<feed xmlns='http://www.w3.org/2005/Atom'>
<title>platform_system_netd/libnetdutils/Android.bp, branch master</title>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/'/>
<entry>
<title>[LSC] Add LOCAL_LICENSE_KINDS to system/netd</title>
<updated>2021-02-12T23:38:42+00:00</updated>
<author>
<name>Bob Badour</name>
<email>bbadour@google.com</email>
</author>
<published>2021-02-12T23:38:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=4114d1a05073315df2e012429585fc45f1de3384'/>
<id>4114d1a05073315df2e012429585fc45f1de3384</id>
<content type='text'>
Added SPDX-license-identifier-Apache-2.0 to:
  Android.bp
  bpf_progs/Android.bp
  client/Android.bp
  libnetdbpf/Android.bp
  libnetdutils/Android.bp
  netutils_wrappers/Android.bp
  server/Android.bp
  tests/Android.bp
  tests/benchmarks/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: Ie250cbab6e287585b945160cba4c2a764778ebc4
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Added SPDX-license-identifier-Apache-2.0 to:
  Android.bp
  bpf_progs/Android.bp
  client/Android.bp
  libnetdbpf/Android.bp
  libnetdutils/Android.bp
  netutils_wrappers/Android.bp
  server/Android.bp
  tests/Android.bp
  tests/benchmarks/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: Ie250cbab6e287585b945160cba4c2a764778ebc4
</pre>
</div>
</content>
</entry>
<entry>
<title>Move OperationLimiter to DnsResolver</title>
<updated>2020-11-27T11:59:03+00:00</updated>
<author>
<name>Bernie Innocenti</name>
<email>codewiz@google.com</email>
</author>
<published>2020-11-27T11:59:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=86a755f647562f203bd27b8771aa05bc91ce3f77'/>
<id>86a755f647562f203bd27b8771aa05bc91ce3f77</id>
<content type='text'>
OperationLimiter logically belongs with its only customer, DnsResolver.

I added OperationLimiter to libnetdutils for code sharing, but it turns
out netd doesn't have any need for this because it doesn't include other
threaded servers.

Change-Id: If8de486c53875a17440f368e53dd7ad2af1e5e57
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
OperationLimiter logically belongs with its only customer, DnsResolver.

I added OperationLimiter to libnetdutils for code sharing, but it turns
out netd doesn't have any need for this because it doesn't include other
threaded servers.

Change-Id: If8de486c53875a17440f368e53dd7ad2af1e5e57
</pre>
</div>
</content>
</entry>
<entry>
<title>Set min_sdk_version to be part of mainline modules</title>
<updated>2020-05-01T17:09:52+00:00</updated>
<author>
<name>Jooyung Han</name>
<email>jooyung@google.com</email>
</author>
<published>2020-04-16T09:48:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=3c2225517c4cc33d8016ce286d0c04374feb6f74'/>
<id>3c2225517c4cc33d8016ce286d0c04374feb6f74</id>
<content type='text'>
Modules contributing mainline modules (APK/APEX) should set
min_sdk_version as well as apex_available.

For now setting min_sdk_version doesn't change build outputs.
But build-time checks will be added soon.

Bug: 152655956
Test: m
Change-Id: I92c78b0930a14f2f5830d6f0873996c17d4ee44b
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Modules contributing mainline modules (APK/APEX) should set
min_sdk_version as well as apex_available.

For now setting min_sdk_version doesn't change build outputs.
But build-time checks will be added soon.

Bug: 152655956
Test: m
Change-Id: I92c78b0930a14f2f5830d6f0873996c17d4ee44b
</pre>
</div>
</content>
</entry>
<entry>
<title>Set apex_available property</title>
<updated>2020-04-08T14:40:11+00:00</updated>
<author>
<name>Jiyong Park</name>
<email>jiyong@google.com</email>
</author>
<published>2020-04-08T14:40:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=3144db91ba989f6744eba50e8897009a02bb26e3'/>
<id>3144db91ba989f6744eba50e8897009a02bb26e3</id>
<content type='text'>
The marked library(ies) were available to the APEXes via the
hand-written whitelist in build/soong/apex/apex.go. Trying to remove the
whitelist by adding apex_available property to the Android.bp of the
libraries.

