Commit graph

194 commits

Author SHA1 Message Date
Elliott Hughes
2b499046f1 Clean up syscall stub/seccomp filter generation.
Test: treehugger
Change-Id: Iceb1c22d82b4d402166c3712b5b8b48a30937c6d
2020-02-13 14:21:55 -08:00
Elliott Hughes
c2faf235c0 Stop generating unused headers.
These just cause confusion because they often have different
values/layouts, but they're never actually used.

Test: treehugger
Change-Id: I424034088e017c919f62fcefa7d6d3f903f31cfb
2020-02-03 17:56:06 -08:00
John Cater
e86e505b85 Fix gensyscalls.py to actually use the input argument provided in
bionic/libc/Android.bp.

Test: Built and tested bionic.
Change-Id: Ibb25990b2b1b5c18edfdaaab4f1593fa8d95f338
2019-09-26 15:02:04 -04:00
Elliott Hughes
ae03b12925 Remove global seccomp list.
Never used, and incompatible with having bionic in a mainline module.

Test: builds
Change-Id: If377f66cc105fd3a1ec4d9c92330fa6a2d2c145c
2019-09-17 16:37:05 -07:00
Elliott Hughes
50080a29f7 Remove the ___ hack.
Plain __ for generated syscalls didn't mean it was a hidden symbol, it
just meant "please don't use this". We added ___ to signify that a
hidden symbol should be generated, but then we added the map files
anyway so you now have to explicitly export symbols. Given that, this
convention serves no particular purpose so we may as well just use the
nicer names have everything look the same.

Test: treehugger
Change-Id: If424e17a49c36f4be545f5d283c4561a6ea9c7ea
2019-06-19 15:38:42 -07:00
Elliott Hughes
584bc626b6 Move libdl and linker to static NOTICE files.
The libstdc++ directory has no copyright headers, so it was a no-op
anyway.

The interesting part will be switching libc and libm over to genrules...

Test: N/A
Change-Id: Iec92562af40c451fdcb4a7468984878ec5dba2ce
2019-04-19 14:18:07 -07:00
Elliott Hughes
782c485880 Generate assembler system call stubs via genrule.
There's no need to check in generated code.

Test: builds & boots
Change-Id: Ife368bca4349d4adeb0666db590356196b4fbd63
2019-04-16 12:31:00 -07:00
Elliott Hughes
d67b03734d libc: generate syscall stubs in one big file...
...all the better to switch to a genrule rather than checking in
generated source.

This also removes all the code in the script to deal with git,
rather than fix it. We won't need that where we're going.

Test: boots
Change-Id: I468ce019d4232a7ef27e5cb5cfd89f4c2fe4ecbd
2019-04-16 00:54:11 +00:00
Elliott Hughes
c4c2e24d5f <bits/glibc-syscalls.h>: only regenerate when we have new uapi headers.
Test: update_all.py
Change-Id: Iaa92dce263197f5a0e7d2dce5e00a31372dcb3e9
2019-04-11 14:19:17 -07:00
Christopher Ferris
d842e43e1d Update to v5.0 kernel headers.
Test: Builds and boots on taimen.
Change-Id: I13843bf1ab30ea89a50852adc88f2cba8401bded
2019-03-07 11:19:22 -08:00
Martijn Coenen
0c6de75a45 genfunctosyscallnrs: maps bionic functions to syscall numbers.
Bionic maps typical C functions like setresuid() to a syscall,
depending on the architecture used. This tool generates a .h
file that maps all bionic functions in SYSCALLS.txt to the
syscall number used on a particular architecture. It can then
be used to generate correct seccomp policy at runtime.

Example output in func_to_syscall_nrs.h:

Bug: 111434506
Test: manually inspect func_to_syscall_nrs.h
Change-Id: I8bc5c1cb17a2e7b5c534b2e0496411f2d419ad86
2019-01-19 09:09:30 +01:00
Elliott Hughes
d19b3c5274 Generate the per-arch .map files at build time.
We shouldn't be checking in these generated files...

