Merge "Docs: Add seccomp-bpf w/ TSYNC requirement and howto."
diff --git a/src/devices/tech/config/kernel.jd b/src/devices/tech/config/kernel.jd
index e76a97e..f21389c 100644
--- a/src/devices/tech/config/kernel.jd
+++ b/src/devices/tech/config/kernel.jd
@@ -26,23 +26,25 @@
 
 <p>The kernel configuration settings in this document are meant to be used as a
 base for an Android kernel configuration. All devices should have the options
-in android-base configuration enabled. While not mandatory, the options in
-android-recommended configuration enable advanced Android 
-features.</p>
+in android-base configuration enabled. The options in
+android-recommended configuration enable advanced Android
+features. See <a href="{@docRoot}security/overview/kernel-security.html">System
+and Kernel Security</a> for controls already undertaken to strengthen the
+kernel on your devices. See the <a
+href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition
+Document (CDD)</a> for required settings.</p>
 
 <p>
 Generating kernel config: Assuming you already have a minimalist defconfig for your device, a possible
 way to enable these options would be:</p>
 
-<pre>ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig android/configs/android-base.cfg 
+<pre>ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig android/configs/android-base.cfg
 android/configs/android-recommended.cfg</pre>
 <p>
 This will generate a .config that can then be used to save a new defconfig or
 compile a new kernel with Android features enabled.
 </p>
-<h3 id="base">
-Base Configuration
-</h3>
+<h2 id="base">Base Configuration</h2>
 <pre>
 CONFIG_EXPERIMENTAL=y
 CONFIG_SYSVIPC=y
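Review bot: the `<pre>` line `ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig ...` (touched here only to drop trailing whitespace) still carries unescaped `<arch>`, `<path_to>` and `<device>`; in a .jd/HTML page these parse as tags and disappear from the rendered output, so they should be `&lt;arch&gt;`, `&lt;path_to&gt;` and `&lt;device&gt;`. Dropping "While not mandatory," also removes the only statement that android-recommended is optional; since the new text defers to the CDD for required settings, keep an explicit sentence saying the recommended options are not required. "controls already undertaken to strengthen the kernel" reads awkwardly; "the kernel hardening the platform already provides" would be clearer.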
@@ -180,7 +182,7 @@
 CONFIG_ANDROID_INTF_ALARM_DEV=y
 </pre>
 
-<h3 id="recommended">Recommended Configuration</h3>
+<h2 id="recommended">Recommended Configuration</h2>
 
 <pre>
 CONFIG_PANIC_TIMEOUT=5
@@ -302,7 +304,7 @@
 CONFIG_PROC_PID_CPUSET=y
 </pre>
 
-<h3 id="audio">For USB host mode audio</h3>
+<h2 id="audio">For USB host mode audio</h2>
 
 <pre>
 CONFIG_SND_USB=y
@@ -310,8 +312,168 @@
 # CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver
 </pre>
 
-<h3 id="midi">For USB host mode MIDI</h3>
+<h2 id="midi">For USB host mode MIDI</h2>
 
 <pre>
 CONFIG_SND_USB_MIDI=y
 </pre>
+
+<h2 id="Seccomp-BPF-TSYNC">Seccomp-BPF with TSYNC Requirement</h2>
+<p>
+Seccomp-BPF is a kernel security technology that
+enables the creation of sandboxes to restrict the system calls a process is
+allowed to make. The TSYNC feature enables the use of seccomp-bpf from
+multithreaded programs.
+</p>
+<p>
+This requirement is limited to architectures that have seccomp support upstream:
+ARM, ARM64, x86, and x86_64.
+</p>
+<h3 id="backport-ARM-32">Backporting for Kernel 3.10 for ARM-32, X86, X86_64</h3>
+<p>
+First, ensure that <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the
+Kconfig. This is already verified as of the Android 5.0 CTS.
+</p>
+<p>
+Next, cherry-pick the following changes from the AOSP kernel/common:android-3.10
+repository:
+</p>
+<p>
+<a
+href="https://android.googlesource.com/kernel/common/+log/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28">9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28</a>
+</p>
+<ul>
+<li><a
+href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428
+ ARM: add seccomp syscall</a>
+<li><a
+href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd
+ seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600
+ seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
+Roeck
+<li><a
+href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db
+ seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7
+ seccomp: allow mode setting across threads</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88
+ seccomp: introduce writer locking</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf
+ seccomp: split filter prep from check and apply</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69
+ sched: move no_new_privs into new atomic flags</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4
+ seccomp: add "seccomp" syscall</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde
+ seccomp: split mode setting routines</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff
+ seccomp: extract check/assign mode helpers</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43
+ seccomp: create internal mode-setting function</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11">987a0f1
+ introduce for_each_thread() to replace the buggy while_each_thread()</a> by
+Oleg Nesterov
+<li><a
+href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d">a03a242
+ arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter Zijlstra
+</ul>
+<p>
+Apply these patches in the inverse order that they are
+listed (<code>a9ba428</code> should be last).
+</p>
+<p>
+<h3 id="backport-ARM-64">Backporting for Kernel 3.10 for ARM-64</h3>
+</p>
+<p>
+First, ensure that<code> CONFIG_SECCOMP_FILTER=y </code>is enabled in the
+Kconfig. This is already verified as of the Android 5.0 CTS.
+</p>
+<p>
+Next, cherry-pick the following changes from the AOSP kernel/common:android-3.10
+repository:
+</p>
+<ul>
+<li><a
+href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929">210957c
+ arm64: add seccomp support</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85">7722723
+ arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b">4f12b53
+ add seccomp syscall for compat task</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8">dab1073
+ asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI
+Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122">feb2843
+ arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035">abbfed9
+ arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad">4190090
+ ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a>
+by Will Deacon
+<li><a
+href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428
+ ARM: add seccomp syscall</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd
+ seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600
+ seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
+Roeck
+<li><a
+href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db
+ seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7
+ seccomp: allow mode setting across threads</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88
+ seccomp: introduce writer locking</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf
+ seccomp: split filter prep from check and apply</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69
+ sched: move no_new_privs into new atomic flags</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4
+ seccomp: add "seccomp" syscall</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde
+ seccomp: split mode setting routines</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff
+ seccomp: extract check/assign mode helpers</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43
+ seccomp: create internal mode-setting function</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76">9499cd2
+ syscall_get_arch: remove useless function arguments</a> by Eric Paris
+<li><a
+href="https://android.googlesource.com/kernel/common/+/3e21c0bb663a23436e0eb3f61860d4fedc233bab">3e21c0b
+ arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall
+<li><a
+href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3">bf11863
+ arm64: Add audit support</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d">cfc7e99e9
+ arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall
+</ul>
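Review bot: the ARM-64 list gives no apply order, while the ARM-32/x86 list says to apply in inverse order with a9ba428 last; in the ARM-64 list a9ba428 sits in the middle, the arm64-specific patches (210957c and following) come first and 9499cd2, 3e21c0b, bf11863 and cfc7e99e9 come last, so a reader cannot tell whether inverse order applies here too. State the order explicitly, or give a commit-range link as the first section does. The ARM-64 list also omits 987a0f1 (for_each_thread) and a03a242 (smp_load_acquire/smp_store_release), which the ARM-32/x86 list includes, presumably as prerequisites of the TSYNC patches; either add them or say why ARM-64 does not need them. Smaller points: `<h3 id="backport-ARM-64">` is wrapped in `<p>...</p>`, unlike the ARM-32 heading, which is invalid nesting and should be unwrapped; `<code> CONFIG_SECCOMP_FILTER=y </code>` has stray spaces inside the tag that the ARM-32 paragraph does not; the id "backport-ARM-32" is used for a section that also covers x86 and x86_64; and the `<li>` items are never closed while kernel-security.jd closes its `</li>` tags. Finally, "This requirement" in the opening paragraph does not say where the requirement is stated; link the CDD section that mandates it, as the page intro does for required settings.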
diff --git a/src/security/overview/kernel-security.jd b/src/security/overview/kernel-security.jd
index f84b652..f41016a 100644
--- a/src/security/overview/kernel-security.jd
+++ b/src/security/overview/kernel-security.jd
@@ -30,8 +30,12 @@
   native code is constrained by the Application Sandbox.  Whether that code is
   the result of included application behavior or a exploitation of an application
   vulnerability, the system would prevent the rogue application from harming
-  other applications, the Android system, or the device itself.</p>
-<h3 id="linux-security">Linux Security</h3>
+  other applications, the Android system, or the device itself. See <a
+  href="{@docRoot}devices/tech/config/kernel.html">Kernel Configuration</a> for
+  measures you can take to strengthen the kernel on your devices. See the <a
+  href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition
+  Document (CDD)</a> for required settings.</p>
+<h2 id="linux-security">Linux Security</h2>
 <p>The foundation of the Android platform is the Linux kernel. The Linux kernel
   itself has been in widespread use for years, and is used in millions of
   security-sensitive environments. Through its history of constantly being
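Review bot: the context line "a exploitation of an application vulnerability" should read "an exploitation"; it is pre-existing, but this paragraph is being edited anyway. The new cross-reference describes kernel.jd as "measures you can take to strengthen the kernel" while kernel.jd's intro describes this page as "controls already undertaken to strengthen the kernel"; pick one phrasing so the two pages describe each other consistently.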
@@ -56,7 +60,7 @@
   <li>Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS,
     bluetooth)</li>
 </ul>
-<h3 id="the-application-sandbox">The Application Sandbox</h3>
+<h2 id="the-application-sandbox">The Application Sandbox</h2>
 <p>The Android platform takes advantage of the Linux user-based protection as a
   means of identifying and isolating application resources.  The Android system
   assigns a unique user ID (UID) to each Android application and runs it as that user
@@ -91,33 +95,33 @@
 <p>Like all security features, the Application Sandbox is not unbreakable.
   However, to break out of the Application Sandbox in a properly configured
   device, one must compromise the security of the Linux kernel.</p>
-<h3 id="system-partition-and-safe-mode">System Partition and Safe Mode</h3>
+<h2 id="system-partition-and-safe-mode">System Partition and Safe Mode</h2>
 <p>The system partition contains Android's kernel as well as the operating system
   libraries, application runtime, application framework, and applications.  This
   partition is set to read-only. When a user boots the device into Safe Mode,
   third-party applications may be launched manually by the device owner but are
   not launched by default on start up.</p>
-<h3 id="filesystem-permissions">Filesystem Permissions</h3>
+<h2 id="filesystem-permissions">Filesystem Permissions</h2>
 <p>In a UNIX-style environment, filesystem permissions ensure that one user cannot
   alter or read another user's files. In the case of Android, each application
   runs as its own user. Unless the developer explicitly exposes files to other
   applications, files created by one application cannot be read or altered by
   another application.</p>
-<h3 id="se-linux">Security-Enhanced Linux</h3>
+<h2 id="se-linux">Security-Enhanced Linux</h2>
 <p>Android uses Security-Enhanced
   Linux (SELinux) to apply access control policies and establish an environment of
   mandatory access control (mac). See <a
 href="{@docRoot}security/selinux/index.html">Validating
     Security-Enhanced Linux in
     Android</a> for details.</p>
-<h3 id="crypto">Cryptography</h3>
+<h2 id="crypto">Cryptography</h2>
 <p> Android provides a set of cryptographic APIs for use by applications. These
   include  implementations of standard and commonly used cryptographic primitives
   such as AES, RSA, DSA, and SHA. Additionally, APIs are provided for higher level
   protocols such as SSL and HTTPS. </p>
 <p> Android 4.0 introduced the <a href="http://developer.android.com/reference/android/security/KeyChain.html">KeyChain</a> class to allow applications to use the system credential storage for private
   keys and certificate chains. </p>
-<h3>Rooting of Devices</h3>
+<h2 id="rooting-devices">Rooting of Devices</h2>
 <p> By default, on Android only the kernel and a small subset of the core
   applications run with root permissions. Android does not prevent a user or
   application with root permissions from modifying the operating system, kernel,
@@ -151,8 +155,8 @@
   devices uses the device password to protect the encryption key, so modifying
   the bootloader or operating system is not sufficient to access user data
   without the user’s device password. </p>
-<h3>User Security Features</h3>
-<h4 id="filesystem-encryption">Filesystem Encryption</h4>
+<h2 id="user-security">User Security Features</h2>
+<h3 id="filesystem-encryption">Filesystem Encryption</h3>
 <p>Android 3.0 and later provides full filesystem encryption, so all user data can
   be encrypted in the kernel using the dmcrypt implementation of AES128 with CBC
   and ESSIV:SHA256. The encryption key is protected by AES128 using a key
@@ -173,7 +177,7 @@
   this password protects the cryptographic key for full filesystem encryption.</p>
 <p>Use of a password and/or password complexity rules can be required by a device
   administrator.</p>
-<h3 id="device-administration">Device Administration</h3>
+<h2 id="device-administration">Device Administration</h2>
 <p>Android 2.2 and later provide the Android Device Administration API, which
   provides device administration features at the system level. For example, the
   built-in Android Email application uses the APIs to improve Exchange support.