Commit graph

201 commits

Author SHA1 Message Date
Elliott Hughes
8dc9f46a3f Fix setfsgid()/setfsuid() for LP32.
These are system calls where the "good" names are camped by
implementations that only work for 16-bit ids, and you need to say "32"
on LP32 to get sensible behavior.

Noticed when disabling CONFIG_UID16 in the kernel.

Bug: http://b/266732373
Test: llvm-objdump -d
Change-Id: Ib1b5822b030c4f86df755b129ec7b435a7f77cd3
2023-02-03 23:10:04 +00:00
Elliott Hughes
704772bda0 riscv64 syscall stub and seccomp filter generation.
These are sufficiently intertwined that they need to be done together.
riscv64 is our first primary-only architecture, so that required some
changes. The .bp changes are to support this --- we need to only show
the python scripts the architectures they'll actually be using, rather
than showing them everything and ignoring some of the results.

riscv64 is also the first architecture that post-dates the kernel's
64-bit time work, so there's a bit of extra fiddling needed to handle
the __NR3264_ indirection in the uapi headers.

Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Signed-off-by: Xia Lifang <lifang_xia@linux.alibaba.com>
Signed-off-by: Chen Guoyin <chenguoyin.cgy@linux.alibaba.com>
Signed-off-by: Wang Chen <wangchen20@iscas.ac.cn>
Signed-off-by: Lu Xufan <luxufan@iscas.ac.cn>
Test: local builds for x86-64 and riscv64
Change-Id: I74044744e80b312088f805c44fbd667c9bfcdc69
2022-10-13 23:41:53 +00:00
Elliott Hughes
6660d6c00b Rewrite renameat().
risc-v doesn't have renameat(2), only renameat2(2). Similar to other
architectures, let's make sure everyone's on the same code path by
having all implementations of renameat() go via renameat2().

I've also moved the existing rename()-in-terms-of-renameat() to be in
terms of renameat2() to cut out the middleman!

Test: treehugger
Change-Id: Ibe5e69aca5b39ea014001540bcd4fd3003e665cb
2022-10-04 20:13:49 +00:00
Evgenii Stepanov
3031a7e45e memtag_stack: vfork and longjmp support.
With memtag_stack, each function is responsible for cleaning up
allocation tags for its stack frame. Allocation tags for anything below
SP must match the address tag in SP.

Both vfork and longjmp implement non-local control transfer which
abandons part of the stack without proper cleanup. Update allocation
tags:
* For longjmp, we know both source and destination values of SP.
* For vfork, save the value of SP before exit() or exec*() - the only
  valid ways of ending the child process according to POSIX - and reset
  tags from there to SP-in-parent.

This is not 100% solid and can be confused by a number of hopefully
uncommon conditions:
* Segmented stacks.
* Longjmp from sigaltstack into the main stack.
* Some kind of userspace thread implementation using longjmp (that's UB,
  longjmp can only return to the caller on the current stack).
* and other strange things.

This change adds a sanity limit on the size of the tag cleanup. Also,
this logic is only activated in the binaries that carry the
NT_MEMTAG_STACK note (set by -fsanitize=memtag-stack) which is meant as
a debugging configuration, is not compatible with pre-armv9 CPUs, and
should not be set on production code.

Bug: b/174878242
Test: fvp_mini with ToT LLVM (more test in a separate change)

Change-Id: Ibef8b2fc5a6ce85c8e562dead1019964d9f6b80b
2022-05-27 13:19:34 -07:00
zijunzhao
c2e412e086 Add copy_file_range(2) syscall stub to bionic.
Test: treehugger
Bug: https://buganizer.corp.google.com/issues/227784687
Change-Id: I543306cd2234189401bf7c9d80d405eeb6e4d41d
2022-05-12 16:53:41 +00:00
Maciej Żenczykowski
b65e105047 add new Linux close_range() system call to bionic
See:
  https://man7.org/linux/man-pages/man2/close_range.2.html

Note: 'man close_range' documents 'flags' as unsigned int,
while glibc unistd.h as just 'int'.  Picking 'int' to match glibc,
though it probably doesn't matter.