Bug: N/A
Test: ran tests
Change-Id: Ib67c1ba839eacd7acebd713e1dcd4dd2c25d67f0
2018-12-17 12:26:42 -08:00
Elliott Hughes
8251d4419f Add lp32 and lp64 shorthands to SYSCALLS.TXT.
Bug: N/A
Test: updating the generated stubs is a no-op
Change-Id: I7f6f9bcfd8c054f0a2d7e5f488eacb88cefb8d15
2018-11-09 13:57:34 -08:00
Luis Hector Chavez
fa09b3c754 seccomp: Generate the policy files at compile time
This change avoids having to run the genseccomp.py script every time a
policy file is edited, and instead generates these files at
compile-time.

Bug: None
Test: m
Test: find out/soong/ -name x86_64_global_policy.cpp  # Shows files
Test: generated policies are equivalent to original policies
Change-Id: I12461fe0c5fb02c008c1b2503fbb994b8aa2f56b
2018-08-06 11:10:25 -07:00
Luis Hector Chavez
fd3f6d7126 genseccomp.py: Add a way to better find the clang prebuilt
This change makes it possible to invoke this tool without having to
fiddle with the path.

Bug: None
Test: ./bionic/libc/tools/genseccomp.py  # Succeeded
Change-Id: Ib24d70abc973fe774cda4209e46a5b66ae7617be
2018-08-03 12:57:21 -07:00
Elliott Hughes
ab52807685 Update to FreeBSD libm r336665.
This reverts commit 253a830631 and moves
us forward to a revision that contains fixes for the problem with the
previous attempt.

This also makes sincos(3)/sincosf(3)/sincosl(3) available to `_BSD_SOURCE`
as well as `_GNU_SOURCE`.

The new FreeBSD libm code requires the FreeBSD `__CONCAT` macro, and all
our existing callers are FreeBSD too, so update that.

There's also an assumption that <complex.h> drags in <math.h> which isn't
true for us, so work around that with `-include` in the makefile. This
then causes clang to recognize a bug -- returning from a void function --
in our fake (LP32) sincosl(3), so fix that too.

Bug: http://b/111710419
Change-Id: I84703ad844f8afde6ec6b11604ab3c096ccb62c3
Test: ran tests
2018-07-24 10:36:00 -07:00
Andreas Gampe
253a830631 Revert "Update to FreeBSD libm r336523."
This reverts commit f86ee10278.

Incorrect result for fmodf(3.0f, 0f) = 1.0f breaks ART tests.

Bug: 111710419
Test: art/test/testrunner/testrunner.py -b -t 436-rem-float --target
Change-Id: I7eae68fb92740db33415d16418447bcbbd98ecba
2018-07-21 12:23:03 -07:00
Elliott Hughes
f86ee10278 Update to FreeBSD libm r336523.
This includes an ld128 powl, plus the clog* and cpow* families.

Also teach the NOTICE generator to strip SPDX-License-Identifier lines.

Bug: N/A
Test: ran tests
Change-Id: Ic8289d1253666a19468a4088884cf7540f1ec66d
2018-07-19 16:17:06 -07:00
Victor Hsieh
2f23ceda44 Block bunch of privileged syscalls to apps
Test: build, run some app
Bug: 63944145
Change-Id: I13eb56f923732e110851dec02eaa11f6cb44535c
2018-01-22 22:30:17 -08:00
Victor Hsieh
4f02dd5755 Split zygote's seccomp filter into two
To pave the way to reducing app's kernel attack surface, this change
split the single filter into one for system and one for apps.  Note that
there is current no change between them.

Zygote will apply these filters appropriately to system server and apps.

Keep set_seccomp_filter() for now until the caller has switched to the
new API, which I will do immediately after this before the two filters
diverse.

