Commit graph

189 commits

Author SHA1 Message Date
Edgar Arriaga
128ef8e981 Add bionic headers for process_madvise
Test: atest bionic-unit-tests-static
Bug: 173258203
Change-Id: I396945b95de364055b87cc53321aed4fad4ebc70
2021-01-14 19:34:40 -08:00
Bram Bonné
95ca52a7d6 Reland: Soft-enable MAC address restrictions with allowlist.
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.

This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.

Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.

If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.

Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Test: Call bind() on a AF_UNIX socket with its protocol set to
NETLINK_ROUTE, confirm it can succeed.
Test: Verify that previously broken apps are no longer broken.

Change-Id: I8738f7912fdc816e0d30205557728ff9e84bf7e6
2020-12-15 16:52:58 +01:00
Bram Bonné
9e97280414 Revert "Soft-enable MAC address restrictions with allowlist."
Revert "Updates CTS tests for MAC address restrictions."

Revert submission 1518603-soft-restrict-mac

Reason for revert: Missing type check
Reverted Changes:
I0488932de:Soft-enable MAC address restrictions with allowlis...
Idb9d940e4:Updates CTS tests for MAC address restrictions.
I9461f287e:Return anonymized MAC for apps targeting SDK < 30

Change-Id: I7e8e593518088ff5c8f6083b34e6966852475b9b
2020-12-14 14:14:23 +01:00
Bram Bonné
0ba499896a Soft-enable MAC address restrictions with allowlist.
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.

This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.

Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.

If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.

Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Change-Id: I0488932deea2a7211e55a24bc33bfa3cfb16fba2
2020-12-10 11:55:45 +01:00
Josh Gao
b107eab5ef fdtrack: add wrapper for socketpair.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I8b25accf00dc01f6fab351f3ba612f6b0ff9d094
2020-04-29 17:21:16 -07:00
Josh Gao
7de412443d fdtrack: add wrapper for eventfd.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I59013f0c4da0debbcc50269c64ae9db0cdc4eaa0
2020-04-29 17:21:16 -07:00
Josh Gao
a38331d833 fdtrack: add wrappers for epoll_create, epoll_create1.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I6c881e5d67596c543526536541d5b8086e21d9e9
2020-04-29 17:21:16 -07:00
Josh Gao
1fad5283a0 fdtrack: add wrappers for pipe, pipe2.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I66826f312a65ab9f1bd8193bf684e330baa952dc
2020-04-29 17:21:16 -07:00
Elliott Hughes
733cedd1c4 Add a libc wrapper for statx(2).
Bug: http://b/127675384
Bug: http://b/146676114
Test: treehugger
Change-Id: I844edc12f62717e579870a040cf03dfe60dc280b
2020-02-23 11:36:53 -08:00
Elliott Hughes
2b499046f1 Clean up syscall stub/seccomp filter generation.
Test: treehugger
Change-Id: Iceb1c22d82b4d402166c3712b5b8b48a30937c6d
2020-02-13 14:21:55 -08:00
Josh Gao
97271920bf Add a tool to track down fd leaks.
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.

Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.

Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b15)
2020-01-30 13:55:10 -08:00
Elliott Hughes
51d158f38d Fix a few incorrect types in SYSCALLS.TXT.
Nothing that actually affected the generated code.

Test: treehugger
Change-Id: I14b3a5f4608d9f446beb1d039bc434a214632a6b
2020-01-06 14:29:06 -08:00
Elliott Hughes
3d24d2b088 Add memfd_create(2) and mlock2(2).
These are old enough now that the latest devices will have kernels that
support them.

Also add basic doc comments to <sys/mman.h>.

Test: treehugger
Change-Id: I1b5ff5db0b6270f5c374287cac1d6a751a0259f5
2019-08-05 16:31:08 -07:00
Elliott Hughes
05b675e8bf Add renameat2.
Bug: http://b/127675384
Test: new tests
Change-Id: Ia2e3d5679180391ca98e62fa429fa11cbf167507
2019-08-02 09:09:59 -07:00
Elliott Hughes
b2bd7c575e Merge "libnetd_client: support hooking sendto/sendmsg/sendmmsg too." 2019-06-24 15:04:25 +00:00
Elliott Hughes
5c6a3f9fbc libnetd_client: support hooking sendto/sendmsg/sendmmsg too.
Samsung has asked for this for KNOX.

Test: treehugger
Change-Id: Iffaace9f8cb265ce8c911472989c9829cbf91a42
2019-06-20 08:32:24 -07:00
Elliott Hughes
50080a29f7 Remove the ___ hack.
Plain __ for generated syscalls didn't mean it was a hidden symbol, it
just meant "please don't use this". We added ___ to signify that a
hidden symbol should be generated, but then we added the map files
anyway so you now have to explicitly export symbols. Given that, this
convention serves no particular purpose so we may as well just use the
nicer names have everything look the same.

