When using memfd for cross process communication, we always need to seal
the file size, otherwise a remote process can shrink the size we memory
mapped and thus crash the originating process, causing a DoS
Bug: 294609150
Test: Build
Ignore-AOSP-First: security
Change-Id: Ibc263c4f78df897e884378e3d984a188ca8772c7
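
An added illustration of the size sealing this commit message describes, not code from AOSP or MemoryHeapBase: the owner of a Linux memfd seals its size, the receiver checks the seals before mapping, and a shrink attempt then fails with EPERM. The function names and the choice of F_SEAL_SHRINK plus F_SEAL_GROW as the seal set are assumptions made for the example.

```c
/* Added example, not AOSP code: pin a memfd's size before sharing the fd. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Linux UAPI values, for libcs that only expose them under _GNU_SOURCE. */
#ifndef MFD_ALLOW_SEALING
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW 0x0004
#endif
#define SIZE_SEALS (F_SEAL_SHRINK | F_SEAL_GROW) /* assumed seal set */

/* Owner: create a memfd of `size` bytes; if `seal`, fix its size for good. */
int make_shared_region(off_t size, int seal) {
    int fd = (int)syscall(SYS_memfd_create, "demo_heap",
                          MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (ftruncate(fd, size) != 0 ||
        (seal && fcntl(fd, F_ADD_SEALS, SIZE_SEALS) != 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receiver: check this before mmap()ing an fd that came from another process. */
int size_is_sealed(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & SIZE_SEALS) == SIZE_SEALS;
}

/* Stand-in for the remote peer: 0 if the shrink worked, else errno. */
int peer_try_shrink(int fd) {
    return ftruncate(fd, 0) == 0 ? 0 : errno;
}

int main(void) {
    int open_fd = make_shared_region(4096, 0), sealed_fd = make_shared_region(4096, 1);
    printf("unsealed: shrink -> %d\n", peer_try_shrink(open_fd));
    printf("sealed:   shrink -> %d (EPERM=%d)\n", peer_try_shrink(sealed_fd), EPERM);
    return 0;
}
```

Without the seal, the shrink succeeds and any later access to the owner's existing mapping beyond the new end of file raises SIGBUS, which is the crash the message refers to.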
Fix the build errors like https://android-build.googleplex.com/builds/pending/P56005836/aosp_arm64-userdebug/latest/view/logs/build.log
Bugs: b/245972273
Test: mm -j
Change-Id: I8edeace5afddc2cf6783899c889a3f2a542156a3
MemoryHeapBase currently logs fatal on passing invalid flags.
Since we control flags combinations as compile time constants within an
enum, we can enforce that all the enum values pass valid flag combos in
order to remove the fatal flag checks.
This avoids aborts in fuzzers consuming the enum value. If a user passes
MEMFD_ALLOW_SEALING_FLAG without FORCE_MEMFD set (not possible if using
the enum values), then the flag is silently ignored.
Test: atest binderUnitTest
Bug: 224667194
Change-Id: Iab90c8b0926ac32f01bb1489bf954c136dd2953f
The default behavior of MemoryHeapBase is to request memory from
ashmem in libcutils. This library is being used to migrate from
ashmem to memfd, but on supported devices, memfd is still debug
only in order to sanitize expectations of callees of the library.
As such, we add a flag to explicitly request memfd files, as well
as to opt into file sealing of memfd files.
Note: the calling process will have to modify selinux permissions
to allow tmpfs access to the domains accessing the shared buffer.
This is more secure than ashmem as granular access can be specified.
See audioserver_tmpfs in system/selinux for examples.
Test: Expected mappings received in Audioflinger for flag combos.
atest binderMemoryHeapBaseUnitTest
Change-Id: I893f7846f4d16b8ccc7f407fb957dccd9ebe62d7
When creating a MemoryHeapBase around a file descriptor provided by a
different process, either via an fd or a device name, the existing
code would attempt to map it with PROT_WRITE, unconditionally, which
would result in a failure to map.
With this change, we omit PROT_WRITE from the mapping whenever the
READ_ONLY flag is set, but only when accessing via one of these ctors.
The ctor that allocates a new ashmem region continues to work as
before, with the caller process having write access, but any other
process not having it.
Test: atest -p frameworks/native/libs/binder
Change-Id: Iab3583d841c3dceed1a7cb61e922a85104b4b00b
Bug: N/A
Test: build w/o -Wno-c++98-compat-extra-semi
Merged-In: I632d6df9a03485e547a6e7f14df0f1c068066c1e
Change-Id: I632d6df9a03485e547a6e7f14df0f1c068066c1e
Change MemoryHeap offset to use off_t.
Always transmit Memory related size and offset as 64 bits.
Test: CTS, native binder tests, sanity
Bug: 117556990
Change-Id: Icaabf7442f561a53941f9ebebe4029ddc533b0c2
Fixes -Wzero-as-null-pointer-constant warning.
clang-tidy -checks=modernize-use-nullptr -p compile_commands.json -fix
...
Test: m
Bug: 68236239
Change-Id: I3181bc5683796423a98b0f9b94daf30880c07bdc
- cutils/log.h treat as deprecated and lead by example
- coding standard for header order
- include headers that are side effect of others.
Test: compile
Bug: 34250038
Change-Id: I8d99b24c333578c9b5aa9f2a01324bd0bba268dd
Test: compile
Bug: 26552300
Bug: 31289077
Change-Id: I84d0ffa430df3beca0dcc6ed205ce220d7be1f87
- cutils/log.h treat as deprecated and lead by example
- android/log.h to be used instead of log/log.h if possible
- add system includes that are assumed as side effects
- define LOG_TAG first
Test: compile
Bug: 31289077
Bug: 30465923
Change-Id: I8d99b24c333578c9b5aa9f2a01324bd0bba268dd
Test: build
Change-Id: Id1c6d3d9dd158fb086b0d8ab74f7838ef0a51af1
- cutils/log.h treat as deprecated and lead by example
- android/log.h to be used instead of log/log.h if required
- add system includes that are assumed as side effects of log.h
- modules that use SLOG should use SLOG for all logging (installd)
- define LOG_TAG first
- remove logging infrastructure if not used
Test: build
Bug: 31289077
Change-Id: Iea147a0104c7ab7f12451304131d6500f42141e7
Replace calls to dup() with fcntl(F_DUPFD_CLOEXEC). The only difference
between the two is that O_CLOEXEC is set on the newly duped file
descriptor. This helps address file descriptor leaks crossing an exec()
boundary in multi-threaded processes, and potentially fixes the following
non-reproducible SELinux denials which may be occurring because of FD
leakage from netd to clatd/dnsmasq.
avc: denied { use } for comm="clatd" path="socket:[860297]" dev="sockfs"
ino=860297 scontext=u:r:clatd:s0 tcontext=u:r:untrusted_app:s0:c512,c768
tclass=fd permissive=0
avc: denied { read write } for comm="clatd" path="socket:[1414454]"
dev="sockfs" ino=1414454 scontext=u:r:clatd:s0
tcontext=u:r:system_server:s0 tclass=tcp_socket permissive=0
avc: denied { use } for comm="clatd" path="socket:[681600]" dev="sockfs"
ino=681600 scontext=u:r:clatd:s0 tcontext=u:r:priv_app:s0:c512,c768
tclass=fd permissive=0
Test: Device boots and no obvious problems
Change-Id: I9dcd9911a093f329c6f12e39d2c49ef3df651ae5
Change-Id: I5d3befd075e51614e6801115388a0a9f32fbb6ea
See https://android-git.corp.google.com/g/#/c/157220
Bug: 5449033
Change-Id: Ic9c19d30693bd56755f55906127cd6bd7126096c
See https://android-git.corp.google.com/g/156016
Bug: 5449033
Change-Id: I4c4e33bb9df3e39e11cd985e193e6fbab4635298
The offset that is used in the creation of the MemoryHeapBase must be saved, so
that it can be used to recreate the Heap when an IMemory object is passed
across process boundary through the binder.
Change-Id: Ie618fb5c0718e6711f55ed9235616fd801e648dc
Signed-off-by: Anu Sundararajan <sanuradha@ti.com>
Signed-off-by: Iliyan Malchev <malchev@google.com>
HAVE_ANDROID_OS was defined as "1" for targets, but never defined as "0"
for non-targets. Changing them to #ifdef should be safe and matches
all the other uses of HAVE_ANDROID_OS throughout the system.
Change-Id: I82257325a8ae5e4e4371ddfc4dbf51cea8ea0abb
The NO_CACHING flag translates to opening a memory region with O_SYNC.
Signed-off-by: Iliyan Malchev <malchev@google.com>