Bug: 150999716
Test: m
Change-Id: I274feb4542624b348999e7c5f189f8606c6cd63d
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The marked library(ies) were available to the APEXes via the
hand-written whitelist in build/soong/apex/apex.go. Trying to remove the
whitelist by adding apex_available property to the Android.bp of the
libraries.

Bug: 150999716
Test: m
Change-Id: I274feb4542624b348999e7c5f189f8606c6cd63d
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove CFI diagnostics mode</title>
<updated>2020-03-12T05:19:51+00:00</updated>
<author>
<name>Ken Chen</name>
<email>cken@google.com</email>
</author>
<published>2020-03-12T02:05:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=53b155d5d7113aebaab7172668e8e044210d8f3b'/>
<id>53b155d5d7113aebaab7172668e8e044210d8f3b</id>
<content type='text'>
CFI diagnostics should be disabled since it introduces additional
overhead/complexity, and the diagnostics libraries haven't been analyzed
from a security perspective since they were primarily meant for testing.
The CFI will still work.

Bug: 146408702
Bug: 149427927
Change-Id: I4afb84fc9d64439f6660c44343abefa62f9fedf4
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
CFI diagnostics should be disabled since it introduces additional
overhead/complexity, and the diagnostics libraries haven't been analyzed
from a security perspective since they were primarily meant for testing.
The CFI will still work.

Bug: 146408702
Bug: 149427927
Change-Id: I4afb84fc9d64439f6660c44343abefa62f9fedf4
</pre>
</div>
</content>
</entry>
<entry>
<title>Enable CFI (Control Flow Integrity)</title>
<updated>2020-01-21T14:04:18+00:00</updated>
<author>
<name>Ken Chen</name>
<email>cken@google.com</email>
</author>
<published>2020-01-13T03:59:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=2e413c3fe2fc48b70bebab951070dc3db203587d'/>
<id>2e413c3fe2fc48b70bebab951070dc3db203587d</id>
<content type='text'>
Enable Control Flow Integrity to protect netd. The enabled binaries and
shared libraries include:
- netd
- libnetd_client
- libnetdbpf
- libnetdutils
- netutils-wrapper-1.0
- ndc

No need to specifically enable it in static libraries like
libnetd_server, which are inherently protected by the library callers
who enable CFI.

There is no significant difference in PSS (Proportional Set Size) between
non-CFI and CFI binaries. The performance overhead is also negligible
according to [1][2].

non-CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1556 kB | 1528 kB | 1592 kB | 1559 kB |
| RssFile   | 4792 kB | 4872 kB | 4648 kB | 4771 kB |
| RssShmem  | 176 kB  | 176 kB  | 172 kB  | 175 kB  |
| Total PSS | 4381 kB | 4386 kB | 4437 kB | 4401 kB |
+-----------+---------+---------+---------+---------+

CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1604 kB | 1608 kB | 1592 kB | 1601 kB |
| RssFile   | 4528 kB | 4892 kB | 4916 kB | 4779 kB |
| RssShmem  | 176 kB  | 176 kB  | 176 kB  | 176 kB  |
| Total PSS | 3962 kB | 4523 kB | 4483 kB | 4323 kB |
+-----------+---------+---------+---------+---------+

Binary size of aarch64 (bytes)
+----------------------+---------+--------+
|                      | non-CFI |  CFI   |
+----------------------+---------+--------+
| netd                 |  563528 | 643248 |
| libnetd_client       |   20192 |  20192 |
| libnetdbpf           |   42296 |  42296 |
| libnetdutils         |   76608 |  76608 |
| netutils-wrapper-1.0 |   60128 |  70144 |
| ndc                  |   55624 |  78352 |
+----------------------+---------+--------+

[1] https://source.android.com/devices/tech/debug/cfi
[2] http://clang.llvm.org/docs/ControlFlowIntegrity.html#performance

Bug: 146408702
Test: AOSP master:
      1. patch commit to enable CFI on both netd and resolver.
      2. m
      3. flash ROM.
      4. atest under system/netd/, all pass.

