commit | f5573fdec8dd6bedac5e52b3dfadb309434730cd | |
---|---|---|
author | Ken Chen <cken@google.com> | Tue Jan 14 01:51:05 2020 +0800 |
committer | Ken Chen <cken@google.com> | Sun Jan 19 10:34:04 2020 +0000 |
tree | 261165427317a2fb8dd267561e5f7cded0b1d550 | |
parent | 0452b8cf515b25e76321ba0ca337fafbc58b5506 | |

Enable CFI (Control Flow Integrity)

Enable Control Flow Integrity in DNS resolver

There is no significant difference in PSS (Proportional Set Size)
between non-CFI and CFI binaries. The performance overhead is also
negligible according to [1][2].

non-CFI (netd + DNS resolver):

    +-----------+---------+---------+---------+---------+
    |           | round#1 | round#2 | round#3 | Avg     |
    +-----------+---------+---------+---------+---------+
    | RssAnon   | 1556 kB | 1528 kB | 1592 kB | 1559 kB |
    | RssFile   | 4792 kB | 4872 kB | 4648 kB | 4771 kB |
    | RssShmem  | 176 kB  | 176 kB  | 172 kB  | 175 kB  |
    | Total PSS | 4381 kB | 4386 kB | 4437 kB | 4401 kB |
    +-----------+---------+---------+---------+---------+

CFI (netd + DNS resolver):

    +-----------+---------+---------+---------+---------+
    |           | round#1 | round#2 | round#3 | Avg     |
    +-----------+---------+---------+---------+---------+
    | RssAnon   | 1604 kB | 1608 kB | 1592 kB | 1601 kB |
    | RssFile   | 4528 kB | 4892 kB | 4916 kB | 4779 kB |
    | RssShmem  | 176 kB  | 176 kB  | 176 kB  | 176 kB  |
    | Total PSS | 3962 kB | 4523 kB | 4483 kB | 4323 kB |
    +-----------+---------+---------+---------+---------+

Binary size of aarch64 (bytes)

    +----------------------+---------+--------+
    |                      | non-CFI | CFI    |
    +----------------------+---------+--------+
    | libnetd_resolv       | 668584  | 734552 |
    +----------------------+---------+--------+

[1] https://source.android.com/devices/tech/debug/cfi
[2] http://clang.llvm.org/docs/ControlFlowIntegrity.html#performance

Bug: 146408702
Test:
    AOSP master:
    1. patch commit to enable CFI on both netd and resolver.
    2. m
    3. flash ROM.
    4. atest under system/netd/

    Compatibility:
    1. flash Android Q ROM.
    2. patch commit enabling CFI on both netd and resolver in
       branch qt-aml-resolv-release.
    3. build com.android.resolv in branch qt-aml-resolv-release.
    4. adb install CFI enabled resolver apex into Q device (non-CFI netd).
    5. atest under packages/modules/DnsResolver.

Change-Id: I65ce931d57bd285e1c49c34b4231f8151380eae3

This code uses LOG(X) for logging. Log levels are VERBOSE, DEBUG, INFO, WARNING and ERROR. The default setting is WARNING, and logs related to WARNING and ERROR will be shown. If you want to enable the DEBUG level logs, use the following command:

    adb shell service call dnsresolver 10 i32 1

The log levels map to the following values:

    VERBOSE 0
    DEBUG   1
    INFO    2
    WARNING 3
    ERROR   4

Verbose resolver logs could contain PII -- do NOT enable in production builds.