mediacodec: add seccomp filter for arm/arm64
mediacodec always runs in 32 bit mode so the arm seccomp filter is also
used on arm64 devices.
Tests: mediaserver CTS for bullhead, volantis and shamu
Add policy to log blocked syscalls to syslog and allow debuggerd attach
on mediacodec crash.
Bug: 27066802, 27064966
Change-Id: I4bdbba25b8847afa98d89b4b4ca863829fa19754
diff --git a/services/mediacodec/minijail/minijail.cpp b/services/mediacodec/minijail/minijail.cpp
new file mode 100644
index 0000000..72bb1af
--- /dev/null
+++ b/services/mediacodec/minijail/minijail.cpp
@@ -0,0 +1,50 @@
+/*
+**
+** Copyright 2016, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+
+#include <cutils/log.h>
+#include <libminijail.h>
+
+#include "minijail.h"
+
+namespace android {
+
+/* Must match location in Android.mk */
+static const char kSeccompFilePath[] = "/system/etc/seccomp_policy/mediacodec-seccomp.policy";
+
+int MiniJail()
+{
+ /* no seccomp policy for this architecture */
+ if (access(kSeccompFilePath, R_OK) == -1) {
+ ALOGW("No seccomp filter defined for this architecture.");
+ return 0;
+ }
+
+ struct minijail *jail = minijail_new();
+ if (jail == NULL) {
+ ALOGW("Failed to create minijail.");
+ return -1;
+ }
+
+ minijail_no_new_privs(jail);
+ minijail_log_seccomp_filter_failures(jail);
+ minijail_use_seccomp_filter(jail);
+ minijail_parse_seccomp_filters(jail, kSeccompFilePath);
+ minijail_enter(jail);
+ minijail_destroy(jail);
+ return 0;
+}
+}