BYPASS_INCLUSIVE_LANGUAGE_REASON=man is a cli command
Test: TreeHugger
Bug: 229913920
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1e2d1c8edc2ea28922d60f3ce3e534a784622cd1
2022-05-06 10:33:04 +00:00
Alessio Balsini
5afe3f8a6a Allow bpf() syscall
The implementation of FUSE BPF requires the FUSE daemon to access BPF
functionalities, i.e., to get the fd of a pinned BPF prog and to update
maps.
In Android the FUSE daemon is part of MediaProvider which, belonging to
the apps domain, can only access the subset of syscalls allowed by
seccomp, of which bpf() is currently blocked.

This patch removes this limitation by adding the bpf() syscall to the
allowed seccomp syscalls.

Allowing the bpf() syscall is safe as its usage is still gated by
selinux and regular apps are not allowed to use it.

Bug: 202785178
Test: m
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I5887e8d22906c386307e54d3131c679fee0d9f26
2021-12-01 21:32:08 +00:00
Elliott Hughes
cf59e19e22 Add preadv2/pwritev2 wrappers.
They're in glibc, though not in musl.

Also add basic doc comments to the whole of <sys/uio.h>.

Bug: http://b/203002492
Test: treehugger
Change-Id: Ic607f7f349e5b7c9bf66c25b7bd68f827da530d6
2021-10-18 12:58:47 -07:00
Elliott Hughes
de1cf85795 Use lp64 rather than explicitly saying "arm64,x86_64".
We'd missed a couple, but these seem to be the last...

Test: treehugger
Change-Id: Ic9808c5171b6c826d2d251c14687142280331efd
2021-09-07 09:17:14 -07:00
Bram Bonné
bca8a4474b Revert "Reland: Soft-enable MAC address restrictions with allowlist."
Revert "Updates CTS tests for MAC address restrictions."

Revert submission 1528409-mac-softrestrict

Reason for revert: App compatibility
Reverted Changes:
I74a50b990:Return anonymized MAC for apps targeting SDK < 30
I8738f7912:Reland: Soft-enable MAC address restrictions with ...
Id13670747:Updates CTS tests for MAC address restrictions.

Change-Id: I64e17cb04acf2862bc657e60694067a456b4f936
2021-04-08 11:39:33 +02:00
Elliott Hughes
39899f592b Fix return type of process_madvise().
Noticed this from
https://man7.org/linux/man-pages/man2/process_madvise.2.html but
independently confirmed by checking the kernel source.

Also fix the documentation.

Test: treehugger
Change-Id: I6beeeeb2178a58a22a36532e634917b3ae8767ee
2021-04-06 16:38:37 -07:00
Josh Gao
3de19151e5 Add wrappers for pidfd_{open,getfd,send_signal}.
Bug: http://b/172518739
Test: `/data/nativetest64/bionic-unit-tests/bionic-unit-tests --gtest_filter="*pidfd*"` on blueline
Change-Id: Ibae32bbedbcf26535a80a5cbfb55ce180906b610
2021-02-25 13:55:12 -08:00
Edgar Arriaga
128ef8e981 Add bionic headers for process_madvise
Test: atest bionic-unit-tests-static
Bug: 173258203
Change-Id: I396945b95de364055b87cc53321aed4fad4ebc70
2021-01-14 19:34:40 -08:00
Bram Bonné
95ca52a7d6 Reland: Soft-enable MAC address restrictions with allowlist.
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.

This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.

Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.

If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.

Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Test: Call bind() on a AF_UNIX socket with its protocol set to
NETLINK_ROUTE, confirm it can succeed.
Test: Verify that previously broken apps are no longer broken.

Change-Id: I8738f7912fdc816e0d30205557728ff9e84bf7e6
2020-12-15 16:52:58 +01:00
Bram Bonné
9e97280414 Revert "Soft-enable MAC address restrictions with allowlist."
Revert "Updates CTS tests for MAC address restrictions."

Revert submission 1518603-soft-restrict-mac

Reason for revert: Missing type check
Reverted Changes:
I0488932de:Soft-enable MAC address restrictions with allowlis...
Idb9d940e4:Updates CTS tests for MAC address restrictions.
I9461f287e:Return anonymized MAC for apps targeting SDK < 30

Change-Id: I7e8e593518088ff5c8f6083b34e6966852475b9b
2020-12-14 14:14:23 +01:00
Bram Bonné
0ba499896a Soft-enable MAC address restrictions with allowlist.
Soft-limits apps from calling bind() on NETLINK_ROUTE sockets, and
getting link info through getifaddrs(), while still allowing apps on the
allowlist to temporarily perform these actions.