Test: treehugger
Change-Id: If424e17a49c36f4be545f5d283c4561a6ea9c7ea
2019-06-19 15:38:42 -07:00
Elliott Hughes
782c485880 Generate assembler system call stubs via genrule.
There's no need to check in generated code.

Test: builds & boots
Change-Id: Ife368bca4349d4adeb0666db590356196b4fbd63
2019-04-16 12:31:00 -07:00
Elliott Hughes
8251d4419f Add lp32 and lp64 shorthands to SYSCALLS.TXT.
Bug: N/A
Test: updating the generated stubs is a no-op
Change-Id: I7f6f9bcfd8c054f0a2d7e5f488eacb88cefb8d15
2018-11-09 13:57:34 -08:00
Elliott Hughes
5905d6f879 Add sigset64_t and accompanying functions.
This doesn't address `struct sigaction` and `sigaction`. That will
come later.

Bug: http://b/72493232
Test: ran tests
Change-Id: I4134346757ce3a4dac6feae413361cec16223386
2018-01-30 18:47:16 -08:00
Elliott Hughes
2180978c88 Fix SYSCALLS.TXT now clock_getres comes from the vdso.
Bug: N/A
Test: ran tests
Change-Id: I122066992e1ab1aa38beed256103c3a22fd05a6f
2017-12-11 11:40:40 -08:00
Elliott Hughes
8465e968a8 Add <sys/random.h>.
iOS 10 has <sys/random.h> with getentropy, glibc >= 2.25 has
<sys/random.h> with getentropy and getrandom. (glibc also pollutes
<unistd.h>, but that seems like a bad idea.)

Also, all supported devices now have kernels with the getrandom system
call.

We've had these available internally for a while, but it seems like the
time is ripe to expose them.

Bug: http://b/67014255
Test: ran tests
Change-Id: I76dde1e3a2d0bc82777eea437ac193f96964f138
2017-09-29 05:31:35 +00:00
Elliott Hughes
896362eb0e Add syncfs(2).
GMM calls this system call directly at the moment. That's silly.

Bug: http://b/36405699
Test: ran tests
Change-Id: I1e14c0e5ce0bc2aa888d884845ac30dc20f13cd5
2017-08-24 16:31:49 -07:00
Miodrag Dinic
a301e73475 MIPS64: move fstat64/fstatat64/_flush_cache syscalls to SECCOMP_WHITELIST.TXT
fstat64/fstatat64/_flush_cache were accidentally put in SYSCALLS.TXT in:
    https://android-review.googlesource.com/#/c/390454/

This patch just moves them to SECCOMP_WHITELIST.TXT because we do not
want stubs accidenatally generated for the mentioned syscalls using
gensyscalls.py script.

This commit does not introduce any functional changes to mips64_policy.cpp.

Test: Run genseccomp.py -> File seccomp/mips64_policy.cpp not changed.
Test: Run gensyscalls.py -> INFO:root:no changes detected!

Change-Id: I3b527b3d9f18715c44a4e6ddc6db6e49f48f4890
Signed-off-by: Miodrag Dinic <miodrag.dinic@imgtec.com>
2017-06-15 10:25:09 +02:00
Goran Ferenc
996f6decfa MIPS: 32/64-bit VDSO support
File libc/SYSCALLS.TXT is updated to generate bionic's system call wrappers
for clock_gettime() & gettimeofday() that will be called if kernel vdso
implementations fail to execute.
The system call wrappers are generated using a python script gensyscalls.py.

Since all architectures support vdso now, there is no more need for conditional
statements regarding supported architectures in libc/bionic/vdso.cpp &
libc/private/bionic_vdso.h files.

Test: builds
Change-Id: I7213f29c179a7929851499d78a72900638ae861a
Signed-off-by: Goran Ferenc <goran.ferenc@imgtec.com>
2017-06-01 08:50:57 -07:00
Lazar Trsic
dd5bd456fb [MIPS64] Enable necessary mips64 syscalls in seccomp whitelist
Allow execution of: newfstatat, fstat and cacheflush syscalls
for mips64 arch.

Test: Boot mips64 emulator to homescreen with 3.18 kernel.
emulator -kernel prebuilts/qemu-kernel/mips64/3.18/kernel-qemu2

Change-Id: Ib5d6b0060f3e17b64d86fc944aa83a5240d512f8
2017-05-05 15:37:11 +02:00
Treehugger Robot
04a3b24d7e Merge "Correct the return types of readv and writev." 2016-11-30 19:26:06 +00:00
Elliott Hughes
8f0e42fda6 Fix getpriority/setpriority types.
Bug: N/A
Test: builds
Change-Id: Ica099bae04a0260871783452811a54672094ba4a
2016-11-29 15:14:11 -08:00
Josh Gao
753361a981 Correct the return types of readv and writev.
readv and writev should return ssize_t, not int.