Also remove get_seccomp_filter() since it doesn't seem to be used
anyway.

Test: diff the generated code, no difference except the variable names
Test: cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145

Change-Id: Id8ba05a87332c92ec697926af77bc5742eb04b23
2018-01-04 12:28:40 -08:00
Elliott Hughes
4075e21ba8 Merge "Be more specific about POSIX obsolescence." 2017-10-20 16:50:28 +00:00
Elliott Hughes
90e3f44293 Be more specific about POSIX obsolescence.
Bug: N/A
Test: N/A
Change-Id: Iacc741d18fedbca7c6e8da9d2c64f3d86f9d136b
2017-10-19 21:52:51 -07:00
Elliott Hughes
61c9c80275 Ignore sockatmark.
I was unable to find a single use of this anywhere, and the networking
folks point out https://tools.ietf.org/html/rfc6093:

    """
    5.  Advice to New Applications Employing TCP

      As a result of the issues discussed in Section 3.2 and Section 3.4,
      new applications SHOULD NOT employ the TCP urgent mechanism.
    """

Applications that think they want to do these tricksy things should be
referred to section 3.4, wherein it's noted that these semantics are
effectively dead and it's middleboxes what killed 'em:

    """
    3.4.  Interaction of Middleboxes with TCP Urgent Indications

      As a result of the publication of Network Intrusion Detection System
      (NIDS) evasion techniques based on TCP urgent indications [phrack],
      some middleboxes clear the urgent indications by clearing the URG
      flag and setting the Urgent Pointer to zero.  This causes the "urgent
      data" to become "in line" (that is, accessible by the read(2) call or
      the recv(2) call without the MSG_OOB flag) in the case of those TCP
      implementations that interpret the TCP urgent mechanism as a facility
      for delivering "out-of-band" data (as described in Section 3.1).  An
      example of such a middlebox is the Cisco PIX firewall [Cisco-PIX].
      This should discourage applications from depending on urgent
      indications for their correct operation, as urgent indications may
      not be reliable in the current Internet.
    """

Bug: N/A
Test: N/A
Change-Id: I73280db1d803bb7bd93954c13c653fa0cd3daff9
2017-10-19 15:37:54 -07:00
Elliott Hughes
01a57d1eb6 Call fmtmsg/getdate/getdate_err useless.
They're POSIX, and they're implemented in iOS and glibc, but they're
not actually used in any codebase I have access to. They're *defined*
in several places, and some of those places have a handful of tests,
but I couldn't find a single genuine caller.

Bug: N/A
Test: N/A
Change-Id: Id3e2c36183fcff323aa5a2e3a3dabaa8378fae56
2017-10-19 15:45:04 +00:00
Elliott Hughes
ab413c535c Fix mip64 build.
Fallout from the unified sysroot work.

Bug: N/A
Test: builds
Change-Id: If0595a241b9ce0d8c8c7137ddaf8fca932487b7c
2017-10-13 13:22:24 -07:00
Elliott Hughes
62446279f3 Ignore pthread_getconcurrency/pthread_setconcurrency.
They're marked obsolescent in POSIX, don't clearly mean anything, aren't
portable because the values don't mean anything, and are no-ops in other
C libraries that do "implement" them.

Bug: N/A
Test: N/A
Change-Id: I07342a0a6a5f6616a8432bfea24ed944c7971d27
2017-10-13 10:21:37 -07:00
Elliott Hughes
d036a8dd17 Ignore endutxent.
We have no utmp, and we're ignoring getutxent/setutxent, and endutxent
belongs in the same group.

Bug: N/A
Test: N/A
Change-Id: Ide032960a0f95750f3bb8f2e62a25e5e7d25c7b6
2017-10-12 20:32:22 -07:00
Elliott Hughes
d4ca231ae2 Unified sysroot: kill arch-specific include dirs.
<machine/asm.h> was internal use only.

<machine/fenv.h> is quite large, but can live in <bits/...>.

