpf patches were cherry-picked from the
CodeAurora/linux-msm-3.4 branch[1]. they were originally
written for ChromiumOS's linux-3.4 seccomp-bpf support[2].
I have reworked the patchset to apply over
CyanogenMod/android_kernel_samsung_klte to improve
security, properly support sandboxing and support
Android 7.0 'minijails'; a seccomp-bpf wrapper/library.

- Tested with Chromium 56
- Tested with Chrome 54
- Tested with mediacodec
- Tested with mediaextractor

To check if a process has seccomp filters enabled;

/proc/<PID>/status

seccomp: 0 = OFF
seccomp: 2 = ON (seccomp filters are enabled)

[1] https://source.codeaurora.org/quic/la/kernel/msm/log/?h=aosp-common/android-3.4
[2] https://www.chromium.org/chromium-os/developer-guide/chromium-os-sandboxing#h.l7ou90opzirq

Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>

This commit is contained in:

ninez

2016-10-21 17:29:15 -04:00

committed by

Francescodario Cuzzocrea

parent deff0f7d9b

commit 8202d19608

1 changed files with 2 additions and 0 deletions

2

arch/arm/configs/msm8226-sec_defconfig

View File

 @ -11,6 +11,8 @@ CONFIG_CGROUP_CPUACCT=y
 CONFIG_RESOURCE_COUNTERS=y
 CONFIG_CGROUP_SCHED=y
 CONFIG_RT_GROUP_SCHED=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_RESET_DEBUG=y
 CONFIG_UTS_NS=y

msm8226_sec_defconfig: enable seccomp && seccomp_filter support

2 arch/arm/configs/msm8226-sec_defconfig Unescape Escape View File

2

arch/arm/configs/msm8226-sec_defconfig

View File