author | Danielle Roberts <daroberts@google.com> | 2017-02-28 21:26:59 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-02-28 21:26:59 +0000 |
commit | f5b6b9e40062a5ee9e42dac220484634f94b9970 (patch) | |
tree | 1da04bee564396e2ca6f9f2fbe7c566c2d8150d3 | |
parent | 360fdd4fc27edc65e2283757cef0cb3a202caf4a (diff) | |
parent | dbac7f22cddd2d44d11b68dbe41ae32ebedde507 (diff) | |
download | source.android.com-f5b6b9e40062a5ee9e42dac220484634f94b9970.tar.gz |
Merge "Docs: Updating kernel config content, formatting Fixing patch order and missing author, adding intros Test: make online-sac-docs - tested on staging instance 17 Bug: 35522446" am: 5c79595ce1 am: 50f6228501
am: dbac7f22cd
Change-Id: I6bcfff76f39694039d94b7577556bc98e68e53b3
-rw-r--r-- | src/devices/tech/config/kernel.jd | 574 |
1 files changed, 139 insertions, 435 deletions
diff --git a/src/devices/tech/config/kernel.jd b/src/devices/tech/config/kernel.jd index 81e9e51f..bc05a411 100644 --- a/src/devices/tech/config/kernel.jd +++ b/src/devices/tech/config/kernel.jd 
@@ -24,456 +24,160 @@ page.title=Kernel Configuration </div> </div> -<p>The kernel configuration settings in this document are meant to be used as a -base for an Android kernel configuration. All devices should have the options -in android-base configuration enabled. The options in -android-recommended configuration enable advanced Android -features. See <a href="{@docRoot}security/overview/kernel-security.html">System -and Kernel Security</a> for controls already undertaken to strengthen the -kernel on your devices. See the <a -href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition -Document (CDD)</a> for required settings.</p> +<p>Use the following configuration settings as a base for an Android kernel +configuration. Settings are organized into <code>android-base</code> and +<code>android-recommended</code> .cfg files: -<p> -Generating kernel config: Assuming you already have a minimalist defconfig for your device, a possible -way to enable these options would be:</p> +<ul> +<li><code>android-base</code>. These options enable core Android features and +should be enabled by all devices.</li> -<pre>ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig android/configs/android-base.cfg -android/configs/android-recommended.cfg</pre> -<p> -This will generate a .config that can then be used to save a new defconfig or -compile a new kernel with Android features enabled. 
-</p> -<h2 id="base">Base Configuration</h2> -<pre> -CONFIG_EXPERIMENTAL=y -CONFIG_SYSVIPC=y -CONFIG_CGROUPS=y -CONFIG_CGROUP_DEBUG=y -CONFIG_CGROUP_FREEZER=y -CONFIG_CGROUP_CPUACCT=y -CONFIG_RESOURCE_COUNTERS=y -CONFIG_CGROUP_SCHED=y -CONFIG_RT_GROUP_SCHED=y -CONFIG_BLK_DEV_INITRD=y -CONFIG_EMBEDDED=y -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y -CONFIG_PREEMPT=y -CONFIG_PM_AUTOSLEEP=y -CONFIG_PM_WAKELOCKS=y -CONFIG_BLK_DEV_DM=y -CONFIG_DM_CRYPT=y -CONFIG_NET=y -CONFIG_PACKET=y -CONFIG_UNIX=y -CONFIG_XFRM_USER=y -CONFIG_NET_KEY=y -CONFIG_INET=y -CONFIG_IP_ADVANCED_ROUTER=y -CONFIG_IP_MULTIPLE_TABLES=y -CONFIG_INET_ESP=y -# CONFIG_INET_LRO is not set -CONFIG_IPV6_PRIVACY=y -CONFIG_IPV6_ROUTER_PREF=y -CONFIG_IPV6_OPTIMISTIC_DAD=y -CONFIG_INET6_AH=y -CONFIG_INET6_ESP=y -CONFIG_INET6_IPCOMP=y -CONFIG_IPV6_MIP6=y -CONFIG_IPV6_MULTIPLE_TABLES=y -CONFIG_NETFILTER=y -CONFIG_NF_CONNTRACK=y -CONFIG_NF_CONNTRACK_EVENTS=y -CONFIG_NF_CT_PROTO_DCCP=y -CONFIG_NF_CT_PROTO_SCTP=y -CONFIG_NF_CT_PROTO_UDPLITE=y -CONFIG_NF_CONNTRACK_AMANDA=y -CONFIG_NF_CONNTRACK_FTP=y -CONFIG_NF_CONNTRACK_H323=y -CONFIG_NF_CONNTRACK_IRC=y -CONFIG_NF_CONNTRACK_NETBIOS_NS=y -CONFIG_NF_CONNTRACK_PPTP=y -CONFIG_NF_CONNTRACK_SANE=y -CONFIG_NF_CONNTRACK_TFTP=y -CONFIG_NF_CT_NETLINK=y -CONFIG_NETFILTER_TPROXY=y -CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y -CONFIG_NETFILTER_XT_TARGET_CONNMARK=y -CONFIG_NETFILTER_XT_TARGET_MARK=y -CONFIG_NETFILTER_XT_TARGET_NFLOG=y -CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y -CONFIG_NETFILTER_XT_TARGET_TPROXY=y -CONFIG_NETFILTER_XT_TARGET_TRACE=y -CONFIG_NETFILTER_XT_MATCH_COMMENT=y -CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y -CONFIG_NETFILTER_XT_MATCH_CONNMARK=y -CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y -CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y -CONFIG_NETFILTER_XT_MATCH_HELPER=y -CONFIG_NETFILTER_XT_MATCH_IPRANGE=y -CONFIG_NETFILTER_XT_MATCH_LENGTH=y -CONFIG_NETFILTER_XT_MATCH_LIMIT=y -CONFIG_NETFILTER_XT_MATCH_MAC=y -CONFIG_NETFILTER_XT_MATCH_MARK=y -CONFIG_NETFILTER_XT_MATCH_POLICY=y 
-CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y -CONFIG_NETFILTER_XT_MATCH_QTAGUID=y -CONFIG_NETFILTER_XT_MATCH_QUOTA=y -CONFIG_NETFILTER_XT_MATCH_QUOTA2=y -CONFIG_NETFILTER_XT_MATCH_QUOTA2_LOG=y -CONFIG_NETFILTER_XT_MATCH_SOCKET=y -CONFIG_NETFILTER_XT_MATCH_STATE=y -CONFIG_NETFILTER_XT_MATCH_STATISTIC=y -CONFIG_NETFILTER_XT_MATCH_STRING=y -CONFIG_NETFILTER_XT_MATCH_TIME=y -CONFIG_NETFILTER_XT_MATCH_U32=y -CONFIG_NF_CONNTRACK_IPV4=y -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_MATCH_AH=y -CONFIG_IP_NF_MATCH_ECN=y -CONFIG_IP_NF_MATCH_TTL=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_TARGET_REJECT=y -CONFIG_IP_NF_TARGET_REJECT_SKERR=y -CONFIG_NF_NAT=y -CONFIG_IP_NF_TARGET_MASQUERADE=y -CONFIG_IP_NF_TARGET_NETMAP=y -CONFIG_IP_NF_TARGET_REDIRECT=y -CONFIG_IP_NF_MANGLE=y -CONFIG_IP_NF_RAW=y -CONFIG_IP_NF_ARPTABLES=y -CONFIG_IP_NF_ARPFILTER=y -CONFIG_IP_NF_ARP_MANGLE=y -CONFIG_NF_CONNTRACK_IPV6=y -CONFIG_IP6_NF_IPTABLES=y -CONFIG_IP6_NF_FILTER=y -CONFIG_IP6_NF_TARGET_REJECT=y -CONFIG_IP6_NF_TARGET_REJECT_SKERR=y -CONFIG_IP6_NF_MANGLE=y -CONFIG_IP6_NF_RAW=y -CONFIG_NET_SCHED=y -CONFIG_NET_SCH_HTB=y -CONFIG_NET_CLS_U32=y -CONFIG_NET_EMATCH=y -CONFIG_NET_EMATCH_U32=y -CONFIG_NET_CLS_ACT=y -CONFIG_NETDEVICES=y -CONFIG_TUN=y -CONFIG_PPP=y -CONFIG_PPP_BSDCOMP=y -CONFIG_PPP_DEFLATE=y -CONFIG_PPP_MPPE=y -CONFIG_PPPOLAC=y -CONFIG_PPPOPNS=y -CONFIG_FB=y -CONFIG_SYNC=y -CONFIG_USB_GADGET=y -CONFIG_USB_G_ANDROID=y -CONFIG_USB_OTG_WAKELOCK=y -CONFIG_SWITCH=y -CONFIG_RTC_CLASS=y -CONFIG_STAGING=y -CONFIG_ANDROID=y -CONFIG_ANDROID_BINDER_IPC=y -CONFIG_ASHMEM=y -CONFIG_ANDROID_LOGGER=y -CONFIG_ANDROID_LOW_MEMORY_KILLER=y -CONFIG_ANDROID_INTF_ALARM_DEV=y -</pre> +<li><code>android-recommended</code>. 
These options enable advanced Android +features and are optional for devices.</li> +</ul> + +<p>Both the android-base.cfg and android-recommended.cfg files are located in +the android-common kernel repo at +<a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/</a>. +<p>In version 4.8 of the upstream Linux kernel, a new location (kernel/configs) +was designated for kernel configuration fragments. The android base and +recommended config fragments are located in that directory for branches based on +4.8 or later. For kernel branches based on releases prior to 4.8, the config +fragments are located in the android/ directory.</p> + +<p>For details on controls already undertaken to strengthen the kernel on your +devices, see <a href="{@docRoot}security/overview/kernel-security.html">System +and Kernel Security</a>. For details on required settings, see the +<a href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition +Document (CDD)</a>.</p> -<h2 id="recommended">Recommended Configuration</h2> +<h2 id="generating">Generating kernel config</h2> +<p>For devices that have a minimalist defconfig, you can use the following to +enable options:</p> -<pre> -CONFIG_PANIC_TIMEOUT=5 -CONFIG_KALLSYMS_ALL=y -CONFIG_PERF_EVENTS=y -CONFIG_COMPACTION=y -# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set -CONFIG_PM_WAKELOCKS_LIMIT=0 -# CONFIG_PM_WAKELOCKS_GC is not set -CONFIG_PM_RUNTIME=y -CONFIG_PM_DEBUG=y -CONFIG_SUSPEND_TIME=y -CONFIG_BLK_DEV_LOOP=y -CONFIG_BLK_DEV_RAM=y -CONFIG_BLK_DEV_RAM_SIZE=8192 -CONFIG_UID_STAT=y -CONFIG_MD=y -CONFIG_DM_UEVENT=y -CONFIG_INPUT_EVDEV=y -CONFIG_INPUT_KEYRESET=y -# CONFIG_INPUT_MOUSE is not set -CONFIG_INPUT_JOYSTICK=y -CONFIG_JOYSTICK_XPAD=y -CONFIG_JOYSTICK_XPAD_FF=y -CONFIG_JOYSTICK_XPAD_LEDS=y -CONFIG_INPUT_TABLET=y -CONFIG_TABLET_USB_ACECAD=y -CONFIG_TABLET_USB_AIPTEK=y -CONFIG_TABLET_USB_GTCO=y -CONFIG_TABLET_USB_HANWANG=y -CONFIG_TABLET_USB_KBTAB=y -CONFIG_TABLET_USB_WACOM=y 
-CONFIG_INPUT_MISC=y -CONFIG_INPUT_KEYCHORD=y -CONFIG_INPUT_UINPUT=y -CONFIG_INPUT_GPIO=y -# CONFIG_VT is not set -# CONFIG_LEGACY_PTYS is not set -CONFIG_POWER_SUPPLY=y -CONFIG_BATTERY_ANDROID=y -CONFIG_MEDIA_SUPPORT=y -CONFIG_BACKLIGHT_LCD_SUPPORT=y -CONFIG_SOUND=y -CONFIG_SND=y -CONFIG_UHID=y -CONFIG_USB_HIDDEV=y -CONFIG_HID_A4TECH=y -CONFIG_HID_ACRUX=y -CONFIG_HID_ACRUX_FF=y -CONFIG_HID_APPLE=y -CONFIG_HID_BELKIN=y -CONFIG_HID_CHERRY=y -CONFIG_HID_CHICONY=y -CONFIG_HID_PRODIKEYS=y -CONFIG_HID_CYPRESS=y -CONFIG_HID_DRAGONRISE=y -CONFIG_DRAGONRISE_FF=y -CONFIG_HID_EMS_FF=y -CONFIG_HID_ELECOM=y -CONFIG_HID_EZKEY=y -CONFIG_HID_HOLTEK=y -CONFIG_HID_KEYTOUCH=y -CONFIG_HID_KYE=y -CONFIG_HID_UCLOGIC=y -CONFIG_HID_WALTOP=y -CONFIG_HID_GYRATION=y -CONFIG_HID_TWINHAN=y -CONFIG_HID_KENSINGTON=y -CONFIG_HID_LCPOWER=y -CONFIG_HID_LOGITECH=y -CONFIG_LOGITECH_FF=y -CONFIG_LOGIRUMBLEPAD2_FF=y -CONFIG_LOGIG940_FF=y -CONFIG_HID_MAGICMOUSE=y -CONFIG_HID_MICROSOFT=y -CONFIG_HID_MONTEREY=y -CONFIG_HID_MULTITOUCH=y -CONFIG_HID_NTRIG=y -CONFIG_HID_ORTEK=y -CONFIG_HID_PANTHERLORD=y -CONFIG_PANTHERLORD_FF=y -CONFIG_HID_PETALYNX=y -CONFIG_HID_PICOLCD=y -CONFIG_HID_PRIMAX=y -CONFIG_HID_ROCCAT=y -CONFIG_HID_SAITEK=y -CONFIG_HID_SAMSUNG=y -CONFIG_HID_SONY=y -CONFIG_HID_SPEEDLINK=y -CONFIG_HID_SUNPLUS=y -CONFIG_HID_GREENASIA=y -CONFIG_GREENASIA_FF=y -CONFIG_HID_SMARTJOYPLUS=y -CONFIG_SMARTJOYPLUS_FF=y -CONFIG_HID_TIVO=y -CONFIG_HID_TOPSEED=y -CONFIG_HID_THRUSTMASTER=y -CONFIG_HID_WACOM=y -CONFIG_HID_WIIMOTE=y -CONFIG_HID_ZEROPLUS=y -CONFIG_HID_ZYDACRON=y -CONFIG_USB_USBNET=y -CONFIG_USB_ANNOUNCE_NEW_DEVICES=y -CONFIG_USB_EHCI_HCD=y -CONFIG_ION=y -CONFIG_ANDROID_RAM_CONSOLE=y -CONFIG_ANDROID_TIMED_GPIO=y -CONFIG_EXT4_FS=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_FUSE_FS=y -CONFIG_MSDOS_FS=y -CONFIG_VFAT_FS=y -CONFIG_TMPFS=y -CONFIG_TMPFS_POSIX_ACL=y -CONFIG_SCHEDSTATS=y -CONFIG_TIMER_STATS=y -CONFIG_SCHED_TRACER=y -CONFIG_CPUSETS=y -CONFIG_PROC_PID_CPUSET=y -</pre> +<pre><code>ARCH=<em>arch</em> 
scripts/kconfig/merge_config.sh <em>path</em>/<em>device</em>_defconfig android/configs/android-base.cfg android/configs/android-recommended.cfg</code></pre> -<h2 id="audio">For USB host mode audio</h2> +<p>This generates a .config file you can use to save a new defconfig or +compile a new kernel with Android features enabled.</p> -<pre> -CONFIG_SND_USB=y +<h2 id="usb">Enabling USB host mode options</h2> + +<p>For USB host mode audio, enable the following options:</p> +<pre><code>CONFIG_SND_USB=y CONFIG_SND_USB_AUDIO=y # CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver -</pre> - -<h2 id="midi">For USB host mode MIDI</h2> +</code></pre> -<pre> -CONFIG_SND_USB_MIDI=y -</pre> +<p>For USB host mode MIDI, enable the following option:</p> +<pre><code>CONFIG_SND_USB_MIDI=y</code></pre> <h2 id="Seccomp-BPF-TSYNC">Seccomp-BPF with TSYNC</h2> -<p> -Seccomp-BPF is a kernel security technology that -enables the creation of sandboxes to restrict the system calls a process is -allowed to make. The TSYNC feature enables the use of Seccomp-BPF from -multithreaded programs. -</p> -<p> -This ability is limited to architectures that have seccomp support upstream: -ARM, ARM64, x86, and x86_64. -</p> +<p>Seccomp-BPF is a kernel security technology that enables the creation of +sandboxes to restrict the system calls a process is allowed to make. The TSYNC +feature enables the use of Seccomp-BPF from multithreaded programs. This ability +is limited to architectures that have seccomp support upstream: ARM, ARM64, x86, +and x86_64.</p> + <h3 id="backport-ARM-32">Backporting for Kernel 3.10 for ARM-32, X86, X86_64</h3> -<p> -First, ensure that <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the -Kconfig. This is already verified as of the Android 5.0 CTS. 
-</p> -<p> -Next, cherry-pick the following changes from the AOSP kernel/common:android-3.10 -repository: -</p> -<p> -<a -href="https://android.googlesource.com/kernel/common/+log/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28">9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28</a> + +<p>Ensure that <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the Kconfig +(verified as of the Android 5.0 CTS), then cherry-pick the following changes +from the AOSP kernel/common:android-3.10 repository: <a href="https://android. +googlesource.com/kernel/common/+log/9499cd23f9d05ba159 +fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28">9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28</a> </p> + <ul> -<li><a -href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428 - ARM: add seccomp syscall</a> -<li><a -href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd - seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell -<li><a -href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600 - seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter -Roeck -<li><a -href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db - seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7 - seccomp: allow mode setting across threads</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88 - seccomp: introduce writer locking</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf - seccomp: split filter 
prep from check and apply</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69 - sched: move no_new_privs into new atomic flags</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4 - seccomp: add "seccomp" syscall</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde - seccomp: split mode setting routines</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff - seccomp: extract check/assign mode helpers</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43 - seccomp: create internal mode-setting function</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11">987a0f1 - introduce for_each_thread() to replace the buggy while_each_thread()</a> by -Oleg Nesterov -<li><a -href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d">a03a242 - arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter Zijlstra +<li><a href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d">a03 +a242 arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter +Zijlstra</li> +<li><a href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11">987a0f +1 introduce for_each_thread() to replace the buggy while_each_thread()</a> by + Oleg Nesterov</li> + <li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43 +seccomp: create internal mode-setting function</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+ 
+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff +seccomp: extract check/assign mode helpers</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde +seccomp: split mode setting routines</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4 seccomp: add +"seccomp" syscall</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff +694bc22fb458acb763811a677696c60725b">9d0ff69 +sched: move no_new_privs into new atomic flags</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf +seccomp: split filter prep from check and apply</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88 +seccomp: introduce writer locking</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7 +seccomp: allow mode setting across threads</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db +seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db +860a59bfd6ac82b31d6b6f76ebb52">9ac8600 +seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter +Roeck</li> +<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd +seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li> +<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428 +ARM: add seccomp syscall</a> by Kees Cook</li> </ul> -<p> -Apply these patches in the inverse order that they are -listed 
(<code>a9ba428</code> should be last). -</p> -<p> + <h3 id="backport-ARM-64">Backporting for Kernel 3.10 for ARM-64</h3> -</p> -<p> -First, ensure that<code> CONFIG_SECCOMP_FILTER=y </code>is enabled in the -Kconfig. This is already verified as of the Android 5.0 CTS. -</p> -<p> -Next, cherry-pick the following changes from the AOSP kernel/common:android-3.10 -repository: -</p> +<p>Ensure <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the Kconfig +(verified as of the Android 5.0 CTS), then cherry-pick the following changes +from the AOSP kernel/common:android-3.10 repository:</p> <ul> -<li><a -href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929">210957c - arm64: add seccomp support</a> by AKASHI Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85">7722723 - arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b">4f12b53 - add seccomp syscall for compat task</a> by AKASHI Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8">dab1073 - asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI -Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122">feb2843 - arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035">abbfed9 - arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad">4190090 - ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a> -by Will Deacon -<li><a 
-href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428 - ARM: add seccomp syscall</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd - seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell -<li><a -href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600 - seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter -Roeck -<li><a -href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db - seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7 - seccomp: allow mode setting across threads</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88 - seccomp: introduce writer locking</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf - seccomp: split filter prep from check and apply</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69 - sched: move no_new_privs into new atomic flags</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4 - seccomp: add "seccomp" syscall</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde - seccomp: split mode setting routines</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff - seccomp: extract check/assign mode helpers</a> by Kees Cook -<li><a 
-href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43 - seccomp: create internal mode-setting function</a> by Kees Cook -<li><a -href="https://android.googlesource.com/kernel/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76">9499cd2 - syscall_get_arch: remove useless function arguments</a> by Eric Paris -<li><a -href="https://android.googlesource.com/kernel/common/+/3e21c0bb663a23436e0eb3f61860d4fedc233bab">3e21c0b - arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall -<li><a -href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3">bf11863 - arm64: Add audit support</a> by AKASHI Takahiro -<li><a -href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d">cfc7e99e9 - arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall +<li><a href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d">cfc7e99e9 +arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall</li> +<li><a href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3">bf11863 +arm64: Add audit support</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/3 +e21c0bb663a23436e0eb3f61860d4fedc233bab">3e21c0b +arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall</li> +<li><a href="https://android.googlesource.com/kernel +/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76">9499cd2 +syscall_get_arch: remove useless function arguments</a> by Eric Paris</li> +<li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43 +seccomp: create internal mode-setting function</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9 +cff seccomp: extract check/assign mode helpers</a> by Kees 
Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde +seccomp: split mode setting routines</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4 +seccomp: add "seccomp" syscall</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69 +sched: move no_new_privs into new atomic flags</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf +seccomp: split filter prep from check and apply</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88 +seccomp: introduce writer locking</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7 +seccomp: allow mode setting across threads</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db +seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600 +seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter +Roeck</li> +<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd +seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li> +<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428 +ARM: add seccomp syscall</a> by Kees Cook</li> +<li><a href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad">4190090 +ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a> by +Will 
Deacon</li> +<li><a href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035">abbfed9 +arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122">feb2843 +arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8">dab1073 +asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI +Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b">4f1 +2b53 add seccomp syscall for compat task</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85">7722723 +arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro</li> +<li><a href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929">210957c +arm64: add seccomp support</a> by AKASHI Takahiro</li> </ul> |
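Review bot: The removed line "Apply these patches in the inverse order that they are listed (`a9ba428` should be last)" in the ARM-32/X86 backport section has no replacement, so neither backport section now says in which order to cherry-pick. Both lists are reversed in this change (they now end with `a9ba428` and `210957c`), which implies top-to-bottom application, but a reader has to infer that; add a sentence such as "Apply the patches in the order listed" before each list, or make the lists `<ol>`. In the same two lists, several added `href` values and abbreviated hashes are wrapped mid-token (`href="https://android.` / `googlesource.com/...`, `a03` / `a242`, `4f1` / `2b53`), which leaves line breaks inside the URLs and renders the hashes with a space in them; keep each `href` and each hash on one line. In the new intro, the `<p>Use the following configuration settings ...` and `<p>Both the android-base.cfg ...` paragraphs are never closed before the `<ul>` and the following `<p>`. The `merge_config.sh` example also still hard-codes `android/configs/`, while the added text says the fragments are in `kernel/configs` on branches based on 4.8 or later and in `android/` before that; show both paths or use a placeholder for the fragment directory.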