Gitiles
Code Review Sign In
review.blissroms.org / platform_system_netd / 2e413c3fe2fc48b70bebab951070dc3db203587d
commit2e413c3fe2fc48b70bebab951070dc3db203587d[log] [tgz]
authorKen Chen <cken@google.com>Mon Jan 13 11:59:53 2020 +0800
committerBernie Innocenti <codewiz@google.com>Tue Jan 21 14:04:18 2020 +0000
treeb6fb289da4d49e9774324aad4185499bfbc5c4da
parent7e1ee774e981a34832a44d6911b6fb5f61f4c901 [diff]
Enable CFI (Control Flow Integrity)

Enable Control Flow Integrity to protect netd. The enabled binaries and
shared libraries include:
- netd
- libnetd_client
- libnetdbpf
- libnetdutils
- netutils-wrapper-1.0
- ndc

No need to specifically enable it in static libraries like
libnetd_server, which are inherently protected by library caller who
enable CFI.

There is no significant difference in PSS (Proportional Set Size) between
non-CFI and CFI binaries. The performance overhead is also negligible
according to [1][2].

non-CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1556 kB | 1528 kB | 1592 kB | 1559 kB |
| RssFile   | 4792 kB | 4872 kB | 4648 kB | 4771 kB |
| RssShmem  | 176 kB  | 176 kB  | 172 kB  | 175 kB  |
| Total PSS | 4381 kB | 4386 kB | 4437 kB | 4401 kB |
+-----------+---------+---------+---------+---------+

CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1604 kB | 1608 kB | 1592 kB | 1601 kB |
| RssFile   | 4528 kB | 4892 kB | 4916 kB | 4779 kB |
| RssShmem  | 176 kB  | 176 kB  | 176 kB  | 176 kB  |
| Total PSS | 3962 kB | 4523 kB | 4483 kB | 4323 kB |
+-----------+---------+---------+---------+---------+

Binary size of aarch64 (bytes)
+----------------------+---------+--------+
|                      | non-CFI |  CFI   |
+----------------------+---------+--------+
| netd                 |  563528 | 643248 |
| libnetd_client       |   20192 |  20192 |
| libnetdbpf           |   42296 |  42296 |
| libnetdutils         |   76608 |  76608 |
| netutils-wrapper-1.0 |   60128 |  70144 |
| ndc                  |   55624 |  78352 |
+----------------------+---------+--------+

[1] https://source.android.com/devices/tech/debug/cfi
[2] http://clang.llvm.org/docs/ControlFlowIntegrity.html#performance

Bug: 146408702
Test: AOSP master:
      1. patch commit to enable CFI on both netd and resolver.
      2. m
      3. flash ROM.
      4. atest under system/netd/, all pass.

      Compatibility:
      1. flash Android Q ROM.
      2. patch commit enabling CFI on both netd and resolver in branch
         qt-aml-resolv-release.
      3. build com.android.resolv in branch qt-aml-resolv-release.
      4. adb install CFI enabled resolver apex into Q device (non-CFI
         netd).
      5. atest under packages/modules/DnsResolver.

Change-Id: I56b6aed2398b7326df274d691bbd861dbef4fdf6
5 files changed
tree: b6fb289da4d49e9774324aad4185499bfbc5c4da
  1. bpf_progs/
  2. client/
  3. include/
  4. libnetdbpf/
  5. libnetdutils/
  6. netutils_wrappers/
  7. server/
  8. tests/
  9. .clang-format ⇨ ../../build/soong/scripts/system-clang-format
  10. .editorconfig
  11. Android.bp
  12. MODULE_LICENSE_APACHE2
  13. NOTICE
  14. OWNERS
  15. PREUPLOAD.cfg
  16. TEST_MAPPING