Oreo: how to find all restricted syscalls at source code?

https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html

As stated in the "seccomp filter" section of this article,

Android O's seccomp filter blocks certain syscalls, such as swapon/swapoff, which have been implicated in some security attacks, and the key control syscalls, which are not useful to apps. In total, the filter blocks 17 of 271 syscalls in arm64 and 70 of 364 in arm.

Now some syscalls are blocked and throw the error signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr -------- Cause: seccomp prevented call to disallowed system call 55

But I cannot find the 17 syscalls in arm64 and the 70 syscalls in arm mentioned above. Which syscalls are restricted? How can I find the syscall that caused the crash?

Edited:

It looks like this error message is generated here.

https://github.com/aosp-mirror/platform_system_core/blob/master/debuggerd/libdebuggerd/tombstone.cpp#L96

  } else if (si->si_signo == SIGSYS && si->si_code == SYS_SECCOMP) {
    cause = StringPrintf("seccomp prevented call to disallowed %s system call %d", ABI_STRING,
                         si->si_syscall);
  }

Which syscalls are restricted in Android 8.0 Oreo?

The syscall filter source files are autogenerated, but the text files from which the filters are generated are located in the next directory up. Here we find a list of all syscalls of interest, as well as a couple of whitelists and blacklists. Presumably the app blacklist is what you're looking for; I've summarized it below.

Edit: syscall filtering background

The filtering itself is a standard feature provided by the Linux kernel, called seccomp. All AOSP does is make use of this feature to filter the system calls listed in the app blacklist linked above. A script processes that blacklist into a platform-specific autogenerated filter that is then fed to seccomp for the process from which all Android apps are launched (i.e. Zygote). Once this filtering is active, making a matching syscall from the filtered process (i.e. any app) will result in a SIGKILL signal being delivered. See here for some general information about Linux signals. The error message printed by the AOSP source you linked is just the system trying to give you some useful information when it notices that your process was killed - note that the method name is dump_probable_cause.

Blocked syscalls that modify IDs

+--------------------------------------------------+--------------------------+
|                     Function                     |        Blocked On        |
+--------------------------------------------------+--------------------------+
| int   setgid:setgid32(gid_t)                     | arm,x86                  |
| int   setgid:setgid(gid_t)                       | arm64,mips,mips64,x86_64 |
| int   setuid:setuid32(uid_t)                     | arm,x86                  |
| int   setuid:setuid(uid_t)                       | arm64,mips,mips64,x86_64 |
| int   setreuid:setreuid32(uid_t, uid_t)          | arm,x86                  |
| int   setreuid:setreuid(uid_t, uid_t)            | arm64,mips,mips64,x86_64 |
| int   setresuid:setresuid32(uid_t, uid_t, uid_t) | arm,x86                  |
| int   setresuid:setresuid(uid_t, uid_t, uid_t)   | arm64,mips,mips64,x86_64 |
| int   setresgid:setresgid32(gid_t, gid_t, gid_t) | arm,x86                  |
| int   setresgid:setresgid(gid_t, gid_t, gid_t)   | arm64,mips,mips64,x86_64 |
| int   setfsgid(gid_t)                            | all                      |
| int   setfsuid(uid_t)                            | all                      |
| int   setgroups:setgroups32(int, const gid_t*)   | arm,x86                  |
| int   setgroups:setgroups(int, const gid_t*)     | arm64,mips,mips64,x86_64 |
+--------------------------------------------------+--------------------------+

Blocked syscalls that modify time

+--------------------------------------------------------------------+------------+
|                              Function                              | Blocked On |
+--------------------------------------------------------------------+------------+
| int   adjtimex(struct timex*)                                      | all        |
| int   clock_adjtime(clockid_t, struct timex*)                      | all        |
| int   clock_settime(clockid_t, const struct timespec*)             | all        |
| int   settimeofday(const struct timeval*, const struct timezone*)  | all        |
| int   acct(const char*  filepath)                                  | all        |
| int   klogctl:syslog(int, char*, int)                              | all        |
| int   capset(cap_user_header_t header, const cap_user_data_t data) | all        |
| int   chroot(const char*)                                          | all        |
+--------------------------------------------------------------------+------------+

Blocked syscalls that change various machine configuration

+--------------------------------------------------------------------------------+------------+
|                                    Function                                    | Blocked On |
+--------------------------------------------------------------------------------+------------+
| int   init_module(void*, unsigned long, const char*)                           | all        |
| int   delete_module(const char*, unsigned int)                                 | all        |
| int   mount(const char*, const char*, const char*, unsigned long, const void*) | all        |
| int   umount2(const char*, int)                                                | all        |
| int   swapon(const char*, int)                                                 | all        |
| int   swapoff(const char*)                                                     | all        |
| int   setdomainname(const char*, size_t)                                       | all        |
| int   sethostname(const char*, size_t)                                         | all        |
| int   __reboot:reboot(int, int, int, void*)                                    | all        |
+--------------------------------------------------------------------------------+------------+
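An added example (not part of the original answer and not AOSP code): a small parser for table rows in the format shown above that lists which kernel syscalls are blocked on a given architecture. It assumes the bionic convention that in `name:other(...)` the part after the colon is the kernel syscall name; `SAMPLE_TABLE`, `parse_rows` and `blocked_on` are names made up for this example.

```python
import re

# A few rows copied from the tables above (constructed subset, not the full list).
SAMPLE_TABLE = """\
| int   setgid:setgid32(gid_t)                     | arm,x86                  |
| int   setgid:setgid(gid_t)                       | arm64,mips,mips64,x86_64 |
| int   setfsuid(uid_t)                            | all                      |
| int   klogctl:syslog(int, char*, int)            | all                      |
| int   swapon(const char*, int)                   | all                      |
| int   __reboot:reboot(int, int, int, void*)      | all                      |
"""

# Architectures named in the tables; "all" expands to this set.
ALL_ARCHES = frozenset({"arm", "arm64", "mips", "mips64", "x86", "x86_64"})

# "<ret> <libc_name>[:<syscall_name>](<args>)" (assumed row layout)
SIGNATURE = re.compile(r"^\w+\s+(?P<libc>\w+)(?::(?P<kernel>\w+))?\((?P<args>.*)\)$")


def parse_rows(table):
    """Yield (libc_name, kernel_syscall_name, arches) for each data row."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2:
            continue  # border lines ("+----+") and blank lines
        match = SIGNATURE.match(cells[0])
        if match is None:
            continue  # header row ("Function | Blocked On")
        arches = frozenset(cells[1].split(","))
        if arches == {"all"}:
            arches = ALL_ARCHES
        unknown = arches - ALL_ARCHES
        if unknown:
            raise ValueError(f"unknown architecture(s) {sorted(unknown)} in: {line!r}")
        # Without a ":name" suffix the libc name is also the syscall name.
        yield match["libc"], match["kernel"] or match["libc"], arches


def blocked_on(arch, table=SAMPLE_TABLE):
    """Return the sorted kernel syscall names blocked for one architecture."""
    if arch not in ALL_ARCHES:
        raise ValueError(f"unknown architecture: {arch}")
    return sorted({kernel for _, kernel, arches in parse_rows(table) if arch in arches})


if __name__ == "__main__":
    for arch in ("arm", "arm64"):
        print(arch, blocked_on(arch))
```

Passing the full text of the tables as the `table` argument gives the complete per-architecture list.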