https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html
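As the "seccomp filter" section of this article says:
"Android O's seccomp filter blocks certain system calls, such as swapon/swapoff, which have been implicated in some security attacks, and the key control system calls, which are not useful to apps. In total, the filter blocks 27 of 271 system calls in arm64 and 70 of 364 in arm."
Now some system calls are blocked and throw the error signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr -------- Cause: seccomp prevented call to disallowed system call 55.
But I can't find the 17 system calls in arm64 and the 70 system calls listed above. Which system calls are restricted? How do I find the system call that caused the crash?
Edit:
It seems this error message is generated here.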
  } else if (si->si_signo == SIGSYS && si->si_code == SYS_SECCOMP) {
    cause = StringPrintf("seccomp prevented call to disallowed %s system call %d", ABI_STRING,
                         si->si_syscall);
  }
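Answer 0 (score: 5)
The syscall filter source files are autogenerated, but the text files from which the filters are generated are located in the next directory up. There we find the list of all syscalls of interest, along with some whitelists and blacklists. Presumably the app blacklist is what you are looking for; I have summarized it below.
The filtering itself is a standard feature provided by the Linux kernel, called seccomp. All AOSP does is use this feature to filter the system calls listed in the app blacklist linked above. A script processes the blacklist into a platform-specific autogenerated filter, which is then fed to seccomp for the process that starts all Android apps (i.e. Zygote). Once this filtering is active, making a matching system call from a filtered process (i.e. any app) will result in a SIGKILL signal being delivered. For some general information on Linux signals, see here. The error message printed by the AOSP source you linked is just the system trying to give you some useful information when it notices that your process was killed - note that the method name is dump_probable_cause.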
+--------------------------------------------------+--------------------------+
| Function                                         | Blocked On               |
+--------------------------------------------------+--------------------------+
| int setgid:setgid32(gid_t)                       | arm,x86                  |
| int setgid:setgid(gid_t)                         | arm64,mips,mips64,x86_64 |
| int setuid:setuid32(uid_t)                       | arm,x86                  |
| int setuid:setuid(uid_t)                         | arm64,mips,mips64,x86_64 |
| int setreuid:setreuid32(uid_t, uid_t)            | arm,x86                  |
| int setreuid:setreuid(uid_t, uid_t)              | arm64,mips,mips64,x86_64 |
| int setresuid:setresuid32(uid_t, uid_t, uid_t)   | arm,x86                  |
| int setresuid:setresuid(uid_t, uid_t, uid_t)     | arm64,mips,mips64,x86_64 |
| int setresgid:setresgid32(gid_t, gid_t, gid_t)   | arm,x86                  |
| int setresgid:setresgid(gid_t, gid_t, gid_t)     | arm64,mips,mips64,x86_64 |
| int setfsgid(gid_t)                              | all                      |
| int setfsuid(uid_t)                              | all                      |
| int setgroups:setgroups32(int, const gid_t*)     | arm,x86                  |
| int setgroups:setgroups(int, const gid_t*)       | arm64,mips,mips64,x86_64 |
+--------------------------------------------------+--------------------------+

+--------------------------------------------------------------------+------------+
| Function                                                           | Blocked On |
+--------------------------------------------------------------------+------------+
| int adjtimex(struct timex*)                                        | all        |
| int clock_adjtime(clockid_t, struct timex*)                        | all        |
| int clock_settime(clockid_t, const struct timespec*)               | all        |
| int settimeofday(const struct timeval*, const struct timezone*)    | all        |
| int acct(const char* filepath)                                     | all        |
| int klogctl:syslog(int, char*, int)                                | all        |
| int capset(cap_user_header_t header, const cap_user_data_t data)   | all        |
| int chroot(const char*)                                            | all        |
+--------------------------------------------------------------------+------------+

+--------------------------------------------------------------------------------+------------+
| Function                                                                       | Blocked On |
+--------------------------------------------------------------------------------+------------+
| int init_module(void*, unsigned long, const char*)                             | all        |
| int delete_module(const char*, unsigned int)                                   | all        |
| int mount(const char*, const char*, const char*, unsigned long, const void*)   | all        |
| int umount2(const char*, int)                                                  | all        |
| int swapon(const char*, int)                                                   | all        |
| int swapoff(const char*)                                                       | all        |
| int setdomainname(const char*, size_t)                                         | all        |
| int sethostname(const char*, size_t)                                           | all        |
| int __reboot:reboot(int, int, int, void*)                                      | all        |
+--------------------------------------------------------------------------------+------------+
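
An added example, not part of the original answer and not AOSP code: a small Python parser for blocklist entries written in the form shown in the tables above. It lists the kernel syscall names blocked on one architecture and extracts the ABI and syscall number from a SIGSYS crash line. The two-space column separator, the function names, the subset of entries and the second crash line in the test are assumptions of this example.

```python
import re

# Entries copied from the tables on this page, written as
# "<ret> <func>[:<syscall>](<args>)  <arch list>". The two-space separator
# before the architecture list is an assumption of this example.
BLOCKLIST = """\
int setuid:setuid32(uid_t)  arm,x86
int setuid:setuid(uid_t)  arm64,mips,mips64,x86_64
int setgroups:setgroups32(int, const gid_t*)  arm,x86
int setgroups:setgroups(int, const gid_t*)  arm64,mips,mips64,x86_64
int klogctl:syslog(int, char*, int)  all
int swapon(const char*, int)  all
int __reboot:reboot(int, int, int, void*)  all
"""

# Architectures that appear in the "Blocked On" column of the tables.
ALL_ARCHES = {"arm", "arm64", "mips", "mips64", "x86", "x86_64"}
ENTRY = re.compile(r"^\w+\s+(\w+)(?::(\w+))?\(.*\)\s+([\w,]+)$")
# Matches the crash line with or without the ABI string before "system call".
CRASH = re.compile(r"signal 31 \(SIGSYS\), code 1 \(SYS_SECCOMP\).*?"
                   r"disallowed (?:(\w+) )?system call (\d+)")


def blocked_syscalls(text, arch):
    """Return the sorted kernel syscall names blocked on `arch`."""
    names = set()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if not m:
            raise ValueError("unparsable entry: " + line)
        func, syscall, arches = m.groups()
        arch_set = ALL_ARCHES if arches == "all" else set(arches.split(","))
        if arch in arch_set:
            # "func:syscall" means the libc function wraps a syscall with a
            # different kernel name; the filter acts on the kernel name.
            names.add(syscall or func)
    return sorted(names)


def parse_crash(line):
    """Return (abi or None, syscall number) from a SIGSYS crash line, else None."""
    m = CRASH.search(line)
    return (m.group(1), int(m.group(2))) if m else None
```

Turning the extracted number into a name still needs the syscall table of the reported ABI, because the same number refers to different calls on arm and arm64.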