1 /* 2 * Copyright (C) 2013 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 */ 17 18 #include "jni.h" 19 20 #include <errno.h> 21 #include <stdio.h> 22 #include <stdlib.h> 23 #include <string.h> 24 #include <unistd.h> 25 26 #include <linux/filter.h> 27 #include <linux/seccomp.h> 28 29 #include <sys/prctl.h> 30 #include <sys/types.h> 31 #include <sys/utsname.h> 32 #include <sys/wait.h> 33 34 jint android_os_cts_OSFeatures_prctlCapBsetRead(JNIEnv* env, jobject thiz, jint i) 35 { 36 return prctl(PR_CAPBSET_READ, i, 0, 0, 0); 37 } 38 39 #define DENY BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) 40 41 static void test_seccomp() { 42 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { 43 _exit(0); 44 } 45 46 struct sock_filter filter[] = { DENY }; 47 struct sock_fprog prog; 48 memset(&prog, 0, sizeof(prog)); 49 prog.len = sizeof(filter) / sizeof(filter[0]); 50 prog.filter = filter; 51 52 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0) { 53 _exit(0); 54 } 55 56 while(1) { 57 _exit(0); // should crash with SIGSYS 58 } 59 } 60 61 jboolean android_os_cts_OSFeatures_hasSeccompSupport(JNIEnv* env, jobject) 62 { 63 pid_t pid = fork(); 64 if (pid == -1) { 65 jclass cls = env->FindClass("java/lang/RuntimeException"); 66 env->ThrowNew(cls, "fork failed"); 67 return false; 68 } 69 if (pid == 0) { 70 // child 71 test_seccomp(); 72 _exit(0); 73 } 74 75 int status; 76 TEMP_FAILURE_RETRY(waitpid(pid, &status, 0)); 77 return WIFSIGNALED(status) && (WTERMSIG(status) == SIGSYS); 78 } 79 80 jboolean android_os_cts_OSFeatures_needsSeccompSupport(JNIEnv*, jobject) 81 { 82 #if !defined(ARCH_SUPPORTS_SECCOMP) 83 // Seccomp support is only available for ARM, x86, x86_64. 84 // This define is controlled by the Android.mk. 85 return false; 86 #endif 87 return true; 88 } 89 90 static JNINativeMethod gMethods[] = { 91 { "prctlCapBsetRead", "(I)I", 92 (void *) android_os_cts_OSFeatures_prctlCapBsetRead }, 93 { "hasSeccompSupport", "()Z", 94 (void *) android_os_cts_OSFeatures_hasSeccompSupport }, 95 { "needsSeccompSupport", "()Z", 96 (void *) android_os_cts_OSFeatures_needsSeccompSupport } 97 }; 98 99 int register_android_os_cts_OSFeatures(JNIEnv* env) 100 { 101 jclass clazz = env->FindClass("android/os/cts/OSFeatures"); 102 103 return env->RegisterNatives(clazz, gMethods, 104 sizeof(gMethods) / sizeof(JNINativeMethod)); 105 } 106