Makes sure to set up the mediaextractor x86_64 seccomp policy. Three fixes (1) Sets LOCAL_REQUIRED_MODULES_x86_64. Otherwise the policy file won't be in the system image at all. (2) Drops the executable bit (chmod a-x) of the policy file. (3) Incorporates the changes done on x86.policy between O and P. The previous patch seems to be a cherry-pick from AOSP, which does not take the P changes into account. (Hence mediaextractor just crashes if the previous policy file is applied to P.) Bug: 79158930 Bug: 69073312 Test: ProcessMustUseSeccompTest#testMediaextractorHasSeccompFilter Test: CtsMediaTestCases runs without mediaextractor/minijail error Change-Id: Iada4c75883de03b5a44a06df33de428c2ceef3d5

commit: 9200bf9bbed390954cf824aa42ad2603dfcb6bcb [log] [tgz]
author: Kazuhiro Inaba <kinaba@google.com> Thu Jun 07 13:59:11 2018 +0900
committer: Kazuhiro Inaba <kinaba@google.com> Thu Jun 07 16:47:34 2018 +0900
tree: 24c33d065b70dfd8b327f27ab3d32c752a3efac9
parent: 7e19897b405318df20eccb1d697a8ecccd70fbc7 [diff]
diff --git a/services/mediaextractor/Android.mk b/services/mediaextractor/Android.mk
index 37d6cc9..73c9535 100644
--- a/services/mediaextractor/Android.mk
+++ b/services/mediaextractor/Android.mk

@@ -18,6 +18,7 @@
 LOCAL_REQUIRED_MODULES_arm := crash_dump.policy mediaextractor.policy
 LOCAL_REQUIRED_MODULES_arm64 := crash_dump.policy mediaextractor.policy
 LOCAL_REQUIRED_MODULES_x86 := crash_dump.policy mediaextractor.policy
+LOCAL_REQUIRED_MODULES_x86_64 := crash_dump.policy mediaextractor.policy
 
 # extractor libraries
 LOCAL_REQUIRED_MODULES += \

diff --git a/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy b/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy
old mode 100755
new mode 100644
index 63c7780..6d9ed6f
--- a/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy
+++ b/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy

@@ -21,6 +21,7 @@
 getuid: 1
 setpriority: 1
 sigaltstack: 1
+fstatfs: 1
 newfstatat: 1
 restart_syscall: 1
 exit: 1
@@ -30,28 +31,21 @@
 sched_setscheduler: 1
 getrlimit: 1
 nanosleep: 1
+getrandom: 1
+
+# for dynamically loading extractors
+getdents64: 1
+readlinkat: 1
+pread64: 1
+mremap: 1
 
 # for FileSource
 readlinkat: 1
 
-# for attaching to debuggerd on process crash
-tgkill: 1
-socket: arg0 == 1
-connect: 1
-fcntl: 1
-rt_sigprocmask: 1
-rt_sigaction: 1
-rt_tgsigqueueinfo: 1
-geteuid: 1
-getgid: 1
-getegid: 1
-getgroups: 1
-getdents64: 1
-pipe2: 1
-ppoll: 1
-
 # Required by AddressSanitizer
 gettid: 1
 sched_yield: 1
 getpid: 1
 gettid: 1
+
+@include /system/etc/seccomp_policy/crash_dump.x86_64.policy
commit	9200bf9bbed390954cf824aa42ad2603dfcb6bcb	[log] [tgz]
author	Kazuhiro Inaba <kinaba@google.com>	Thu Jun 07 13:59:11 2018 +0900
committer	Kazuhiro Inaba <kinaba@google.com>	Thu Jun 07 16:47:34 2018 +0900
tree	24c33d065b70dfd8b327f27ab3d32c752a3efac9
parent	7e19897b405318df20eccb1d697a8ecccd70fbc7 [diff]