Bug: none
Test: `m checkbuild` on bullhead
Change-Id: I934c2e8cb7bf76384b63cedfeab88e2f6b65971a
2016-11-29 14:26:15 -08:00
Elliott Hughes
2b9605fec4 Fix various <sys/socket.h> prototypes.
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_socket.h.html

Interestingly, recvmmsg/sendmmsg do actually return int, unlike their
recv/recvmsg/sendv/sendvmsg siblings.

The generated assembler stubs don't actually change.

Change-Id: If71cd02431903774de9bbce77fbedf6b03f90c0f
2016-08-16 13:37:24 -07:00
Elliott Hughes
4ce902c30e Support 32-bit ARM vdso.
Linux 4.1 added this.

Bug: http://b/19198045
Change-Id: I28be802ff403a61dd6733a001411b3ff05fef5a5
2016-07-12 13:55:51 -07:00
Elliott Hughes
8963dd337e Make all rt_sigtimedwait signatures match.
There's no change to the generated stubs, because the script only cares
that this is a pointer type, not what it's a pointer to.

Change-Id: I766720965f0f3d201fc90677a076b26870485377
2016-05-23 11:20:19 -07:00
Elliott Hughes
eafad49bd6 Add <sys/quota.h>.
It turns out that at least the Nexus 9 kernel is built without CONFIG_QUOTA.
If we decide we're going to mandate quota functionality, I'm happy for us to
be a part of CTS that ensures that happens, but I don't want to be first, so
there's not much to test here other than "will it compile?". The strace
output looks right though.

Bug: http://b/27948821
Bug: http://b/27952303
Change-Id: If667195eee849ed17c8fa9110f6b02907fc8fc04
2016-04-06 11:06:09 -07:00
Elliott Hughes
7f72ad4d6c Add sync_file_range to <fcntl.h>.
Bug: http://b/27952303
Change-Id: Idadfacd657ed415abc11684b9471e4e24c2fbf05
2016-04-05 12:17:22 -07:00
Greg Hackmann
e2faf07d65 Add {get,set}domainname(2)
{get,set}domainname aren't in POSIX but are widely-implemented
extensions.

The Linux kernel provides a setdomainname syscall but not a symmetric
getdomainname syscall, since it expects userspace to get the domain name
from uname(2).

Change-Id: I96726c242f4bb646c130b361688328b0b97269a0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2016-03-25 14:16:58 -07:00
Elliott Hughes
5f26c6bc91 Really add adjtimex(2), and add clock_adjtime(2) too.
Change-Id: I81fde2ec9fdf787bb19a784ad13df92d33a4f852
2016-02-03 13:19:10 -08:00
Greg Hackmann
3f3f6c526b Add adjtimex
Change-Id: Ia92d35b1851e73c9f157a749dba1e98f68309a8d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2016-01-28 13:41:22 -08:00
Daniel Micay
4200e260d2 fix the mremap signature
The mremap definition was incorrect (unsigned long instead of int) and
it was missing the optional new_address parameter.

Change-Id: Ib9d0675aaa098c21617cedc9b2b8cf267be3aec4
2015-11-06 13:14:43 -08:00
Elliott Hughes
6f4594d5dc Add preadv/pwritev.
Bug: http://b/12612572
Change-Id: I38ff2684d69bd0fe3f21b1d371b88fa60d5421cb
2015-08-26 14:48:55 -07:00
Elliott Hughes
5891abdc66 Invalidate cached pid in vfork.
Bug: http://b/23008979
Change-Id: I1dd900ac988cdbe10aad3abc53240c5d352891d5
2015-08-07 19:44:12 -07:00
Robert Jarzmik
10726d52ac libc: arch-x86: implement kernel vdso time functions
This patch give the possibility of time vdso support on 32bit kernel.
If the 32bit x86 kernel provides gettimeofday() and clock_gettime()
primitives in vdso. In this case make bionic use them. If the kernel
doesn't provide them, fallback to the legacy system call versions.

Change-Id: I87b772a9486fa356903e1f98f486ab9eb0b6f6f7
Signed-off-by: Robert Jarzmik <robert.jarzmik@intel.com>
Signed-off-by: Mingwei Shi <mingwei.shi@intel.com>
2015-07-22 01:31:38 +00:00
Elliott Hughes
b1304935b6 Hide accidentally-exposed __clock_nanosleep.
Bug: http://b/21858067
Change-Id: Iaa83a5e17cfff796aed4f641d0d14427614d9399
2015-06-15 19:39:04 -07:00
Elliott Hughes
be57a40d29 Add process_vm_readv and process_vm_writev.
Bug: http://b/21761353
Change-Id: Ic8ef3f241d62d2a4271fbc783c8af50257bac498
2015-06-10 17:24:20 -07:00
Nick Kralevich
e1d0810cd7 Add O_PATH support for flistxattr()
A continuation of commit 2825f10b7f.

