Google Git
Sign in
fuchsia/third_party/android/platform/frameworks/av/9f60b56976e7bad73890914b486092cad6632253^!/.
commit
9f60b56976e7bad73890914b486092cad6632253
[log]
author
Melvin Xu (徐敏) <melvin.xu@spreadtrum.com>
Wed May 02 17:45:14 2018 +0800
committer
Melvin Xu <melvin.xu@spreadtrum.com>
Thu May 10 02:52:15 2018 +0000
tree
ec45bafa3d2c5a928546de2ac2916abe3b4f3661
parent
334e5dff4751eb77ade396f4c32404ca2b2892b3 [diff]
CTS-on-gsi test, CtsSecurityHostTestCases--android.security.cts.ProcessMustUseSeccompTest#testMediaextractorHasSeccompFilter
--android.security.cts.ProcessMustUseSeccompTest#testOmxHalHasSeccompFilter
failed

[Android Version]:
Android8.1.0_r2

[CTS pachage version]
Suite / Plan	VTS / cts-on-gsi
Suite / Build	8.1_R3 / 4632653

[device](Any device config may relate this failure)
spreadtrum's iSharkL2
size:1080*1920

[bugzilla bugid] 79158930

[CTS Test Pre–Condition]
1.Language set to EN;
2.Keyguard set to none;
3.Enable GPS, Wifi network, USB debugging, Stay awake, Allow mock locations.
4.CTS version is VTS / cts-on-gsi 8.1_R3

[CTS Test Step]:
1 ./vts-tradefed
2 run cts-on-gsi

[Expected Result  ]:
This case will pass.

[Testing Result]:
case failed:
CtsSecurityHostTestCases
--android.security.cts.ProcessMustUseSeccompTest#testMediaextractorHasSeccompFilter
--android.security.cts.ProcessMustUseSeccompTest#testOmxHalHasSeccompFilter


[13. Analysis]:
junit.framework.AssertionFailedError: media.extractor must have a seccomp filter enabled. The "Seccomp" field of media.extractor's /proc/3292/status file should be set to "2"
at junit.framework.Assert.fail(Assert.java:57)
at junit.framework.Assert.assertTrue(Assert.java:22)

For iSharkL2 device, TARGET_ARCH=x86_64, but in the following Android.mk, there is no x86_64 option and mediaextractor-x86_64.policy, so mediaextractor.polily will not be generated in the $(TARGET_OUT)/etc/seccomp_policy.

Frameworks/av/services/mediaextractor/Android.mk:
# service seccomp filter
ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86))
include $(CLEAR_VARS)
LOCAL_MODULE := mediaextractor.policy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy
LOCAL_SRC_FILES := seccomp_policy/mediaextractor-$(TARGET_ARCH).policy
include $(BUILD_PREBUILT)
endif

[Analysize]:
There is no mediaextractor-x86_64.policy file in the frameworks/av/services/mediaextractor/seccomp_policy/, so we can't write this mediaextractor-x86_64.policy

And mediaextractor-x86_64.policy is got based on the mediaextractor-x86.policy and added the differences between mediaextractor-arm.policy and mediaextractor-arm64.policy.

But there is a problem of the arrangement order of syscalls in mediaextractor-x86_64.policy, maybe it need Google engineer to refine it.


[Conclusion]:
1. Add a new mediaextractor-x86_x64.policy
2. Modify the Android.mk file below in the frameworks/av/services/mediaextractor/ seccomp_policy
3. Because current google AOSP don’t consider x86_64 arch for mediaextractor policy, and iSharkL2 device use x86_64 arch, so we need to support it in the frameworks/av/services/mediaextractor/ seccomp_policy/. We will request to waive for this.


[Patch Link]:
https://android-review.googlesource.com/c/platform/frameworks/av/+/676982

Change-Id: Icd14cc62d6a2b8989ae3e2a1650af3749198522f

diff --git a/services/mediaextractor/Android.mk b/services/mediaextractor/Android.mk
index d41da39..3b883e7 100644
--- a/services/mediaextractor/Android.mk
+++ b/services/mediaextractor/Android.mk

@@ -26,7 +26,7 @@
 include $(BUILD_EXECUTABLE)
 
 # service seccomp filter
-ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86))
+ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86 x86_64))
 include $(CLEAR_VARS)
 LOCAL_MODULE := mediaextractor.policy
 LOCAL_MODULE_CLASS := ETC

diff --git a/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy b/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy
new file mode 100755
index 0000000..63c7780
--- /dev/null
+++ b/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy

@@ -0,0 +1,57 @@
+# Organized by frequency of systemcall - in descending order for
+# best performance.
+ioctl: 1
+futex: 1
+prctl: 1
+write: 1
+getpriority: 1
+close: 1
+dup: 1
+munmap: 1
+mmap: 1
+madvise: 1
+openat: 1
+clock_gettime: 1
+writev: 1
+brk: 1
+mprotect: 1
+read: 1
+lseek: 1
+clone: 1
+getuid: 1
+setpriority: 1
+sigaltstack: 1
+newfstatat: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+faccessat: 1
+sched_setscheduler: 1
+getrlimit: 1
+nanosleep: 1
+
+# for FileSource
+readlinkat: 1
+
+# for attaching to debuggerd on process crash
+tgkill: 1
+socket: arg0 == 1
+connect: 1
+fcntl: 1
+rt_sigprocmask: 1
+rt_sigaction: 1
+rt_tgsigqueueinfo: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+getgroups: 1
+getdents64: 1
+pipe2: 1
+ppoll: 1
+
+# Required by AddressSanitizer
+gettid: 1
+sched_yield: 1
+getpid: 1
+gettid: 1