Home | History | Annotate | Download | only in jni 
      1 /*
      2  * Copyright (C) 2013 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  *
     16  */
     17 
     18 #include "jni.h"
     19 
     20 #include <errno.h>
     21 #include <stdio.h>
     22 #include <stdlib.h>
     23 #include <string.h>
     24 #include <unistd.h>
     25 
     26 #include <linux/filter.h>
     27 #include <linux/seccomp.h>
     28 
     29 #include <sys/prctl.h>
     30 #include <sys/types.h>
     31 #include <sys/utsname.h>
     32 #include <sys/wait.h>
     33 
     34 jint android_os_cts_OSFeatures_getNoNewPrivs(JNIEnv* env, jobject thiz)
     35 {
     36     return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
     37 }
     38 
     39 jint android_os_cts_OSFeatures_prctlCapBsetRead(JNIEnv* env, jobject thiz, jint i)
     40 {
     41     return prctl(PR_CAPBSET_READ, i, 0, 0, 0);
     42 }
     43 
     44 #define DENY BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
     45 
     46 static void test_seccomp() {
     47     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
     48         _exit(0);
     49     }
     50 
     51     struct sock_filter filter[] = { DENY };
     52     struct sock_fprog prog;
     53     memset(&prog, 0, sizeof(prog));
     54     prog.len = sizeof(filter) / sizeof(filter[0]);
     55     prog.filter = filter;
     56 
     57     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) {
     58         _exit(0);
     59     }
     60 
     61     while(1) {
     62         _exit(0);  // should crash with SIGSYS
     63     }
     64 }
     65 
     66 jboolean android_os_cts_OSFeatures_hasSeccompSupport(JNIEnv* env, jobject)
     67 {
     68     pid_t pid = fork();
     69     if (pid == -1) {
     70         jclass cls = env->FindClass("java/lang/RuntimeException");
     71         env->ThrowNew(cls, "fork failed");
     72         return false;
     73     }
     74     if (pid == 0) {
     75         // child
     76         test_seccomp();
     77         _exit(0);
     78     }
     79 
     80     int status;
     81     TEMP_FAILURE_RETRY(waitpid(pid, &status, 0));
     82     return WIFSIGNALED(status) && (WTERMSIG(status) == SIGSYS);
     83 }
     84 
     85 jboolean android_os_cts_OSFeatures_needsSeccompSupport(JNIEnv*, jobject)
     86 {
     87 #if !defined(ARCH_SUPPORTS_SECCOMP)
     88     // Seccomp support is only available for ARM, x86, x86_64.
     89     // This define is controlled by the Android.mk.
     90     return false;
     91 #endif
     92     return true;
     93 }
     94 
     95 static JNINativeMethod gMethods[] = {
     96     {  "getNoNewPrivs", "()I",
     97             (void *) android_os_cts_OSFeatures_getNoNewPrivs  },
     98     {  "prctlCapBsetRead", "(I)I",
     99             (void *) android_os_cts_OSFeatures_prctlCapBsetRead },
    100     {  "hasSeccompSupport", "()Z",
    101             (void *) android_os_cts_OSFeatures_hasSeccompSupport  },
    102     {  "needsSeccompSupport", "()Z",
    103             (void *) android_os_cts_OSFeatures_needsSeccompSupport  }
    104 };
    105 
    106 int register_android_os_cts_OSFeatures(JNIEnv* env)
    107 {
    108     jclass clazz = env->FindClass("android/os/cts/OSFeatures");
    109 
    110     return env->RegisterNatives(clazz, gMethods,
    111             sizeof(gMethods) / sizeof(JNINativeMethod));
    112 }
    113