<machine/regdef.h> is trivially replaced by saying $x instead of x in
our assembler.

<machine/setjmp.h> is trivially inlined into <setjmp.h>.

<sgidefs.h> is unused.

Bug: N/A
Test: builds
Change-Id: Id05dbab43a2f9537486efb8f27a5ef167b055815
2017-10-12 13:19:51 -07:00
Stephen Crane
77bb564dc7 Use env to invoke python
/usr/bin/python may be python3. We should respect PATH to find the python
executable so it can be locally overridden to be python2.

Test: Build libc, repo upload
Change-Id: Iaddd7cd4a1c2177c32786e4fa0fc664ab0ad36de
2017-08-31 15:11:50 -07:00
Elliott Hughes
0bfcbaf4d0 Add new status document, based on internal wiki.
Also start breaking up the monolithic top level README.md, pulling the
32-bit ABI stuff out into its own file, and moving the remaining benchmark
documentation in with the rest of the benchmark documentation.

Bug: N/A
Test: N/A
Change-Id: Ic1b9995e27b5044199ed34883cc0b8faa894df0e
2017-08-29 11:07:36 -07:00
Elliott Hughes
abf510a39f Add three more functions to the list of POSIX cruft.
It will never make sense to implement confstr, gethostid, or ulimit.

Bug: N/A
Test: N/A
Change-Id: I9cc18b8a0dbe066f0f76b842c5a5be6b8d5da436
2017-08-22 15:21:39 -07:00
dimitry
daebd05739 Fix pattern to account for '_' prefix in syscalls
Bug: http://b/64549471
Test: make
Change-Id: I7ba856a2cad29adbb028f150aeaabb9894e84d6e
2017-08-10 11:11:00 +02:00
Steve Muckle
aa3f96c9c4 Create global seccomp policy.
Enabling seccomp across all processes, rather than just zygote, is
useful for auditing the syscall usage of AOSP. Create a global seccomp
policy that can optionally be enabled by init.

Bug: 37960259
Test: confirm global seccomp by removing finit_module from policy and
      observing modprobe fail, confirm regular seccomp unchanged by
      comparing length of installed bpf
Change-Id: Iac53a42fa26a80b05126f262dd9525f4f66df558
2017-07-21 20:30:21 -07:00
Elliott Hughes
aac7c3affa Allow passing filenames to generate-NOTICE.py.
For the libandroid_support NOTICE file, we need to combine all the files
in that directory, plus the specific files pulled from bionic.

Also cleaned up some of the Python style.

Bug: N/A
Test: used for libandroid_support
Change-Id: If433e3a0f0478f06d99a9b3556e99dde06a7e5e1
2017-07-14 15:41:11 -07:00
Paul Lawrence
3dd3d55af2 Add seccomp blacklist, and exclude swap functions
Bug: 37253880
Test: Make sure device boots
      Run pylint on genseccomp.py, test_genseccomp.py
      Run test_genseccomp.py
      Run new CTS test
      cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.SeccompTest

Change-Id: I833a5364a1481d65173e77654da1798dc45a3f9d
2017-04-12 19:34:33 +00:00
Alessio Balsini
93d4f8b2fa Fix missing parse_open_file method.
gensyscalls.py was failing to execute because of a missing "self"
keyword when calling parse_open_file.

Test: manual test running gensyscalls.py.

Change-Id: I78db2cba704c5ca56a730019e36601a7ccd069f8
2017-04-11 18:27:29 +02:00
Paul Lawrence
65b47c9fe0 Fix problem that we don't block syscalls below min value
The check that we are not below the lowest permitted syscall was
off by one, so we always allowed them, rather than always denying
them

Test: Check arm64 boots, chrome and maps work
      mips and mips64 emulators boot
      Note that arm, x86 and x86_64 already allow syscall 0 so there
      will be no functional change there

Change-Id: I85873f1d04124e634e648bd47c027f280f1d6dbd
2017-03-22 09:48:17 -07:00
Paul Lawrence
89fa81fda3 Support all architectures in seccomp
Test: Make sure arm, x86, x86_64, mips, mips64 emulators boot
      Make sure sailfish still boots
      Ran CTS test from
      https://android-review.googlesource.com/#/c/348671/3 and it passed
      The instructions for how to run mips emulators above worked, but
      the CTS tests did not seem to actually run.

