Merge "Make seccomp honor setenforce"

2017-03-04 02:08:53 +00:00 · 2017-03-04 02:08:53 +00:00 · c337e32bb0
commit c337e32bb0
parent 6ac19c0d23 ffad2adfa5
2 changed files with 9 additions and 0 deletions
--- a/core/jni/Android.mk
+++ b/core/jni/Android.mk
@ -218,6 +218,8 @@ LOCAL_C_INCLUDES += \

 LOCAL_STATIC_LIBRARIES := \
    libseccomp_policy \
+    libselinux \
+    libcrypto \

 LOCAL_SHARED_LIBRARIES := \
    libmemtrack \
--- a/core/jni/android_os_seccomp.cpp
+++ b/core/jni/android_os_seccomp.cpp
@ -17,9 +17,16 @@
 #include "core_jni_helpers.h"
 #include "JniConstants.h"
 #include "utils/Log.h"
+#include <selinux/selinux.h>
+
 #include "seccomp_policy.h"

 static void Seccomp_setPolicy(JNIEnv* /*env*/) {
+    if (security_getenforce() == 0) {
+        ALOGI("seccomp disabled by setenforce 0");
+        return;
+    }
+
    if (!set_seccomp_filter()) {
        ALOGE("Failed to set seccomp policy - killing");
        exit(1);