From 926337f331af0ae1ad2adaa35812e165676f8efa Mon Sep 17 00:00:00 2001
From: Hendra Manudinata
Date: Tue, 9 Mar 2021 09:07:38 +0700
Subject: [PATCH] universal7570: seccomp: Update for exynos 7570

Change-Id: I79681f70e7c56bff6081a4fd81d2a7ad1cdb5081
---
 seccomp/crash_dump.arm.policy | 37 ++++++++
 ...codec-seccomp.policy => mediacodec.policy} | 3 +-
 seccomp/mediaextractor-seccomp.policy | 4 -
 seccomp/mediaextractor.policy | 52 +++++++++++
 seccomp/mediaextractor_sec.policy | 2 +
 seccomp/mediaswcodec.policy | 88 ++++++++++++++++++-
 6 files changed, 180 insertions(+), 6 deletions(-)
 create mode 100644 seccomp/crash_dump.arm.policy
 rename seccomp/{mediacodec-seccomp.policy => mediacodec.policy} (62%)
 delete mode 100644 seccomp/mediaextractor-seccomp.policy
 create mode 100644 seccomp/mediaextractor.policy
 create mode 100644 seccomp/mediaextractor_sec.policy

diff --git a/seccomp/crash_dump.arm.policy b/seccomp/crash_dump.arm.policy
new file mode 100644
index 0000000..254330d
--- /dev/null
+++ b/seccomp/crash_dump.arm.policy
@@ -0,0 +1,37 @@
+read: 1
+write: 1
+exit: 1
+rt_sigreturn: 1
+sigreturn: 1
+exit_group: 1
+clock_gettime: 1
+gettimeofday: 1
+futex: 1
+getrandom: 1
+getpid: 1
+gettid: 1
+ppoll: 1
+pipe2: 1
+openat: 1
+dup: 1
+close: 1
+lseek: 1
+getdents64: 1
+faccessat: 1
+recvmsg: 1
+process_vm_readv: 1
+tgkill: 1
+rt_sigprocmask: 1
+rt_sigaction: 1
+rt_tgsigqueueinfo: 1
+prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41
+madvise: 1
+mprotect: arg2 in 0x1|0x2
+munmap: 1
+getuid32: 1
+fstat64: 1
+mmap2: arg2 in 0x1|0x2
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+getgroups32: 1
diff --git a/seccomp/mediacodec-seccomp.policy b/seccomp/mediacodec.policy
similarity index 62%
rename from seccomp/mediacodec-seccomp.policy
rename to seccomp/mediacodec.policy
index 16e2644..6f32f62 100644
--- a/seccomp/mediacodec-seccomp.policy
+++ b/seccomp/mediacodec.policy
@@ -1,3 +1,4 @@
+
 # for H/W Codec
 uname: 1
-getdents64: 1
\ No newline at end of file
+getdents64: 1
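Review bot: In seccomp/crash_dump.arm.policy the `prctl`, `mprotect` and `mmap2` rules use bare numeric values, so someone auditing the filter cannot tell what is allowed without looking them up. A comment above the `prctl` line such as `# 0x53564d41 is PR_SET_VMA (names anonymous mappings)` and one above `mprotect` such as `# 0x1|0x2 = PROT_READ|PROT_WRITE: no executable mappings` would make the intent reviewable. mediaextractor.policy in this same patch includes `/system/etc/seccomp_policy/crash_dump.arm.policy`, so the commit message should also say whether this device copy is the file installed at that path or a second copy that can drift from it.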
diff --git a/seccomp/mediaextractor-seccomp.policy b/seccomp/mediaextractor-seccomp.policy
deleted file mode 100644
index 63716c3..0000000
--- a/seccomp/mediaextractor-seccomp.policy
+++ /dev/null
@@ -1,4 +0,0 @@
-nanosleep: 1
-_llseek: 1
-pread64: 1
-readlinkat: 1
\ No newline at end of file
diff --git a/seccomp/mediaextractor.policy b/seccomp/mediaextractor.policy
new file mode 100644
index 0000000..964acf4
--- /dev/null
+++ b/seccomp/mediaextractor.policy
@@ -0,0 +1,52 @@
+# Organized by frequency of systemcall - in descending order for
+# best performance.
+ioctl: 1
+futex: 1
+prctl: 1
+write: 1
+getpriority: 1
+mmap2: 1
+close: 1
+munmap: 1
+dup: 1
+mprotect: 1
+getuid32: 1
+setpriority: 1
+sigaltstack: 1
+openat: 1
+open: 1
+clone: 1
+read: 1
+clock_gettime: 1
+lseek: 1
+writev: 1
+fstatat64: 1
+fstatfs64: 1
+fstat64: 1
+restart_syscall: 1
+exit: 1
+exit_group: 1
+rt_sigreturn: 1
+faccessat: 1
+madvise: 1
+brk: 1
+sched_setscheduler: 1
+gettid: 1
+rt_sigprocmask: 1
+sched_yield: 1
+ugetrlimit: 1
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+getgroups32: 1
+nanosleep: 1
+getrandom: 1
+
+# for dynamically loading extractors
+pread64: 1
+
+# for FileSource
+readlinkat: 1
+_llseek: 1
+
+@include /system/etc/seccomp_policy/crash_dump.arm.policy
diff --git a/seccomp/mediaextractor_sec.policy b/seccomp/mediaextractor_sec.policy
new file mode 100644
index 0000000..c652b47
--- /dev/null
+++ b/seccomp/mediaextractor_sec.policy
@@ -0,0 +1,2 @@
+# sound extractor
+set_tid_address: 1
diff --git a/seccomp/mediaswcodec.policy b/seccomp/mediaswcodec.policy
index 2a0edca..31ab22c 100644
--- a/seccomp/mediaswcodec.policy
+++ b/seccomp/mediaswcodec.policy
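Review bot: In seccomp/mediaextractor.policy, `prctl: 1`, `mmap2: 1` and `mprotect: 1` are allowed with no argument filter, while the crash_dump.arm.policy added in this patch defines argument-restricted rules for the same three syscalls and a file of that name is `@include`d at the end. The policy therefore carries two definitions per syscall, and as far as I can tell the unrestricted one is what takes effect, which leaves writable-and-executable mappings available to a process that parses untrusted media. mediaswcodec.policy in this patch already uses the W^X form, so consider `mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE` and `mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE` here too, after confirming on the device that extractor loading still works. If a vendor library needs the broad rules, a comment naming it would help the next audit.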
@@ -1,2 +1,88 @@
-madvise :1
+# Copyright (C) 2019 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+futex: 1
+# ioctl calls are filtered via the selinux policy.
+ioctl: 1
+sched_yield: 1
+close: 1
+dup: 1
+ppoll: 1
+mprotect: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+mmap2: arg2 in ~PROT_EXEC || arg2 in ~PROT_WRITE
+memfd_create: 1
+ftruncate: 1
+ftruncate64: 1
+
+# mremap: Ensure |flags| are (MREMAP_MAYMOVE | MREMAP_FIXED) TODO: Once minijail
+# parser support for '<' is in this needs to be modified to also prevent
+# |old_address| and |new_address| from touching the exception vector page, which
+# on ARM is statically loaded at 0xffff 0000. See
+# http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0211h/Babfeega.html
+# for more details.
+mremap: arg3 == 3
+munmap: 1
+prctl: 1
+getuid32: 1
+writev: 1
+sigaltstack: 1
+clone: 1
+exit: 1
+lseek: 1
+rt_sigprocmask: 1
+openat: 1
+open: 1
+fstat64: 1
+write: 1
+nanosleep: 1
+setpriority: 1
+set_tid_address: 1
+getdents64: 1
+readlinkat: 1
+readlink: 1
+read: 1
+pread64: 1
+fstatfs64: 1
+gettimeofday: 1
+faccessat: 1
+_llseek: 1
+fstatat64: 1
+ugetrlimit: 1
+exit_group: 1
+restart_syscall: 1
+rt_sigreturn: 1
+getrandom: 1
+
+eventfd2: 1
+madvise: 1
+
+# crash dump policy additions
+sigreturn: 1
+clock_gettime: 1
+futex: 1
+getpid: 1
+gettid: 1
+pipe2: 1
+recvmsg: 1
+process_vm_readv: 1
+tgkill: 1
+rt_sigaction: 1
+rt_tgsigqueueinfo: 1
+#prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41
+#mprotect: arg2 in 0x1|0x2
+#mmap2: arg2 in 0x1|0x2
+geteuid32: 1
+getgid32: 1
+getegid32: 1
+getgroups32: 1
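Review bot: The "crash dump policy additions" block in seccomp/mediaswcodec.policy repeats `futex: 1`, which is already the first rule in the file, and leaves three rules commented out without saying why. Because `prctl: 1` earlier in the file is the rule in force, a reader cannot tell whether the narrower `#prctl: arg0 == PR_GET_NO_NEW_PRIVS || arg0 == 0x53564d41` was dropped on purpose or by accident. I would delete the second `futex: 1`, since a duplicate definition may be warned about or rejected depending on how the policy parser is built. The three commented lines could become one comment, for example `# prctl/mprotect/mmap2 are defined above; the crash_dump variants are omitted to avoid duplicate definitions`, if that is the reason.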