Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Modify system property handling so that we get the properties
from a root owned properties file, rather than using an
environment variable.
Related to bug: 8029617
Change-Id: I5717e51f20f9e4339ed0a1fdf2fc797e52670fbb
Don't do the fortify_source checks if we can determine, at
compile time, that the provided operation is safe.
This avoids silliness like calling fortify source on things like:
size_t len = strlen("asdf");
printf("%d\n", len);
and allows the compiler to optimize this code to:
printf("%d\n", 4);
Defer to gcc's builtin functions instead of pointing our code
to the libc implementation.
Change-Id: I5e1dcb61946461c4afaaaa983e39f07c7a0df0ae
The linker is essentially a shared library, and incorporates
it's own copy of libc. Even though it's unnecessary, currently
/system/bin/linker is exporting various libc symbols (only to
apps which explicitly dlopen /system/bin/linker)
Add --exclude-libs,ALL, which tells the static linker to mark
all of the imported libc symbols as hidden. This reduces the
size of /system/bin/linker from 92K to 67K with no obvious
loss in functionality.
$ adb shell ls -l /system/bin/linker
-rwxrwxrwx root root 92260 2013-01-16 16:52 linker
$ adb shell ls -l /system/bin/linker
-rwxrwxrwx root root 67660 2013-01-16 16:49 linker
Documentation on exclude-libs can be found at
http://sourceware.org/binutils/docs-2.21/ld/Options.html
Change-Id: I4508287770e4b7a845def2e6b4af969f9c866c6a
The AT_RANDOM changes broke setuid / setgid executables
such as "ping". When the linker executes a setuid program,
it cleans the environment, removing any invalid environment
entries, and adding "NULL"s to the end of the environment
array for each removed variable. Later on, we try to determine
the location of the aux environment variable, and get tripped
up by these extra NULLs.
Reverting this patch will get setuid executables working again,
but getauxval() is still broken for setuid programs because of
this bug.
This reverts commit e3a49a8661.
Change-Id: I05c58a896b1fe32cfb5d95d43b096045cda0aa4a
Populate the stack canaries from the kernel supplied
AT_RANDOM value, which doesn't involve any system calls.
This is slightly faster (6 fewer syscalls) and avoids
unnecessarily reading /dev/urandom, which depletes entropy.
Bug: 7959813
Change-Id: If2b43100a2a9929666df3de56b6139fed969e0f1
When executing a setuid executable, filter out ANDROID_PROPERTY_WORKSPACE
from the environment. Some applications implicitly trust the property
space and don't realize that it's passed by an environment variable
which can be modified by the caller.
Change-Id: I3e3a98941f0a1f249a2ff983ecbcfe1278aa9159
This reverts commit f4b34b6c39.
The revert was only meant to apply to the jb-mr1 branch, but accidentally
leaked out into AOSP. This revert-revert gets AOSP master and internal
master back in sync.
e6e60065ff modified strerror_r to
treat errno as signed. However, the change to the test code
modified the "strerror" test, not the "strerror_r" test.
Make the same change for the strerror_r code.
Change-Id: Ia236a53df5745935e229a4446a74da8bed0cfd7b