Google Git
Sign in
android / platform / bionic / 6bb01b6
commit6bb01b6e6365ced7ca23c9ebecfaf1ea159d5ae2[log] [tgz]
authorNick Kralevich <nnk@google.com>Sat Mar 07 13:37:05 2015 -0800
committerNick Kralevich <nnk@google.com>Sat Mar 07 13:37:05 2015 -0800
treebe106991c6ce3e8521ae75e465a45e1430f7f079
parent9afb08dd0984acea49da5aae21b41522cb805dac [diff]
linker: Allow an app to update it's own LD_LIBRARY_PATH

When the kernel executes a program which is setuid, setgid, has
file capabilities, or causes an SELinux domain transition, the
AT_SECURE flag is set. This flag instructs the dynamic linker to
prune any dangerous environment variables passed across security
boundaries.

For SELinux in particular, whether this flag is set depends on the
the "noatsecure" process permission. If that permission does not
exist, then AT_SECURE=1 whenever a domain transition occurs.

In https://android-review.googlesource.com/129971 , Android stopped
using noatsecure when executing init services. In
https://android-review.googlesource.com/130610 , init was flipped
back into SELinux enforcing mode, making ag/129971 active. The
combination of those two changes ensured that AT_SECURE=1 was
set when executing init spawned services.

In particular, AT_SECURE=1 is set when init executes zygote. Due to
the forking nature of zygote, AT_SECURE remains untouched when
executing zygote's children.

This causes problems for the code added in
https://android-review.googlesource.com/48409 . Specifically, if
AT_SECURE=1, an attempt to call android_update_LD_LIBRARY_PATH()
is silently ignored. This causes problems when art tries to adjust
the LD_LIBRARY_PATH for Android apps. Ultimately, apps are unable
to find shared libraries they depend on.

As discussed in bug 7896159, there's no security reason for
preventing an application from updating it's own LD_LIBRARY_PATH.
We only need to prune LD_LIBRARY_PATH when transitioning across
security boundaries, but not when we're entirely within a security
boundary.

Remove the AT_SECURE check within do_android_update_LD_LIBRARY_PATH().
It's unneeded and prevents an application from modifying it's own
LD_LIBRARY_PATH. This allows an application to specify a location
where it's dlopen()ed shared libraries should be loaded from.

There is no change to AT_SECURE handling in
__sanitize_environment_variables(). We continue to honor it there
to prevent using security sensitive environment variables across
an exec boundary.

Bug: 19559835
Change-Id: If4af2ee8e84265aaa0c93de8b281208b20d7942a
1 file changed
tree: be106991c6ce3e8521ae75e465a45e1430f7f079
  1. benchmarks/
  2. build/
  3. libc/
  4. libdl/
  5. libm/
  6. libstdc++/
  7. linker/
  8. tests/
  9. tools/
  10. .gitignore
  11. Android.mk
  12. CleanSpec.mk
  13. CPPLINT.cfg
  14. README.md
README.md

Working on bionic

What are the big pieces of bionic?

libc/ --- libc.so, libc.a

The C library. Stuff like fopen(3) and kill(2).

libm/ --- libm.so, libm.a

The math library. Traditionally Unix systems kept stuff like sin(3) and cos(3) in a separate library to save space in the days before shared libraries.

libdl/ --- libdl.so

The dynamic linker interface library. This is actually just a bunch of stubs that the dynamic linker replaces with pointers to its own implementation at runtime. This is where stuff like dlopen(3) lives.

libstdc++/ --- libstdc++.so

The C++ ABI support functions. The C++ compiler doesn't know how to implement thread-safe static initialization and the like, so it just calls functions that are supplied by the system. Stuff like __cxa_guard_acquire and __cxa_pure_virtual live here.

linker/ --- /system/bin/linker and /system/bin/linker64

The dynamic linker. When you run a dynamically-linked executable, its ELF file has a DT_INTERP entry that says “use the following program to start me”. On Android, that‘s either linker or linker64 (depending on whether it’s a 32-bit or 64-bit executable). It's responsible for loading the ELF executable into memory and resolving references to symbols (so that when your code tries to jump to fopen(3), say, it lands in the right place).

tests/ --- unit tests

The tests/ directory contains unit tests. Roughly arranged as one file per publicly-exported header file.

benchmarks/ --- benchmarks

The benchmarks/ directory contains benchmarks.

