This commit allows users to create a link without soname filters between
two linker namespaces.
The motivation is to establish one-way shared library isolation. For
example, assume that there are two linker namespaces `default` and
`vndk`. We would like to limit the shared libraries that can be used by
the `default` namespace. In the meanwhile, we would like to allow the
`vndk` namespace to use shared libs from the `default` namespace if the
soname cannot be find in the search path or loaded sonames of the `vndk`
namespace.
shared_libs = %VNDK_CORE_LIBRARIES%
shared_libs += %VNDK_SAMEPROCESS_LIBRARIES%
vndk <-------------------------------------------- default
\_______________________________________________/^
allow_all_shared_libs = true
android_link_namespaces_all_libs() is added to libdl, but it is
versioned as LIBC_PRIVATE. android_link_namespaces_all_libs() is only
for unit tests.
Bug: 69824336
Test: adb shell /data/nativetest/linker-unit-tests/linker-unit-tests32
Test: adb shell /data/nativetest64/linker-unit-tests/linker-unit-tests64
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
Test: adb shell /data/nativetest64/bionic-unit-tests/bionic-unit-tests
Test: Update /system/etc/ld.config*.txt and check whether the vndk
linker namespace of the vendor process can access the shared libs from
the default linker namespace.
Change-Id: I2879f0c5f5af60c7e56f8f743ebd2872e552286b
There were a bunch more unreasonable/incorrect ones, but these ones
seemed legit. Nothing very interesting, though.
Bug: N/A
Test: ran tests, benchmarks
Change-Id: If66971194d4a7b4bf6d0251bedb88e8cdc88a76f
This change addresses multiple problems introduced by
02586a2a34
1. In the case of unsuccessful dlopen the failure guard is triggered
for two namespaces which leads to double unload.
2. In the case where load_tasks includes libraries from 3 and more
namespaces it results in incorrect linking of libraries shared between
second and third/forth and so on namespaces.
The root cause of these problems was recursive call to find_libraries.
It does not do what it is expected to do. It does not form new load_tasks
list and immediately jumps to linking local_group. Not only this skips
reference counting it also will include unlinked but accessible library
from third (and fourth and fifth) namespaces in invalid local group. The
best case scenario here is that for 3 or more namesapces this will
fail to link. The worse case scenario it will link the library
incorrectly with will lead to very hard to catch bugs.
This change removes recursive call and replaces it with explicit list of
local_groups which should be linked. It also revisits the way we do
reference counting - with this change the reference counts are updated after
after libraries are successfully loaded.
Also update soinfo_free to abort in case when linker tries to free same
soinfo for the second time - this makes linker behavior less undefined.
Test: bionic-unit-tests
Bug: http://b/69787209
Change-Id: Iea25ced181a98c6503cce6e2b832c91d697342d5
This reverts commit 58554ccb8a.
causes /vendor/bin/qseecomd to hit the new abort:
[ 8.983301] c5 603 DEBUG: Abort message: 'soinfo=0x7147894cd0 is not in soinfo_list (double unload?)'
Bug: http://b/69909887
Bug: http://b/69787209
Change-Id: Ied38f797e0a071a1acc5ed41adf1b45e855143c7
In the case of unsuccessful dlopen the failure guard is triggered
for two namespaces which leads to double unload.
Also update soinfo_free to abort in case when linker tries to free same
soinfo for the second time - this makes linker behavior less undefined.
Test: bionic-unit-tests
Bug: http://b/69787209
Change-Id: I886787ee021b050667f967bce7aa2708390886ea
Added a test to make sure linker produces correct error message
when user attempts to load a library in a linked namespace and fails.
Bug: http://b/67866190
Bug: http://b/64950640
Bug: http://b/64888291
Test: bionic-unit-test --gtest_filter=dlext*
Change-Id: I5b5c2070d1388eff123118350b2b5c8fc7571a29
The executable flag might not be present for the executable segment
if the code is being handled by native bridge implementation. This
commit changes the test to restore executable flag for first segment
if it was removed.
Test: bionic-unit-tests
Change-Id: Ie930539135edc4db3245574b5cbe476aa1ad49c7
dlext.ns_shared creates a child namespace, which is isolated & shared,
from the default namespace. It then checks whether a lib that was loaded
in the parent(=default) namespace *after* the child namespace is created
is not accessible to the child namespace. Because this test is using the
default namespace as a parent namespace, the test result is dependent on
the specific configuration of the default namespace, which isn't
desirable.
Specifically, since ANDROID_NAMESPACE_TYPE_SHARED now copies search
paths and permitted paths of the parent namespace to the child namespace,
a lib that is accessible to the former is also accessible to the latter
even if the lib hasn't been shared when creating the latter. So, the
result of the test varies depending on whether the default namespace has
permitted paths or not. (if it is configured as an isolated namespace
and has permitted paths, then the test fails).