Add O_PATH compatibility support for flistxattr(). This allows
a process to list out all the extended attributes associated with
O_PATH file descriptors.

Change-Id: Ie2285ac7ad2e4eac427ddba6c2d182d41b130f75
2015-06-06 11:25:41 -07:00
Nick Kralevich
2825f10b7f libc: Add O_PATH support for fgetxattr / fsetxattr
Support O_PATH file descriptors when handling fgetxattr and fsetxattr.
This avoids requiring file read access to pull extended attributes.

This is needed to support O_PATH file descriptors when calling
SELinux's fgetfilecon() call. In particular, this allows the querying
and setting of SELinux file context by using something like the following
code:

  int dirfd = open("/path/to/dir", O_DIRECTORY);
  int fd = openat(dirfd, "file", O_PATH | O_NOFOLLOW);
  char *context;
  fgetfilecon(fd, &context);

This change was motivated by a comment in
https://android-review.googlesource.com/#/c/152680/1/toys/posix/ls.c

Change-Id: Ic0cdf9f9dd0e35a63b44a4c4a08400020041eddf
2015-06-01 15:51:56 -07:00
Dan Albert
c05554ec5c Fix error handling for negative size in ftruncate.
Bug: 21309901
Change-Id: I54692ab8105dd09db6af7a2c0894a17bdd118aa0
2015-05-20 14:20:33 -07:00
Yabin Cui
40a8f214a5 Hide rt_sigqueueinfo.
Bug: 19358804
Change-Id: I38a53ad64c81d0eefdd1d24599e769fd8a477a56
2015-05-18 11:29:20 -07:00
Elliott Hughes
3391a9ff13 Simplify close(2) EINTR handling.
This doesn't affect code like Chrome that correctly ignores EINTR on
close, makes code that tries TEMP_FAILURE_RETRY work (where before it might
have closed a different fd and appeared to succeed, or had a bogus EBADF),
and makes "goto fail" code work (instead of mistakenly assuming that EINTR
means that the close failed).

Who loses? Anyone actively trying to detect that they caught a signal while
in close(2). I don't think those people exist, and I think they have better
alternatives available.

Bug: https://code.google.com/p/chromium/issues/detail?id=269623
Bug: http://b/20501816
Change-Id: I11e2f66532fe5d1b0082b2433212e24bdda8219b
2015-04-23 08:41:45 -07:00
Elliott Hughes
fa495d51b0 Hide statfs/fstatfs' ST_VALID flag from userspace.
Spotted while debugging the strace 4.10 upgrade.

Change-Id: I1af1be9c9440151f55f74a835e1df71529b0e4fe
2015-03-18 15:46:48 -07:00
Nick Kralevich
35778253a5 Fix "faccessat ignores flags"
The kernel system call faccessat() does not have any flags arguments,
so passing flags to the kernel is currently ignored.

Fix the kernel system call so that no flags argument is passed in.

Ensure that we don't support AT_SYMLINK_NOFOLLOW. This non-POSIX
(http://pubs.opengroup.org/onlinepubs/9699919799/functions/access.html)
flag is a glibc extension, and has non-intuitive, error prone behavior.

For example, consider the following code:

  symlink("foo.is.dangling", "foo");
  if (faccessat(AT_FDCWD, "foo", R_OK, AT_SYMLINK_NOFOLLOW) == 0) {
    int fd = openat(AT_FDCWD, "foo", O_RDONLY | O_NOFOLLOW);
  }

The faccessat() call in glibc will return true, but an attempt to
open the dangling symlink will end up failing. GLIBC documents this
as returning the access mode of the symlink itself, which will
always return true for any symlink on Linux.

Some further discussions of this are at:

  * http://lists.landley.net/pipermail/toybox-landley.net/2014-September/003617.html
  * http://permalink.gmane.org/gmane.linux.lib.musl.general/6952

AT_SYMLINK_NOFOLLOW seems broken by design. I suspect this is why this
function was never added to POSIX. (note that "access" is pretty much
broken by design too, since it introduces a race condition between
check and action). We shouldn't support this until it's clearly
documented by POSIX or we can have it produce intuitive results.

Don't support AT_EACCESS for now. Implementing it is complicated, and
pretty much useless on Android, since we don't have setuid binaries.
See http://git.musl-libc.org/cgit/musl/commit/?id=0a05eace163cee9b08571d2ff9d90f5e82d9c228
for how an implementation might look.

Bug: 18867827
Change-Id: I25b86c5020f3152ffa3ac3047f6c4152908d0e04
2015-02-24 13:40:43 -08:00