This is different from existing behavior, where apps targeting an API
level < 30 were exempted from this restriction.

Actual enforcement will happen through SELinux (as is currently the
case for apps targeting API >= 30). This temporary change will then be
reverted.

If you arrived at this change due to an app showing unexpected behavior,
please file a bug at go/netlink-bug.

Bug: 170188668
Bug: 170214442
Test: Call bind() on NETLINK_ROUTE for an app on the allowlist.
Test: Call bind() on NETLINK_ROUTE for an app not on the allowlist.
Test: Call getifaddrs() for an app on the allowlist.
Test: Call getifaddrs() for an app not on the allowlist.
Change-Id: I0488932deea2a7211e55a24bc33bfa3cfb16fba2
2020-12-10 11:55:45 +01:00
Josh Gao
b107eab5ef fdtrack: add wrapper for socketpair.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I8b25accf00dc01f6fab351f3ba612f6b0ff9d094
2020-04-29 17:21:16 -07:00
Josh Gao
7de412443d fdtrack: add wrapper for eventfd.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I59013f0c4da0debbcc50269c64ae9db0cdc4eaa0
2020-04-29 17:21:16 -07:00
Josh Gao
a38331d833 fdtrack: add wrappers for epoll_create, epoll_create1.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I6c881e5d67596c543526536541d5b8086e21d9e9
2020-04-29 17:21:16 -07:00
Josh Gao
1fad5283a0 fdtrack: add wrappers for pipe, pipe2.
Bug: https://issuetracker.google.com/154450436
Test: bionic-unit-tests
Change-Id: I66826f312a65ab9f1bd8193bf684e330baa952dc
2020-04-29 17:21:16 -07:00
Elliott Hughes
733cedd1c4 Add a libc wrapper for statx(2).
Bug: http://b/127675384
Bug: http://b/146676114
Test: treehugger
Change-Id: I844edc12f62717e579870a040cf03dfe60dc280b
2020-02-23 11:36:53 -08:00
Elliott Hughes
2b499046f1 Clean up syscall stub/seccomp filter generation.
Test: treehugger
Change-Id: Iceb1c22d82b4d402166c3712b5b8b48a30937c6d
2020-02-13 14:21:55 -08:00
Josh Gao
97271920bf Add a tool to track down fd leaks.
Add a hook that's called upon file descriptor creation to libc, and a
library that uses it to capture backtraces for file descriptor creation,
to make it easier to hunt down file descriptor leaks.

Currently, this doesn't capture all of the ways of creating a file
descriptor, but completeness isn't required for this to be useful as
long as leaked file descriptors are created with a function that is
tracked. The primary unhandled case is binder, which receives file
descriptors as a payload in a not-trivially-parsable byte blob, but
there's a chance that the leak we're currently trying to track down
isn't of a file descriptor received over binder, so leave that for
later.

Bug: http://b/140703823
Test: manual
Change-Id: I308a14c2e234cdba4207157b634ab6b8bc539dd9
(cherry picked from commit b7eccd4b15)
2020-01-30 13:55:10 -08:00
Elliott Hughes
51d158f38d Fix a few incorrect types in SYSCALLS.TXT.
Nothing that actually affected the generated code.

Test: treehugger
Change-Id: I14b3a5f4608d9f446beb1d039bc434a214632a6b
2020-01-06 14:29:06 -08:00
Elliott Hughes
3d24d2b088 Add memfd_create(2) and mlock2(2).
These are old enough now that the latest devices will have kernels that
support them.

Also add basic doc comments to <sys/mman.h>.

Test: treehugger
Change-Id: I1b5ff5db0b6270f5c374287cac1d6a751a0259f5
2019-08-05 16:31:08 -07:00
Elliott Hughes
05b675e8bf Add renameat2.
Bug: http://b/127675384
Test: new tests
Change-Id: Ia2e3d5679180391ca98e62fa429fa11cbf167507
2019-08-02 09:09:59 -07:00
Elliott Hughes
b2bd7c575e Merge "libnetd_client: support hooking sendto/sendmsg/sendmmsg too." 2019-06-24 15:04:25 +00:00
Elliott Hughes
5c6a3f9fbc libnetd_client: support hooking sendto/sendmsg/sendmmsg too.
Samsung has asked for this for KNOX.

