libminijail: Refactor `seccomp_filter_flags_available()`
This change creates a new function called
`seccomp_filter_flags_available()` so that it can also be called from
tests.
Bug: None
Test: make tests
Change-Id: Ie41ef0c7c457a39e4a46d5fcb6d6ff1dd29de890
diff --git a/Android.bp b/Android.bp
index 011e178..80a88b4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -310,6 +310,7 @@
srcs: [
"bpf.c",
"syscall_filter.c",
+ "syscall_wrapper.c",
"util.c",
"syscall_filter_unittest.cc",
] + unittestSrcFiles,
@@ -338,6 +339,7 @@
host_supported: true,
srcs: [
+ "syscall_wrapper.c",
"system.c",
"util.c",
"system_unittest.cc",
diff --git a/libminijail.c b/libminijail.c
index d0a7574..2b8d767 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -48,31 +48,6 @@
# define PR_ALT_SYSCALL 0x43724f53
#endif
-/* Seccomp filter related flags. */
-#ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
-#endif
-
-#ifndef SECCOMP_MODE_FILTER
-#define SECCOMP_MODE_FILTER 2 /* Uses user-supplied filter. */
-#endif
-
-#ifndef SECCOMP_SET_MODE_STRICT
-# define SECCOMP_SET_MODE_STRICT 0
-#endif
-#ifndef SECCOMP_SET_MODE_FILTER
-# define SECCOMP_SET_MODE_FILTER 1
-#endif
-
-#ifndef SECCOMP_FILTER_FLAG_TSYNC
-# define SECCOMP_FILTER_FLAG_TSYNC 1
-#endif
-
-#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
-# define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1 << 2)
-#endif
-/* End seccomp filter related flags. */
-
/* New cgroup namespace might not be in linux-headers yet. */
#ifndef CLONE_NEWCGROUP
# define CLONE_NEWCGROUP 0x02000000
@@ -1001,9 +976,8 @@
}
if (j->flags.seccomp_filter_allow_speculation) {
/* Is the SPEC_ALLOW flag supported? */
- if (sys_seccomp(SECCOMP_SET_MODE_FILTER,
- SECCOMP_FILTER_FLAG_SPEC_ALLOW, NULL) == -1 &&
- errno == EINVAL) {
+ if (!seccomp_filter_flags_available(
+ SECCOMP_FILTER_FLAG_SPEC_ALLOW)) {
warn("allowing speculative execution on seccomp "
"processes not supported");
j->flags.seccomp_filter_allow_speculation = 0;
diff --git a/syscall_wrapper.h b/syscall_wrapper.h
index ffdf707..7769108 100644
--- a/syscall_wrapper.h
+++ b/syscall_wrapper.h
@@ -3,4 +3,42 @@
* found in the LICENSE file.
*/
+#ifndef _SYSCALL_WRAPPER_H_
+#define _SYSCALL_WRAPPER_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Seccomp filter related flags. */
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2 /* Uses user-supplied filter. */
+#endif
+
+#ifndef SECCOMP_SET_MODE_STRICT
+# define SECCOMP_SET_MODE_STRICT 0
+#endif
+#ifndef SECCOMP_SET_MODE_FILTER
+# define SECCOMP_SET_MODE_FILTER 1
+#endif
+
+#ifndef SECCOMP_FILTER_FLAG_TSYNC
+# define SECCOMP_FILTER_FLAG_TSYNC 1
+#endif
+
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
+# define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1 << 2)
+#endif
+/* End seccomp filter related flags. */
+
int sys_seccomp(unsigned int operation, unsigned int flags, void *args);
+
+#ifdef __cplusplus
+}; /* extern "C" */
+#endif
+
+#endif /* _SYSCALL_WRAPPER_H_ */
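Review bot: The `#ifndef` fallbacks moved into this shared header only defer to the kernel's definitions when `<sys/prctl.h>` and `<linux/seccomp.h>` have already been included by the translation unit. If a file includes them after `syscall_wrapper.h`, the kernel header defines the same names again, and its `SECCOMP_FILTER_FLAG_SPEC_ALLOW` is spelled `(1UL << 2)` rather than `(1 << 2)`, so the compiler reports an incompatible macro redefinition. The system.c hunk places the include after `<linux/securebits.h>`, which suggests the order is right there, but the test sources added in Android.bp are not visible. Either include the system headers at the top of this header ahead of the fallbacks, if they exist on every supported toolchain, or state the requirement with a comment such as `/* Include after <sys/prctl.h> and <linux/seccomp.h>; these fallbacks apply only when those headers lack the definition. */`.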
diff --git a/system.c b/system.c
index ae7f02c..52a07c5 100644
--- a/system.c
+++ b/system.c
@@ -22,6 +22,7 @@
#include <linux/securebits.h>
+#include "syscall_wrapper.h"
#include "util.h"
/*
@@ -534,3 +535,9 @@
return ret_kill_process_available;
}
+
+bool seccomp_filter_flags_available(unsigned int flags)
+{
+ return sys_seccomp(SECCOMP_SET_MODE_FILTER, flags, NULL) != -1 ||
+ errno != EINVAL;
+}
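Review bot: `seccomp_filter_flags_available()` returns true for every failure other than `EINVAL`, so a kernel that lacks seccomp(2) altogether (`ENOSYS`) is reported as supporting whatever flags are passed. That matched the single inline check it replaces in libminijail.c, but as a reusable helper that tests will call, the contract should be explicit. Assuming `sys_seccomp()` passes the kernel's errno through, a NULL filter with accepted flags is expected to fail with `EFAULT`, so the stricter form would be `return sys_seccomp(SECCOMP_SET_MODE_FILTER, flags, NULL) == -1 && errno == EFAULT;`. That is a behaviour change and should be checked against the oldest supported kernel. At minimum add a comment above the function, e.g. `/* Probes with a NULL filter: EINVAL means the kernel rejected |flags|; any other outcome is treated as "available". */`.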
diff --git a/system.h b/system.h
index 6dbc6b8..b6a9a8d 100644
--- a/system.h
+++ b/system.h
@@ -59,6 +59,7 @@
int seccomp_ret_log_available(void);
int seccomp_ret_kill_process_available(void);
+bool seccomp_filter_flags_available(unsigned int flags);
#ifdef __cplusplus
}; /* extern "C" */
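Review bot: The new prototype returns `bool` while the neighbouring probes `seccomp_ret_log_available()` and `seccomp_ret_kill_process_available()` return `int`, so the header's probe family now has two conventions. If `bool` is intended, check that system.h includes `<stdbool.h>` itself (not visible in this hunk), because C callers that include system.h first would otherwise fail to compile. A one-line comment on the declaration saying that `flags` is a mask of `SECCOMP_FILTER_FLAG_*` values would also help callers in tests.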