CTS-on-gsi test, CtsSecurityHostTestCases--android.security.cts.ProcessMustUseSeccompTest#testMediaextractorHasSeccompFilter --android.security.cts.ProcessMustUseSeccompTest#testOmxHalHasSeccompFilter failed [Android Version]: Android8.1.0_r2 [CTS pachage version] Suite / Plan VTS / cts-on-gsi Suite / Build 8.1_R3 / 4632653 [device](Any device config may relate this failure) spreadtrum's iSharkL2 size:1080*1920 [bugzilla bugid] 79158930 [CTS Test Pre–Condition] 1.Language set to EN; 2.Keyguard set to none; 3.Enable GPS, Wifi network, USB debugging, Stay awake, Allow mock locations. 4.CTS version is VTS / cts-on-gsi 8.1_R3 [CTS Test Step]: 1 ./vts-tradefed 2 run cts-on-gsi [Expected Result ]: This case will pass. [Testing Result]: case failed: CtsSecurityHostTestCases --android.security.cts.ProcessMustUseSeccompTest#testMediaextractorHasSeccompFilter --android.security.cts.ProcessMustUseSeccompTest#testOmxHalHasSeccompFilter [13. Analysis]: junit.framework.AssertionFailedError: media.extractor must have a seccomp filter enabled. The "Seccomp" field of media.extractor's /proc/3292/status file should be set to "2" at junit.framework.Assert.fail(Assert.java:57) at junit.framework.Assert.assertTrue(Assert.java:22) For iSharkL2 device, TARGET_ARCH=x86_64, but in the following Android.mk, there is no x86_64 option and mediaextractor-x86_64.policy, so mediaextractor.polily will not be generated in the $(TARGET_OUT)/etc/seccomp_policy. Frameworks/av/services/mediaextractor/Android.mk: # service seccomp filter ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86)) include $(CLEAR_VARS) LOCAL_MODULE := mediaextractor.policy LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy LOCAL_SRC_FILES := seccomp_policy/mediaextractor-$(TARGET_ARCH).policy include $(BUILD_PREBUILT) endif [Analysize]: There is no mediaextractor-x86_64.policy file in the frameworks/av/services/mediaextractor/seccomp_policy/, so we can't write this mediaextractor-x86_64.policy And mediaextractor-x86_64.policy is got based on the mediaextractor-x86.policy and added the differences between mediaextractor-arm.policy and mediaextractor-arm64.policy. But there is a problem of the arrangement order of syscalls in mediaextractor-x86_64.policy, maybe it need Google engineer to refine it. [Conclusion]: 1. Add a new mediaextractor-x86_x64.policy 2. Modify the Android.mk file below in the frameworks/av/services/mediaextractor/ seccomp_policy 3. Because current google AOSP don’t consider x86_64 arch for mediaextractor policy, and iSharkL2 device use x86_64 arch, so we need to support it in the frameworks/av/services/mediaextractor/ seccomp_policy/. We will request to waive for this. [Patch Link]: https://android-review.googlesource.com/c/platform/frameworks/av/+/676982 Change-Id: Icd14cc62d6a2b8989ae3e2a1650af3749198522f

commit: 9f60b56976e7bad73890914b486092cad6632253 [log] [tgz]
author: Melvin Xu (徐敏) <melvin.xu@spreadtrum.com> Wed May 02 17:45:14 2018 +0800
committer: Melvin Xu <melvin.xu@spreadtrum.com> Thu May 10 02:52:15 2018 +0000
tree: ec45bafa3d2c5a928546de2ac2916abe3b4f3661
parent: 334e5dff4751eb77ade396f4c32404ca2b2892b3 [diff]
diff --git a/services/mediaextractor/Android.mk b/services/mediaextractor/Android.mk
index d41da39..3b883e7 100644
--- a/services/mediaextractor/Android.mk
+++ b/services/mediaextractor/Android.mk

@@ -26,7 +26,7 @@
 include $(BUILD_EXECUTABLE)
 
 # service seccomp filter
-ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86))
+ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64 x86 x86_64))
 include $(CLEAR_VARS)
 LOCAL_MODULE := mediaextractor.policy
 LOCAL_MODULE_CLASS := ETC

diff --git a/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy b/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy
new file mode 100755
index 0000000..63c7780
--- /dev/null
+++ b/services/mediaextractor/seccomp_policy/mediaextractor-x86_64.policy

@@ -0,0 +1,57 @@
+# Organized by frequency of systemcall - in descending order for
+# best performance.
+ioctl: 1
+futex: 1
+prctl: 1
+write: 1
+getpriority: 1
+close: 1
+dup: 1
+munmap: 1
+mmap: 1
+madvise: 1
+openat: 1
+clock_gettime: 1
+writev: 1
+brk: 1
+mprotect: 1
+read: 1
+lseek: 1
+clone: 1
+getuid: 1
+setpriority: 1
+sigaltstack: 1
+newfstatat: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+faccessat: 1
+sched_setscheduler: 1
+getrlimit: 1
+nanosleep: 1
+
+# for FileSource
+readlinkat: 1
+
+# for attaching to debuggerd on process crash
+tgkill: 1
+socket: arg0 == 1
+connect: 1
+fcntl: 1
+rt_sigprocmask: 1
+rt_sigaction: 1
+rt_tgsigqueueinfo: 1
+geteuid: 1
+getgid: 1
+getegid: 1
+getgroups: 1
+getdents64: 1
+pipe2: 1
+ppoll: 1
+
+# Required by AddressSanitizer
+gettid: 1
+sched_yield: 1
+getpid: 1
+gettid: 1
commit	9f60b56976e7bad73890914b486092cad6632253	[log] [tgz]
author	Melvin Xu (徐敏) <melvin.xu@spreadtrum.com>	Wed May 02 17:45:14 2018 +0800
committer	Melvin Xu <melvin.xu@spreadtrum.com>	Thu May 10 02:52:15 2018 +0000
tree	ec45bafa3d2c5a928546de2ac2916abe3b4f3661
parent	334e5dff4751eb77ade396f4c32404ca2b2892b3 [diff]