| author | Nick Kralevich <firstname.lastname@example.org> | Sat Jan 31 19:57:46 2015 -0800 |
| committer | Nick Kralevich <email@example.com> | Mon Feb 02 13:17:17 2015 -0800 |
Add fchmodat(AT_SYMLINK_NOFOLLOW) and fchmod O_PATH support

Many libc functions have an option to not follow symbolic links. This is useful to avoid security sensitive code from inadvertently following attacker supplied symlinks and taking inappropriate action on files it shouldn't. For example, open() has O_NOFOLLOW, chown() has lchown(), stat() has lstat(), etc.

There is no such equivalent function for chmod(), such as lchmod(). To address this, POSIX introduced fchmodat(AT_SYMLINK_NOFOLLOW), which is intended to provide a way to perform a chmod operation which doesn't follow symlinks.

Currently, the Linux kernel doesn't implement AT_SYMLINK_NOFOLLOW. In GLIBC, attempting to use the AT_SYMLINK_NOFOLLOW flag causes fchmodat to return ENOTSUP. Details are in "man fchmodat".

Bionic currently differs from GLIBC in that AT_SYMLINK_NOFOLLOW is silently ignored and treated as if the flag wasn't present.

This patch provides a userspace implementation of AT_SYMLINK_NOFOLLOW for bionic. Using open(O_PATH | O_NOFOLLOW), we can provide a way to atomically change the permissions on files without worrying about race conditions.

As part of this change, we add support for fchmod on O_PATH file descriptors, because it's relatively straightforward and could be useful in the future.

The basic idea behind this implementation comes from https://sourceware.org/bugzilla/show_bug.cgi?id=14578 , specifically comment #10.

Change-Id: I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
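The open(O_PATH | O_NOFOLLOW) approach the commit message describes, sketched as an added C example; it is not bionic's code and not part of this commit. `chmod_nofollow` and `demo` are hypothetical names, the code assumes Linux with /proc mounted, and reporting a symlink as ENOTSUP is this example's choice.

```c
#define _GNU_SOURCE             /* exposes O_PATH in <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000        /* fallback: Linux value on x86 and ARM */
#endif

/* Hypothetical helper: chmod `path` (relative to `dirfd`), refusing symlinks. */
int chmod_nofollow(int dirfd, const char *path, mode_t mode) {
    /* Pin what the name refers to now; for a symlink this is the link itself. */
    int fd = openat(dirfd, path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) return -1;
    struct stat st; char proc[40];
    int rc = fstat(fd, &st);
    if (rc == 0 && S_ISLNK(st.st_mode)) {
        errno = ENOTSUP;        /* Linux cannot chmod a symlink itself */
        rc = -1;
    } else if (rc == 0) {
        /* Resolves to the pinned inode, so a later swap of `path` is harmless. */
        snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
        rc = chmod(proc, mode);
    }
    int saved = errno;          /* keep the error across close() */
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed self-check: 0 when the file is changed and the link is refused. */
int demo(void) {
    char dir[] = "/tmp/nofollowXXXXXX";
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    int d = open(dir, O_RDONLY | O_DIRECTORY);
    int fd = openat(d, "target", O_CREAT | O_WRONLY, 0600);
    if (d == -1 || fd == -1 || symlinkat("target", d, "link") != 0) return 2;
    close(fd);
    if (chmod_nofollow(d, "target", 0640) != 0) return 3;
    if (chmod_nofollow(d, "link", 0777) != -1 || errno != ENOTSUP) return 4;
    if (fstatat(d, "target", &st, 0) != 0 || (st.st_mode & 07777) != 0640) return 5;
    unlinkat(d, "link", 0); unlinkat(d, "target", 0); close(d);
    return rmdir(dir) == 0 ? 0 : 6;
}

int main(void) { return demo(); }
```

The check and the chmod act on the same pinned descriptor, which is what removes the window between inspecting a path and changing it.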
The C library. Stuff like
The math library. Traditionally Unix systems kept stuff like
cos(3) in a separate library to save space in the days before shared libraries.
The dynamic linker interface library. This is actually just a bunch of stubs that the dynamic linker replaces with pointers to its own implementation at runtime. This is where stuff like
The C++ ABI support functions. The C++ compiler doesn't know how to implement thread-safe static initialization and the like, so it just calls functions that are supplied by the system. Stuff like
__cxa_pure_virtual live here.
The dynamic linker. When you run a dynamically-linked executable, its ELF file has a
DT_INTERP entry that says “use the following program to start me”. On Android, that's either
linker64 (depending on whether it’s a 32-bit or 64-bit executable). It's responsible for loading the ELF executable into memory and resolving references to symbols (so that when your code tries to jump to
fopen(3), say, it lands in the right place).
tests/ directory contains unit tests. Roughly arranged as one file per publicly-exported header file.
benchmarks/ directory contains benchmarks.
Adding a system call usually involves:
As mentioned above, this is currently a two-step process:
This is fully automated:
If you make a change that is likely to have a wide effect on the tree (such as a libc header change), you should run
make checkbuild. A regular
make will not build the entire tree; just the minimum number of projects that are required for the device. Tests, additional developer tools, and various other modules will not be built. Note that
make checkbuild will not be complete either, as
make tests covers a few additional modules, but generally speaking
make checkbuild is enough.
The tests are all built from the tests/ directory.
$ mma
$ adb sync
$ adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests32
$ adb shell \
    /data/nativetest/bionic-unit-tests-static/bionic-unit-tests-static32
# Only for 64-bit targets
$ adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests64
$ adb shell \
    /data/nativetest/bionic-unit-tests-static/bionic-unit-tests-static64
The host tests require that you have
lunched either an x86 or x86_64 target.
$ mma
# 64-bit tests for 64-bit targets, 32-bit otherwise.
$ mm bionic-unit-tests-run-on-host
# Only exists for 64-bit targets.
$ mm bionic-unit-tests-run-on-host32
As a way to check that our tests do in fact test the correct behavior (and not just the behavior we think is correct), it is possible to run the tests against the host's glibc.
$ mma
$ bionic-unit-tests-glibc32 # already in your path
$ bionic-unit-tests-glibc64
For either host or target coverage, you must first:
$ export NATIVE_COVERAGE=true
$ mma
$ adb sync
$ adb shell \
    GCOV_PREFIX=/data/local/tmp/gcov \
    GCOV_PREFIX_STRIP=`echo $ANDROID_BUILD_TOP | grep -o / | wc -l` \
    /data/nativetest/bionic-unit-tests/bionic-unit-tests32
$ acov
acov will pull all coverage information from the device, push it to the right directories, run
lcov, and open the coverage report in your browser.
First, build and run the host tests as usual (see above).
$ croot
$ lcov -c -d $ANDROID_PRODUCT_OUT -o coverage.info
$ genhtml -o covreport coverage.info # or lcov --list coverage.info
The coverage report is now available at
This probably belongs in the NDK documentation rather than here, but these are the known ABI bugs in LP32:
time_t is 32-bit. http://b/5819737
off_t is 32-bit. There is
off64_t, but no
_FILE_OFFSET_BITS support. Many of the
off64_t functions are missing in older releases, and stdio uses 32-bit offsets, so there's no way to fully implement
sigset_t is too small on ARM and x86 (but correct on MIPS), so support for real-time signals is broken. http://b/5828899