 src/devices/tech/config/kernel.jd        (-rw-r--r--) | 182
 src/security/overview/kernel-security.jd (-rw-r--r--) |  26
 2 files changed, 187 insertions, 21 deletions
diff --git a/src/devices/tech/config/kernel.jd b/src/devices/tech/config/kernel.jd
index e76a97ec..f21389c9 100644
--- a/src/devices/tech/config/kernel.jd
+++ b/src/devices/tech/config/kernel.jd
@@ -26,23 +26,25 @@ page.title=Kernel Configuration
<p>The kernel configuration settings in this document are meant to be used as a
base for an Android kernel configuration. All devices should have the options
-in android-base configuration enabled. While not mandatory, the options in
-android-recommended configuration enable advanced Android
-features.</p>
+in android-base configuration enabled. The options in
+android-recommended configuration enable advanced Android
+features. See <a href="{@docRoot}security/overview/kernel-security.html">System
+and Kernel Security</a> for controls already undertaken to strengthen the
+kernel on your devices. See the <a
+href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition
+Document (CDD)</a> for required settings.</p>
<p>
Generating kernel config: Assuming you already have a minimalist defconfig for your device, a possible
way to enable these options would be:</p>
-<pre>ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig android/configs/android-base.cfg
+<pre>ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig android/configs/android-base.cfg
android/configs/android-recommended.cfg</pre>
<p>
This will generate a .config that can then be used to save a new defconfig or
compile a new kernel with Android features enabled.
</p>
-<h3 id="base">
-Base Configuration
-</h3>
+<h2 id="base">Base Configuration</h2>
<pre>
CONFIG_EXPERIMENTAL=y
CONFIG_SYSVIPC=y
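Review bot: the re-added `<pre>ARCH=<arch> scripts/kconfig/merge_config.sh <path_to>/<device>_defconfig ...` line still carries raw angle-bracket placeholders inside HTML, so a browser parses `<arch>`, `<path_to>` and `<device>` as tags and renders the command with those parts missing; write them as `&lt;arch&gt;`, `&lt;path_to&gt;` and `&lt;device&gt;`. In the new paragraph, "for controls already undertaken to strengthen the kernel on your devices" reads awkwardly next to the mirrored sentence in kernel-security.jd; "for the kernel hardening measures the platform already applies" says the same thing more plainly. Dropping "While not mandatory" is fine now that the CDD link states what is required.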
@@ -180,7 +182,7 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y
CONFIG_ANDROID_INTF_ALARM_DEV=y
</pre>
-<h3 id="recommended">Recommended Configuration</h3>
+<h2 id="recommended">Recommended Configuration</h2>
<pre>
CONFIG_PANIC_TIMEOUT=5
@@ -302,7 +304,7 @@ CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
</pre>
-<h3 id="audio">For USB host mode audio</h3>
+<h2 id="audio">For USB host mode audio</h2>
<pre>
CONFIG_SND_USB=y
@@ -310,8 +312,168 @@ CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver
</pre>
-<h3 id="midi">For USB host mode MIDI</h3>
+<h2 id="midi">For USB host mode MIDI</h2>
<pre>
CONFIG_SND_USB_MIDI=y
</pre>
+
+<h2 id="Seccomp-BPF-TSYNC">Seccomp-BPF with TSYNC Requirement</h2>
+<p>
+Seccomp-BPF is a kernel security technology that
+enables the creation of sandboxes to restrict the system calls a process is
+allowed to make. The TSYNC feature enables the use of seccomp-bpf from
+multithreaded programs.
+</p>
+<p>
+This requirement is limited to architectures that have seccomp support upstream:
+ARM, ARM64, x86, and x86_64.
+</p>
+<h3 id="backport-ARM-32">Backporting for Kernel 3.10 for ARM-32, X86, X86_64</h3>
+<p>
+First, ensure that <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the
+Kconfig. This is already verified as of the Android 5.0 CTS.
+</p>
+<p>
+Next, cherry-pick the following changes from the AOSP kernel/common:android-3.10
+repository:
+</p>
+<p>
+<a
+href="https://android.googlesource.com/kernel/common/+log/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28">9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28</a>
+</p>
+<ul>
+<li><a
+href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428
+ ARM: add seccomp syscall</a>
+<li><a
+href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd
+ seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600
+ seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
+Roeck
+<li><a
+href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db
+ seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7
+ seccomp: allow mode setting across threads</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88
+ seccomp: introduce writer locking</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf
+ seccomp: split filter prep from check and apply</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69
+ sched: move no_new_privs into new atomic flags</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4
+ seccomp: add "seccomp" syscall</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde
+ seccomp: split mode setting routines</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff
+ seccomp: extract check/assign mode helpers</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43
+ seccomp: create internal mode-setting function</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11">987a0f1
+ introduce for_each_thread() to replace the buggy while_each_thread()</a> by
+Oleg Nesterov
+<li><a
+href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d">a03a242
+ arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter Zijlstra
+</ul>
+<p>
+Apply these patches in the inverse order that they are
+listed (<code>a9ba428</code> should be last).
+</p>
+<p>
+<h3 id="backport-ARM-64">Backporting for Kernel 3.10 for ARM-64</h3>
+</p>
+<p>
+First, ensure that<code> CONFIG_SECCOMP_FILTER=y </code>is enabled in the
+Kconfig. This is already verified as of the Android 5.0 CTS.
+</p>
+<p>
+Next, cherry-pick the following changes from the AOSP kernel/common:android-3.10
+repository:
+</p>
+<ul>
+<li><a
+href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929">210957c
+ arm64: add seccomp support</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85">7722723
+ arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b">4f12b53
+ add seccomp syscall for compat task</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8">dab1073
+ asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI
+Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122">feb2843
+ arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035">abbfed9
+ arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad">4190090
+ ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a>
+by Will Deacon
+<li><a
+href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428
+ ARM: add seccomp syscall</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd
+ seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600
+ seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
+Roeck
+<li><a
+href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db
+ seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7
+ seccomp: allow mode setting across threads</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88
+ seccomp: introduce writer locking</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf
+ seccomp: split filter prep from check and apply</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69
+ sched: move no_new_privs into new atomic flags</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4
+ seccomp: add "seccomp" syscall</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde
+ seccomp: split mode setting routines</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff
+ seccomp: extract check/assign mode helpers</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43
+ seccomp: create internal mode-setting function</a> by Kees Cook
+<li><a
+href="https://android.googlesource.com/kernel/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76">9499cd2
+ syscall_get_arch: remove useless function arguments</a> by Eric Paris
+<li><a
+href="https://android.googlesource.com/kernel/common/+/3e21c0bb663a23436e0eb3f61860d4fedc233bab">3e21c0b
+ arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall
+<li><a
+href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3">bf11863
+ arm64: Add audit support</a> by AKASHI Takahiro
+<li><a
+href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d">cfc7e99e9
+ arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall
+</ul>
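Review bot: the `<p><h3 id="backport-ARM-64">...</h3></p>` wrapper is invalid HTML (a heading cannot sit inside a paragraph; the parser closes the `<p>` before the `<h3>` and leaves a stray `</p>`), so drop the surrounding `<p>`/`</p>` to match the ARM-32 heading above it. Two consistency points in the same hunk: `<code> CONFIG_SECCOMP_FILTER=y </code>` has padding spaces inside the tag unlike the ARM-32 paragraph, and the ARM-64 list has no counterpart to the "Apply these patches in the inverse order that they are listed" instruction or the `+log` range link, so a reader cannot tell whether the same bottom-up ordering applies there; state it explicitly rather than leaving it implied. The new id `Seccomp-BPF-TSYNC` is also mixed case while every other id on the page is lowercase, and the `<li>` items are never closed, which the rest of the file does not do either but is worth normalising while the section is new.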
diff --git a/src/security/overview/kernel-security.jd b/src/security/overview/kernel-security.jd
index f84b6528..f41016af 100644
--- a/src/security/overview/kernel-security.jd
+++ b/src/security/overview/kernel-security.jd
@@ -30,8 +30,12 @@ page.title=System and kernel security
native code is constrained by the Application Sandbox. Whether that code is
the result of included application behavior or a exploitation of an application
vulnerability, the system would prevent the rogue application from harming
- other applications, the Android system, or the device itself.</p>
-<h3 id="linux-security">Linux Security</h3>
+ other applications, the Android system, or the device itself. See <a
+ href="{@docRoot}devices/tech/config/kernel.html">Kernel Configuration</a> for
+ measures you can take to strengthen the kernel on your devices. See the <a
+ href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition
+ Document (CDD)</a> for required settings.</p>
+<h2 id="linux-security">Linux Security</h2>
<p>The foundation of the Android platform is the Linux kernel. The Linux kernel
itself has been in widespread use for years, and is used in millions of
security-sensitive environments. Through its history of constantly being
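Review bot: since this paragraph is being edited anyway, the context line "a exploitation of an application vulnerability" should read "an exploitation"; fold that into the change rather than leaving the typo beside the new link text. The cross-reference wording ("measures you can take to strengthen the kernel on your devices") is fine and is the clearer of the two mirrored sentences; the kernel.jd side should match it.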
@@ -56,7 +60,7 @@ page.title=System and kernel security
<li>Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS,
bluetooth)</li>
</ul>
-<h3 id="the-application-sandbox">The Application Sandbox</h3>
+<h2 id="the-application-sandbox">The Application Sandbox</h2>
<p>The Android platform takes advantage of the Linux user-based protection as a
means of identifying and isolating application resources. The Android system
assigns a unique user ID (UID) to each Android application and runs it as that user
@@ -91,33 +95,33 @@ page.title=System and kernel security
<p>Like all security features, the Application Sandbox is not unbreakable.
However, to break out of the Application Sandbox in a properly configured
device, one must compromise the security of the Linux kernel.</p>
-<h3 id="system-partition-and-safe-mode">System Partition and Safe Mode</h3>
+<h2 id="system-partition-and-safe-mode">System Partition and Safe Mode</h2>
<p>The system partition contains Android's kernel as well as the operating system
libraries, application runtime, application framework, and applications. This
partition is set to read-only. When a user boots the device into Safe Mode,
third-party applications may be launched manually by the device owner but are
not launched by default on start up.</p>
-<h3 id="filesystem-permissions">Filesystem Permissions</h3>
+<h2 id="filesystem-permissions">Filesystem Permissions</h2>
<p>In a UNIX-style environment, filesystem permissions ensure that one user cannot
alter or read another user's files. In the case of Android, each application
runs as its own user. Unless the developer explicitly exposes files to other
applications, files created by one application cannot be read or altered by
another application.</p>
-<h3 id="se-linux">Security-Enhanced Linux</h3>
+<h2 id="se-linux">Security-Enhanced Linux</h2>
<p>Android uses Security-Enhanced
Linux (SELinux) to apply access control policies and establish an environment of
mandatory access control (mac). See <a
href="{@docRoot}security/selinux/index.html">Validating
Security-Enhanced Linux in
Android</a> for details.</p>
-<h3 id="crypto">Cryptography</h3>
+<h2 id="crypto">Cryptography</h2>
<p> Android provides a set of cryptographic APIs for use by applications. These
include implementations of standard and commonly used cryptographic primitives
such as AES, RSA, DSA, and SHA. Additionally, APIs are provided for higher level
protocols such as SSL and HTTPS. </p>
<p> Android 4.0 introduced the <a href="http://developer.android.com/reference/android/security/KeyChain.html">KeyChain</a> class to allow applications to use the system credential storage for private
keys and certificate chains. </p>
-<h3>Rooting of Devices</h3>
+<h2 id="rooting-devices">Rooting of Devices</h2>
<p> By default, on Android only the kernel and a small subset of the core
applications run with root permissions. Android does not prevent a user or
application with root permissions from modifying the operating system, kernel,
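Review bot: adding `id="rooting-devices"` where the old `<h3>` had none is the right call, since every other heading in this file is an anchor target. The context line "mandatory access control (mac)" in the same hunk is a pre-existing inconsistency worth fixing to "(MAC)" while the adjacent heading line is touched.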
@@ -151,8 +155,8 @@ href="{@docRoot}security/selinux/index.html">Validating
devices uses the device password to protect the encryption key, so modifying
the bootloader or operating system is not sufficient to access user data
without the user’s device password. </p>
-<h3>User Security Features</h3>
-<h4 id="filesystem-encryption">Filesystem Encryption</h4>
+<h2 id="user-security">User Security Features</h2>
+<h3 id="filesystem-encryption">Filesystem Encryption</h3>
<p>Android 3.0 and later provides full filesystem encryption, so all user data can
be encrypted in the kernel using the dmcrypt implementation of AES128 with CBC
and ESSIV:SHA256. The encryption key is protected by AES128 using a key
@@ -173,7 +177,7 @@ href="{@docRoot}security/encryption/index.html">Encryption</a>.</p>
this password protects the cryptographic key for full filesystem encryption.</p>
<p>Use of a password and/or password complexity rules can be required by a device
administrator.</p>
-<h3 id="device-administration">Device Administration</h3>
+<h2 id="device-administration">Device Administration</h2>
<p>Android 2.2 and later provide the Android Device Administration API, which
provides device administration features at the system level. For example, the
built-in Android Email application uses the APIs to improve Exchange support.