What's in libc/?

Adding system calls

Adding a system call usually involves:

  1. Add entries to SYSCALLS.TXT. See SYSCALLS.TXT itself for documentation on the format.
  2. Run the gensyscalls.py script.
  3. Add constants (and perhaps types) to the appropriate header file. Note that you should check to see whether the constants are already in kernel uapi header files, in which case you just need to make sure that the appropriate POSIX header file in libc/include/ includes the relevant file or files.
  4. Add function declarations to the appropriate header file.
  5. Add at least basic tests. Even a test that deliberately supplies an invalid argument helps check that we're generating the right symbol and have the right declaration in the header file. (And strace(1) can confirm that the correct system call is being made.)

Updating kernel header files

As mentioned above, this is currently a two-step process:

  1. Use generate_uapi_headers.sh to go from a Linux source tree to appropriate contents for external/kernel-headers/.
  2. Run update_all.py to scrub those headers and import them into bionic.

Updating tzdata

This is fully automated:

  1. Run update-tzdata.py.

Verifying changes

If you make a change that is likely to have a wide effect on the tree (such as a libc header change), you should run make checkbuild. A regular make will not build the entire tree; just the minimum number of projects that are required for the device. Tests, additional developer tools, and various other modules will not be built. Note that make checkbuild will not be complete either, as make tests covers a few additional modules, but generally speaking make checkbuild is enough.

Running the tests

The tests are all built from the tests/ directory.

Device tests

$ mma
$ adb sync
$ adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests32
$ adb shell \
    /data/nativetest/bionic-unit-tests-static/bionic-unit-tests-static32
# Only for 64-bit targets
$ adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests64
$ adb shell \
    /data/nativetest/bionic-unit-tests-static/bionic-unit-tests-static64

Host tests

The host tests require that you have lunched either an x86 or x86_64 target.

$ mma
# 64-bit tests for 64-bit targets, 32-bit otherwise.
$ mm bionic-unit-tests-run-on-host
# Only exists for 64-bit targets.
$ mm bionic-unit-tests-run-on-host32

Against glibc

As a way to check that our tests do in fact test the correct behavior (and not just the behavior we think is correct), it is possible to run the tests against the host's glibc.

$ mma
$ bionic-unit-tests-glibc32 # already in your path
$ bionic-unit-tests-glibc64

Gathering test coverage

For either host or target coverage, you must first:

  • $ export NATIVE_COVERAGE=true
    • Note that the build system is ignorant to this flag being toggled, i.e. if you change this flag, you will have to manually rebuild bionic.
  • Set bionic_coverage=true in libc/Android.mk and libm/Android.mk.

Coverage from device tests

$ mma
$ adb sync
$ adb shell \
    GCOV_PREFIX=/data/local/tmp/gcov \
    GCOV_PREFIX_STRIP=`echo $ANDROID_BUILD_TOP | grep -o / | wc -l` \
    /data/nativetest/bionic-unit-tests/bionic-unit-tests32
$ acov

acov will pull all coverage information from the device, push it to the right directories, run lcov, and open the coverage report in your browser.

Coverage from host tests

First, build and run the host tests as usual (see above).

$ croot
$ lcov -c -d $ANDROID_PRODUCT_OUT -o coverage.info
$ genhtml -o covreport coverage.info # or lcov --list coverage.info

The coverage report is now available at covreport/index.html.

LP32 ABI bugs

This probably belongs in the NDK documentation rather than here, but these are the known ABI bugs in LP32:

  • time_t is 32-bit. http://b/5819737

  • off_t is 32-bit. There is off64_t, but no _FILE_OFFSET_BITS support. Many of the off64_t functions are missing in older releases, and stdio uses 32-bit offsets, so there's no way to fully implement _FILE_OFFSET_BITS.

  • sigset_t is too small on ARM and x86 (but correct on MIPS), so support for real-time signals is broken. http://b/5828899