In order to make this test be independent from how the default namespace
is configured, a parent namespace is explicitly created and the child
namespaces are created from the parent namespace, not from the default
namespace.
Bug: 65189955
Test: bionic-unit-tests --gtest_filter=dlext.ns_shared successful
Test: the same test successful when the default namespace is configured
as follows
namespace.default.isolated = true
namespace.default.permitted_paths = ...:/data
Change-Id: Ifa33c6c42f8c327b2b1c380c7abba8e8f1afee82
Strictly, the mode isn't really meaningful unless you supply O_EXCL,
but the kernel will take it and fstat will return it even if you
never give the file a name.
Also warn for O_TMPFILE without a mode at compile time where possible.
Bug: N/A
Test: ran tests
Change-Id: I729b6d6e6190676fd017a1190b6200bf9abdbfd8
With this, stack frame 0 is the abort, not tgkill.
arm:
#00 pc 0001a41c /system/lib/libc.so (abort+63)
arm64:
#00 pc 000000000001d75c /system/lib64/libc.so (abort+120)
Also "include what you use" for <sys/syscall.h>.
Bug: N/A
Test: ran `crasher abort` and `crasher64 abort`
Change-Id: I6517ac67b39b4133e890d52efc115071c812958b
greylist is needed only for application namepaces. Since we started using
linker-namesapces for vendors and other platform apps linker should not
enable greylist workaround by default.
Bug: http://b/37731053
Bug: https://issuetracker.google.com/38146125
Test: sailfish builds and boots
Test: bionic-unit-tests and linker-unit-tests pass
Change-Id: Iee83db6fb1ae754f5ade18491321d9bca3b5ead4
(cherry picked from commit e8ffe56a9c)
Make shared namespace inherit namespace links and
search/permitted paths from the parent namespace.
Bug: http://b/37854032
Test: bionic_unit_tests --gtest_filter=dl*:Dl*
Change-Id: I174661d4a1dd0cbe4a378179073719aa955f3592
(cherry picked from commit ec43dd6c36)
DlExtRelroSharingTest.VerifyMemorySaving verifies whether
android_dlopen_ext(ANDROID_DLEXT_USE_RELRO) really saves memory.
This patch compares Pss of the tested library rather than total
Pss of the process, in case different behavior of dlopen() and
android_dlopen_ext() introduces random Pss usage.
Test: DlExtRelroSharingTest.VerifyMemorySaving
Change-Id: I696eca736018fca5d9ec9385ac1c79ced280281d
This change adds two tests for dlopen from temporary files.
1. One Uses memfd_create() can be used to load libraries directly
from memory. This requires relaxing namespace accessibility check
in order to make this work in isolated namespaces.
2. Another checks that open with O_TMPFILE works.
Bug: http://b/37245203
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: I3be1d7198ca17e7f1ba022a0d86c64d59a493506
(cherry picked from commit bb8b22a087)
Do not load second copy of libraries that are supposed to
be provided by linked namespaces. Also do not print
error in the log if caller tries to open shared library
using absolute path for apps targeting N+.
Bug: http://b/35454141
Bug: http://b/26833548
Bug: http://b/35338922
Test: run bionic-unit-tests --gtest_filter=dl*
Change-Id: Icf3aeedff18d287d2ba0b3df3808b100f3ef5f7a
This commit updates interface of libdl.c.
1. android_init_namespaces is replaces with android_init_anonymous_namespace
2. added 2 arguments to android_create_namespace to specify linked namespace
and the list of shared libraries sonames.
3. symbol lookup does not get past boundary libraries (added check and test for it).
Bug: http://b/26833548
Bug: http://b/21879602
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: I32921da487a02e5bd0d2fc528904d1228394bfb9
Replace public library list with shared lib sonames
which are property of a link between namespaces
This change does not touch any external interfaces
so from outside it behaves almost as it was before
One significant difference is that there is no longer
need to preload public libraries.
Bug: http://b/26833548
Test: bionic-unit-tests --gtest_filter=dl*:Dl*
Change-Id: I57e44e18a9b4f07dcd6556436346be52f52b79d7
Also add another test for dlsym(RTLD_NEXT, ..)
Bug: http://b/33106624
Test: run bionic-unit-tests-glibc and bionic-unit-tests
Change-Id: I340165d66bf2360b0e3273d3561a08cb5e7bd025
Replace references to ANDROID_DATA enviroment variable with references
to g_testlib_root.
Bug: http://b/22182538
Test: build and run bionic-unit-tests --gtest_filter=dl*:Dl*
Test: make cts && cts-tradefed run singleCommand cts --skip-preconditions -m CtsBionicTestCases
Change-Id: I5667e991551cec55b9b664f2f0063039671ff34b
Instead of creating symlinks in build time and then relying
on usage of adb sync (adb push follows symlinks) - create
them in test run time.