Test: treehugger
Change-Id: Iffaace9f8cb265ce8c911472989c9829cbf91a42
2019-06-20 08:32:24 -07:00
Elliott Hughes
50080a29f7 Remove the ___ hack.
Plain __ for generated syscalls didn't mean it was a hidden symbol, it
just meant "please don't use this". We added ___ to signify that a
hidden symbol should be generated, but then we added the map files
anyway so you now have to explicitly export symbols. Given that, this
convention serves no particular purpose so we may as well just use the
nicer names have everything look the same.

Test: treehugger
Change-Id: If424e17a49c36f4be545f5d283c4561a6ea9c7ea
2019-06-19 15:38:42 -07:00
Elliott Hughes
782c485880 Generate assembler system call stubs via genrule.
There's no need to check in generated code.

Test: builds & boots
Change-Id: Ife368bca4349d4adeb0666db590356196b4fbd63
2019-04-16 12:31:00 -07:00
Elliott Hughes
8251d4419f Add lp32 and lp64 shorthands to SYSCALLS.TXT.
Bug: N/A
Test: updating the generated stubs is a no-op
Change-Id: I7f6f9bcfd8c054f0a2d7e5f488eacb88cefb8d15
2018-11-09 13:57:34 -08:00
Elliott Hughes
5905d6f879 Add sigset64_t and accompanying functions.
This doesn't address `struct sigaction` and `sigaction`. That will
come later.

Bug: http://b/72493232
Test: ran tests
Change-Id: I4134346757ce3a4dac6feae413361cec16223386
2018-01-30 18:47:16 -08:00
Elliott Hughes
2180978c88 Fix SYSCALLS.TXT now clock_getres comes from the vdso.
Bug: N/A
Test: ran tests
Change-Id: I122066992e1ab1aa38beed256103c3a22fd05a6f
2017-12-11 11:40:40 -08:00
Elliott Hughes
8465e968a8 Add <sys/random.h>.
iOS 10 has <sys/random.h> with getentropy, glibc >= 2.25 has
<sys/random.h> with getentropy and getrandom. (glibc also pollutes
<unistd.h>, but that seems like a bad idea.)

Also, all supported devices now have kernels with the getrandom system
call.

We've had these available internally for a while, but it seems like the
time is ripe to expose them.

Bug: http://b/67014255
Test: ran tests
Change-Id: I76dde1e3a2d0bc82777eea437ac193f96964f138
2017-09-29 05:31:35 +00:00
Elliott Hughes
896362eb0e Add syncfs(2).
GMM calls this system call directly at the moment. That's silly.

Bug: http://b/36405699
Test: ran tests
Change-Id: I1e14c0e5ce0bc2aa888d884845ac30dc20f13cd5
2017-08-24 16:31:49 -07:00
Miodrag Dinic
a301e73475 MIPS64: move fstat64/fstatat64/_flush_cache syscalls to SECCOMP_WHITELIST.TXT
fstat64/fstatat64/_flush_cache were accidentally put in SYSCALLS.TXT in:
    https://android-review.googlesource.com/#/c/390454/

This patch just moves them to SECCOMP_WHITELIST.TXT because we do not
want stubs accidenatally generated for the mentioned syscalls using
gensyscalls.py script.

This commit does not introduce any functional changes to mips64_policy.cpp.

Test: Run genseccomp.py -> File seccomp/mips64_policy.cpp not changed.
Test: Run gensyscalls.py -> INFO:root:no changes detected!

Change-Id: I3b527b3d9f18715c44a4e6ddc6db6e49f48f4890
Signed-off-by: Miodrag Dinic <miodrag.dinic@imgtec.com>
2017-06-15 10:25:09 +02:00
Goran Ferenc
996f6decfa MIPS: 32/64-bit VDSO support
File libc/SYSCALLS.TXT is updated to generate bionic's system call wrappers
for clock_gettime() & gettimeofday() that will be called if kernel vdso
implementations fail to execute.
The system call wrappers are generated using a python script gensyscalls.py.

Since all architectures support vdso now, there is no more need for conditional
statements regarding supported architectures in libc/bionic/vdso.cpp &
libc/private/bionic_vdso.h files.

