https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html
As "seccomp filter" section of this article saids,
Android O's seccomp filter blocks certain syscalls, such as swapon/swapoff, which have been implicated in some security attacks, and the key control syscalls, which are not useful to apps. In total, the filter blocks 17 of 271 syscalls in arm64 and 70 of 364 in arm.
Now, some syscalls are blocked and throws error signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr -------- Cause: seccomp prevented call to disallowed system call 55.
But I cannot find the above list of 17 syscalls in arm64 and 70 syscalls in arm. Which syscalls are restricted? How can I find the syscalls for cause of crash?
Edited:
It seems that this error message is generated in here.
} else if (si->si_signo == SIGSYS && si->si_code == SYS_SECCOMP) {
cause = StringPrintf("seccomp prevented call to disallowed %s system call %d", ABI_STRING,
si->si_syscall);
}
The syscall filter source files are autogenerated, but the text files from which the filters are generated are located in the next directory up. Here we find a list of all syscalls of interest, as well as a couple of whitelists and blacklists. Presumably the app blacklist is what you are looking for; I've summarized it below.
The filtering itself is a standard feature provided by the Linux kernel, called seccomp. All AOSP does is make use of this feature to filter the system calls listed in the app blacklist linked above. A script processes that blacklist into a platform-specific autogenerated filter that is then fed to seccomp for the process from which all Android apps are launched (ie Zygote). Once this filtering is active, making a matching syscall from the filtered process (ie any app) will result in a SIGSYS signal being delivered. See here for some general information on Linux signals. The error message printed by the AOSP source that you linked is just the system trying to give you some useful information when it notices that your process was killed - notice that the method name is dump_probable_cause.
+--------------------------------------------------+--------------------------+ | Function | Blocked On | +--------------------------------------------------+--------------------------+ | int setgid:setgid32(gid_t) | arm,x86 | | int setgid:setgid(gid_t) | arm64,mips,mips64,x86_64 | | int setuid:setuid32(uid_t) | arm,x86 | | int setuid:setuid(uid_t) | arm64,mips,mips64,x86_64 | | int setreuid:setreuid32(uid_t, uid_t) | arm,x86 | | int setreuid:setreuid(uid_t, uid_t) | arm64,mips,mips64,x86_64 | | int setresuid:setresuid32(uid_t, uid_t, uid_t) | arm,x86 | | int setresuid:setresuid(uid_t, uid_t, uid_t) | arm64,mips,mips64,x86_64 | | int setresgid:setresgid32(gid_t, gid_t, gid_t) | arm,x86 | | int setresgid:setresgid(gid_t, gid_t, gid_t) | arm64,mips,mips64,x86_64 | | int setfsgid(gid_t) | all | | int setfsuid(uid_t) | all | | int setgroups:setgroups32(int, const gid_t*) | arm,x86 | | int setgroups:setgroups(int, const gid_t*) | arm64,mips,mips64,x86_64 | +--------------------------------------------------+--------------------------+
+--------------------------------------------------------------------+------------+ | Function | Blocked On | +--------------------------------------------------------------------+------------+ | int adjtimex(struct timex*) | all | | int clock_adjtime(clockid_t, struct timex*) | all | | int clock_settime(clockid_t, const struct timespec*) | all | | int settimeofday(const struct timeval*, const struct timezone*) | all | | int acct(const char* filepath) | all | | int klogctl:syslog(int, char*, int) | all | | int capset(cap_user_header_t header, const cap_user_data_t data) | all | | int chroot(const char*) | all | +--------------------------------------------------------------------+------------+
+--------------------------------------------------------------------------------+------------+ | Function | Blocked On | +--------------------------------------------------------------------------------+------------+ | int init_module(void*, unsigned long, const char*) | all | | int delete_module(const char*, unsigned int) | all | | int mount(const char*, const char*, const char*, unsigned long, const void*) | all | | int umount2(const char*, int) | all | | int swapon(const char*, int) | all | | int swapoff(const char*) | all | | int setdomainname(const char*, size_t) | all | | int sethostname(const char*, size_t) | all | | int __reboot:reboot(int, int, int, void*) | all | +--------------------------------------------------------------------------------+------------+