Change-Id: Iddee5acdb19ed32c7bd4657573313ca439cf6a49
2017-03-13 18:26:50 +00:00
Treehugger Robot
d9e52fed2a Merge "Move seccomp policy to bionic" 2017-02-28 15:36:08 +00:00
Paul Lawrence
dfe8434a62 Move seccomp policy to bionic
Test: Built and checked booted
Change-Id: Iaec1265fe5a55c4df90ab9e45b010ef36faf6bba
2017-02-27 12:42:39 -08:00
Christopher Ferris
5f41ce25c6 Merge "Update to kernel headers v4.10." 2017-02-27 20:09:54 +00:00
Paul Lawrence
98a53b7c74 Revert "Move seccomp policy to bionic"
This reverts commit 06a32206c5.

Reverting build-breaking change

Change-Id: Ib3698bca8f905033a9c7f22bc2fa9f7e7bf75873
2017-02-27 16:36:18 +00:00
Paul Lawrence
06a32206c5 Move seccomp policy to bionic
Test: Built and checked booted

Change-Id: If777eed75d5280c7a390399261e97125c04767b2
2017-02-24 12:52:19 -08:00
Paul Lawrence
7ea4090c65 Autogenerate single policy from syscalls and whitelist
Bug: 35392119
Bug: 34465958
Test: Check boots and same syscalls are blocked as before

Change-Id: I9efa97032c59aebbbfd32e6f0d2d491f6254f0a2
2017-02-23 10:46:56 -08:00
Christopher Ferris
48af7cb2e2 Update to kernel headers v4.10.
Test: Built angler, booted on angler, ran bionic unit tests.
Change-Id: Ia24511e74106116ea84b44ab724865ec492de8f9
2017-02-21 14:42:34 -08:00
Paul Lawrence
be8a2af2aa Create seccomp policy without TRAP for further processing
Bug: 34946764
Test: Make sure boots, seccomp still blocks, and is faster
Change-Id: Ib4abf4307ae545ee69a3fb9328f62c760a1b40f7
2017-02-03 09:36:45 -08:00
Paul Lawrence
3d9fc696a5 Use trap not kill in seccomp filter
Bug: 34647665
Test: Make sure boots, check that causing a seccomp failure creates a
      crash dump

Change-Id: I5ab2fe3e8322a3c38318c97d343834baa874af8d
2017-01-24 11:07:04 -08:00
Paul Lawrence
eabc352651 Add seccomp support library
Policy library which exports an autogenerated policy from SYSCALLS.TXT
blocking any other calls.

Test: Generate policy, install onto Sailfish, check boots, Chrome runs,
calls are blocked.
Bug: 32313202

Change-Id: Ib590704e50122f077eeae26561eb9b0a70386551
2017-01-19 13:38:47 -08:00
Elliott Hughes
4da06c0d64 Don't scan .swp files for copyright headers.
These are binary files, so that's not a good idea.

Bug: N/A
Test: N/A
Change-Id: If5e98df4bbbbac8a15a953be043df7d05c2b409a
2016-10-24 17:34:42 -07:00
Elliott Hughes
5ffed9b856 Move brillo closer to Android.
Hiding our legacy cruft seemed like a good idea, but in practice it will only
mean worse interoperability.

Plus we got it wrong, as the recent `putw` example showed.

Change-Id: I167c7168eff133889028089c22a7a0dfb8d6d0cf
2016-08-10 14:08:31 -07:00