Is NDK Allowed to Break Security Rules for Android O?

[Andrew Esh]

I am using NDK r15 to compile native libraries for an application I am developing. The API target for the app is Android O. There are several new security restrictions being added to Android O, and my use of the NDK appears to violate one of them. Here is the page describing the new rules, specifically the Security section:

https://developer.android.com/preview/behavior-changes.html?hl=en#security-all

The rule I am concerned with is this:

"Android O applies a Secure Computing (SECCOMP) filter to all apps. The list of allowed syscalls is restricted to those exposed through bionic. Although there are several other syscalls provided for backwards compatibility, we recommend against their use."

The syscalls list in bionic is at: https://android.googlesource.com/platform/bionic/+/master/libc/SYSCALLS.TXT

The "futex" syscall is used within the NDK when Native threads are selected. Alternatively, pthreads can be selected within the NDK. I am currently using Native threads, which causes the NDK to include a syscall to "futex". The bionic allowed syscall list does not include "futex".

Should I have to select pthreads and reconfigure my library to follow the Android O security rule, or can I stay with "futex" because the NDK is using it?

Should the syscalls made by the NDK be added to the acceptable list of syscalls, in addition to the ones bionic provides?

[Glenn Kasten]

> Is NDK Allowed to Break Security Rules for Android O?

No

Regarding futex, I am surprised this is not included.  

This seems most likely a documentation error.

Can you please file a bug?  See

  https://source.android.com/source/report-bugs

[Dan Albert]

Agreed with Glenn. Not much works without futexes, so that pretty much has to be on the list. Probably a doc bug.

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+unsubscribe@googlegroups.com.
To post to this group, send email to andro...@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/9b9714e4-952a-4878-8c21-05ffb41eac50%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Andrew Esh]

On Monday, June 26, 2017 at 10:45:50 AM UTC-5, Andrew Esh wrote:

The syscalls list in bionic is at: https://android.googlesource.com/platform/bionic/+/master/libc/SYSCALLS.TXT

The "futex" syscall is used within the NDK when Native threads are selected. Alternatively, pthreads can be selected within the NDK. I am currently using Native threads, which causes the NDK to include a syscall to "futex". The bionic allowed syscall list does not include "futex".

I found  these files:

https://android.googlesource.com/platform/bionic/+/master/libc/SECCOMP_WHITELIST.TXT

https://android.googlesource.com/platform/bionic/+/master/libc/SECCOMP_BLACKLIST.TXT

The latter contains the statement "The final seccomp whitelist is SYSCALLS.TXT - SECCOMP_BLACKLIST.TXT + SECCOMP_WHITELIST.TXT".

Since the SECCOMP_WHITELIST.TXT file contains "futex", I assume it is OK for me to allow NDK to use futex under my library.