Test: builds
Change-Id: I7213f29c179a7929851499d78a72900638ae861a
Signed-off-by: Goran Ferenc <goran.ferenc@imgtec.com>
2017-06-01 08:50:57 -07:00
Lazar Trsic
dd5bd456fb [MIPS64] Enable necessary mips64 syscalls in seccomp whitelist
Allow execution of: newfstatat, fstat and cacheflush syscalls
for mips64 arch.

Test: Boot mips64 emulator to homescreen with 3.18 kernel.
emulator -kernel prebuilts/qemu-kernel/mips64/3.18/kernel-qemu2

Change-Id: Ib5d6b0060f3e17b64d86fc944aa83a5240d512f8
2017-05-05 15:37:11 +02:00
Treehugger Robot
04a3b24d7e Merge "Correct the return types of readv and writev." 2016-11-30 19:26:06 +00:00
Elliott Hughes
8f0e42fda6 Fix getpriority/setpriority types.
Bug: N/A
Test: builds
Change-Id: Ica099bae04a0260871783452811a54672094ba4a
2016-11-29 15:14:11 -08:00
Josh Gao
753361a981 Correct the return types of readv and writev.
readv and writev should return ssize_t, not int.

Bug: none
Test: `m checkbuild` on bullhead
Change-Id: I934c2e8cb7bf76384b63cedfeab88e2f6b65971a
2016-11-29 14:26:15 -08:00
Elliott Hughes
2b9605fec4 Fix various <sys/socket.h> prototypes.
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_socket.h.html

Interestingly, recvmmsg/sendmmsg do actually return int, unlike their
recv/recvmsg/sendv/sendvmsg siblings.

The generated assembler stubs don't actually change.

Change-Id: If71cd02431903774de9bbce77fbedf6b03f90c0f
2016-08-16 13:37:24 -07:00
Elliott Hughes
4ce902c30e Support 32-bit ARM vdso.
Linux 4.1 added this.

Bug: http://b/19198045
Change-Id: I28be802ff403a61dd6733a001411b3ff05fef5a5
2016-07-12 13:55:51 -07:00
Elliott Hughes
8963dd337e Make all rt_sigtimedwait signatures match.
There's no change to the generated stubs, because the script only cares
that this is a pointer type, not what it's a pointer to.

Change-Id: I766720965f0f3d201fc90677a076b26870485377
2016-05-23 11:20:19 -07:00
Elliott Hughes
eafad49bd6 Add <sys/quota.h>.
It turns out that at least the Nexus 9 kernel is built without CONFIG_QUOTA.
If we decide we're going to mandate quota functionality, I'm happy for us to
be a part of CTS that ensures that happens, but I don't want to be first, so
there's not much to test here other than "will it compile?". The strace
output looks right though.

Bug: http://b/27948821
Bug: http://b/27952303
Change-Id: If667195eee849ed17c8fa9110f6b02907fc8fc04
2016-04-06 11:06:09 -07:00
Elliott Hughes
7f72ad4d6c Add sync_file_range to <fcntl.h>.
Bug: http://b/27952303
Change-Id: Idadfacd657ed415abc11684b9471e4e24c2fbf05
2016-04-05 12:17:22 -07:00
Greg Hackmann
e2faf07d65 Add {get,set}domainname(2)
{get,set}domainname aren't in POSIX but are widely-implemented
extensions.

The Linux kernel provides a setdomainname syscall but not a symmetric
getdomainname syscall, since it expects userspace to get the domain name
from uname(2).

Change-Id: I96726c242f4bb646c130b361688328b0b97269a0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2016-03-25 14:16:58 -07:00
Elliott Hughes
5f26c6bc91 Really add adjtimex(2), and add clock_adjtime(2) too.
Change-Id: I81fde2ec9fdf787bb19a784ad13df92d33a4f852
2016-02-03 13:19:10 -08:00
Greg Hackmann
3f3f6c526b Add adjtimex
Change-Id: Ia92d35b1851e73c9f157a749dba1e98f68309a8d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2016-01-28 13:41:22 -08:00
Daniel Micay
4200e260d2 fix the mremap signature
The mremap definition was incorrect (unsigned long instead of int) and
it was missing the optional new_address parameter.

Change-Id: Ib9d0675aaa098c21617cedc9b2b8cf267be3aec4
2015-11-06 13:14:43 -08:00