Test: mm && run bionic-unit-tests --gtest_filter=dl*:Dl*
Bug: http://b/22182538
Change-Id: I9d2a873e3ba303533c14ba5e3b779e4a67925462
Move libraries used in bionic-unit-tests out of system partition to
/data/nativetests../bionic-loader-test-libs
Bug: http://b/22182538
Test: build bionic and run bionic-unit-tests
Change-Id: I170177bef782839d0b4970ae4418bf54d0a77836
This CL adds initialization of inode for the main executable
which enables linker to resolve the correct soinfo when
application calls dlopen with absolute path to the
main executable.
Bug: http://b/28420266
Change-Id: I102e07bde454bd44c6e46075e3faeeb5092830d8
This change enables apps to share libraries opened
with RTLD_GLOBAL between different classloader namespaces.
The new parameter to create_namespace allows native_loader
to instruct the linker to share libraries belonging to
global group from a specified namespace instead of
using the caller_ns.
Bug: http://b/28560538
Bug: https://code.google.com/p/android/issues/detail?id=208458
Change-Id: I5d0c62730bbed19cdeb16c7559c74aa262a2475f
They are intended for platform use only and we shouldn't have them
in the public header file.
Bug: http://b/28174921
Change-Id: Ib9b3d0fa9442cfa2e784a693ad567d1444d774e5
linker didn't remove link to the soinfo from shared
namespaces on soinfo_unload, because it didn't keep
record of all namespaces the library is added to.
This change adds test for this and also fixes the
problem by introducing list of secondary namespaces
to soinfo, which is used to remove soinfo in
soinfo::remove_all_links().
Bug: http://b/28115950
Change-Id: Ifbf6e54f92fa6e88f86b6a8dd6dc22d4553afd22
Handle no longer is a pointer to soinfo of
a corresponding library. This is done to
prevent access to linker internal fields.
Bug: http://b/25593965
Change-Id: I62bff0d0e5b2dc842e6bf0babb30fcc4c000be24
Print properties of the namespace on "library is not accessible"
error to better diagnose problems with native library accessiblity
Bug: http://b/27406143
Change-Id: Icf3d6c604f09dfa015de863fdb1267d343930d2a
(cherry picked from commit 350bdad61c)
dlclose used to unmap the part of the reserved region
for ANDROID_DLEXT_RESERVED_ADDRESS that was neccessary
to map PT_LOAD segments. With this change dlclose
replaces mapped PT_LOAD segments with a PROT_NONE,
MAP_ANONYMOUS | MAP_NORESERVE.
Previously caller was unmapping the reserved region after
the failed dlclose which led to race condition when someone
else reused the region freed by dlclose but before the unmap
by the chromium code.
Bug: http://code.google.com/p/chromium/issues/detail?id=568880
Change-Id: I0f5eaa2bf6641f83dde469b631c518482acc59a2
Roll our own version of zipalign so that we can break the dependency
on the build tools zipalign. This breaks the transitive dependency
on androidfw so that building bionic unit tests in brillo works again.
Also modify the DlExtTest.ExtInfoUseFdWithOffset test so it dynamically
gets the offset of the shared library inside of the zip instead of
hard-coding the value.
Bug: 25446938
Change-Id: Idfb5d3089960a94eefa2c76e03da1ad2f4d7fb2f
Shared namespaces clone the list of loaded native
libraries from the caller namespace. This allows
classloaders for bundled apps to share already loaded
libraries with default namespace.
Bug: http://b/22548808
Bug: http://b/26165097
Change-Id: I8949d45937fdb38e1f586ff0679003adac0d9dad
(cherry picked from commit e78deef364)
The permitted_when_isolated_path is a way to white-list
directories not present in search-path. It is ignored for
not isolated namespaces.
Bug: http://b/25853516
Bug: http://b/22548808
Change-Id: Ib1538037268eea69323ea49968a34a4a1d1938a5
dlopen on isolated namespaces should be able to open
public libraries using absolute path not only soname.
Bug: http://b/25853820
Change-Id: If574a67853dc51226f0f376e9e2d108316002f84
The anonymous namespace is introduced to
handle cases when linker can not find the
caller. This usually happens when caller
code was not loaded by dynamic linker;
for example mono-generated code.
Bug: http://b/25844435
Bug: http://b/22548808
Change-Id: I9e5b1d23c1c75bc78548d68e79216a6a943a33cf
This fixes the bug with using the libraries loaded
prior to android_set_target_sdk_version call.
Bug: http://b/22548808
Change-Id: I3ca2d367b0fa930a437bbb65f780834803d2ef0a