Understanding Android O seccomp Filters and Illegal System Calls

The article explains how Android O uses seccomp filters in the zygote process to block unused or dangerous system calls, how developers can detect and avoid illegal calls that cause crashes, and how to test or disable the filter on development builds.

Hujiang Technology

seccomp Filters

Android O installs a seccomp filter in the zygote process, affecting all applications. The filter permits only system calls defined in bionic, those required for Android startup, and those used by Google’s compatibility test suite.

Developers

On devices running Android O, invoking a disallowed system call causes the app to crash, and the log shows a SIGSYS signal indicating seccomp prevented the call.

03-09 16:39:32.122 15107 15107 I crash_dump32: performing dump of process 14942 (target tid = 14971)
03-09 16:39:32.127 15107 15107 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-09 16:39:32.127 15107 15107 F DEBUG   : Build fingerprint: 'google/sailfish/sailfish:O/OPP1.170223.013/3795621:userdebug/dev-keys'
03-09 16:39:32.127 15107 15107 F DEBUG   : Revision: '0'
03-09 16:39:32.127 15107 15107 F DEBUG   : ABI: 'arm'
03-09 16:39:32.127 15107 15107 F DEBUG   : pid: 14942, tid: 14971, name: WorkHandler  >>> com.redacted <<<
03-09 16:39:32.127 15107 15107 F DEBUG   : signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr --------
03-09 16:39:32.127 15107 15107 F DEBUG   : Cause: seccomp prevented call to disallowed system call 55
03-09 16:39:32.127 15107 15107 F DEBUG   :   r0 00000091  r1 00000007  r2 ccd8c008  r3 00000001
03-09 16:39:32.127 15107 15107 F DEBUG   :   r4 00000000  r5 00000000  r6 00000000  r7 00000037

Developers should adjust their applications to avoid invoking illegal system calls.
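
To find these crashes in a captured logcat, the tombstone can be parsed mechanically. The Python below is an added example, not code from the original article or from Android's tooling; the name find_seccomp_kills and the SIGSEGV tombstone in the sample are constructed here. It reports each SIGSYS/SYS_SECCOMP crash and checks the "Cause" syscall number against the syscall register (r7 on arm, where the log's r7 00000037 is 55; x8 on arm64), leaving register_agrees as None when no register dump was captured.

```python
import re

DEBUG = re.compile(r"\bF DEBUG\s*: (.*)$")
ABI = re.compile(r"ABI: '(\w+)'")
PROC = re.compile(r"pid: (\d+), tid: (\d+), name: (.+?)\s+>>> (.+?) <<<")
SIGNAL = re.compile(r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\)")
CAUSE = re.compile(r"disallowed system call (\d+)")
REG = re.compile(r"\b([rx]\d+)\s+([0-9a-f]{8,16})\b")
NR_REG = {"arm": "r7", "arm64": "x8"}  # register carrying the syscall number

def find_seccomp_kills(log_text):
    """Return one record per tombstone that reports SIGSYS / SYS_SECCOMP."""
    tombstones, cur = [], None
    for msg in (m.group(1) for m in map(DEBUG.search, log_text.splitlines()) if m):
        if cur is None or msg.startswith("*** ***"):  # banner opens a tombstone
            cur = {"regs": {}}
            tombstones.append(cur)
        if f := ABI.search(msg):
            cur["abi"] = f.group(1)
        elif f := PROC.search(msg):
            cur.update(pid=int(f.group(1)), tid=int(f.group(2)),
                       thread=f.group(3), process=f.group(4))
        elif f := SIGNAL.search(msg):
            cur["signal"], cur["code"] = f.groups()
        elif f := CAUSE.search(msg):
            cur["syscall"] = int(f.group(1))
        else:
            cur["regs"].update((r, int(v, 16)) for r, v in REG.findall(msg))
    kills = []
    for t in tombstones:
        if (t.get("signal"), t.get("code")) != ("SIGSYS", "SYS_SECCOMP"):
            continue  # ordinary crash (e.g. SIGSEGV), not a seccomp kill
        nr = t.pop("regs").get(NR_REG.get(t.get("abi"), ""))
        t["register_agrees"] = None if nr is None else nr == t.get("syscall")
        kills.append(t)
    return kills

# First five lines are from the article's crash log; the SIGSEGV tombstone is constructed.
SAMPLE = """\
03-09 16:39:32.127 15107 15107 F DEBUG   : ABI: 'arm'
03-09 16:39:32.127 15107 15107 F DEBUG   : pid: 14942, tid: 14971, name: WorkHandler  >>> com.redacted <<<
03-09 16:39:32.127 15107 15107 F DEBUG   : signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr --------
03-09 16:39:32.127 15107 15107 F DEBUG   : Cause: seccomp prevented call to disallowed system call 55
03-09 16:39:32.127 15107 15107 F DEBUG   :   r4 00000000  r5 00000000  r6 00000000  r7 00000037
03-09 16:40:01.500 15230 15230 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-09 16:40:01.500 15230 15230 F DEBUG   : pid: 15001, tid: 15001, name: main  >>> com.example.other <<<
03-09 16:40:01.500 15230 15230 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
"""
print(find_seccomp_kills(SAMPLE))
```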

Testing seccomp Filters

On userdebug and eng builds, you can disable the seccomp policy by setting SELinux to permissive and restarting the device:

adb shell setenforce 0 && adb shell stop && adb shell start

Because the policy cannot be removed from a running process, a reboot is required for the change to take effect.

Device Manufacturers

The seccomp filter is included in //bionic/libc/seccomp, so manufacturers do not need additional implementation. CTS contains a test that verifies add_key and keyctl are blocked, openat is allowed, and other app‑specific calls behave as expected.

Related Source Files

SYSCALLS.TXT

SECCOMP_BLACKLIST.TXT

SECCOMP_WHITELIST.TXT