      Compatibility:
      1. flash Android Q ROM.
      2. patch commit enabling CFI on both netd and resolver in branch
         qt-aml-resolv-release.
      3. build com.android.resolv in branch qt-aml-resolv-release.
      4. adb install CFI enabled resolver apex into Q device (non-CFI
         netd).
      5. atest under packages/modules/DnsResolver.

Change-Id: I56b6aed2398b7326df274d691bbd861dbef4fdf6
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Enable Control Flow Integrity to protect netd. The enabled binaries and
shared libraries include:
- netd
- libnetd_client
- libnetdbpf
- libnetdutils
- netutils-wrapper-1.0
- ndc

No need to specifically enable it in static libraries like
libnetd_server, which are inherently protected by the library callers
who enable CFI.

There is no significant difference in PSS (Proportional Set Size) between
non-CFI and CFI binaries. The performance overhead is also negligible
according to [1][2].

non-CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1556 kB | 1528 kB | 1592 kB | 1559 kB |
| RssFile   | 4792 kB | 4872 kB | 4648 kB | 4771 kB |
| RssShmem  | 176 kB  | 176 kB  | 172 kB  | 175 kB  |
| Total PSS | 4381 kB | 4386 kB | 4437 kB | 4401 kB |
+-----------+---------+---------+---------+---------+

CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1604 kB | 1608 kB | 1592 kB | 1601 kB |
| RssFile   | 4528 kB | 4892 kB | 4916 kB | 4779 kB |
| RssShmem  | 176 kB  | 176 kB  | 176 kB  | 176 kB  |
| Total PSS | 3962 kB | 4523 kB | 4483 kB | 4323 kB |
+-----------+---------+---------+---------+---------+

Binary size of aarch64 (bytes)
+----------------------+---------+--------+
|                      | non-CFI |  CFI   |
+----------------------+---------+--------+
| netd                 |  563528 | 643248 |
| libnetd_client       |   20192 |  20192 |
| libnetdbpf           |   42296 |  42296 |
| libnetdutils         |   76608 |  76608 |
| netutils-wrapper-1.0 |   60128 |  70144 |
| ndc                  |   55624 |  78352 |
+----------------------+---------+--------+

[1] https://source.android.com/devices/tech/debug/cfi
[2] http://clang.llvm.org/docs/ControlFlowIntegrity.html#performance

Bug: 146408702
Test: AOSP master:
      1. patch commit to enable CFI on both netd and resolver.
      2. m
      3. flash ROM.
      4. atest under system/netd/, all pass.

      Compatibility:
      1. flash Android Q ROM.
      2. patch commit enabling CFI on both netd and resolver in branch
         qt-aml-resolv-release.
      3. build com.android.resolv in branch qt-aml-resolv-release.
      4. adb install CFI enabled resolver apex into Q device (non-CFI
         netd).
      5. atest under packages/modules/DnsResolver.

Change-Id: I56b6aed2398b7326df274d691bbd861dbef4fdf6
</pre>
</div>
</content>
</entry>
<entry>
<title>Move thread_util to libnetdutils</title>
<updated>2019-04-02T12:49:45+00:00</updated>
<author>
<name>Mike Yu</name>
<email>yumike@google.com</email>
</author>
<published>2019-03-14T07:14:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=c6d4c6b0e2cc0be1299e7b5f1d6c59fec69de423'/>
<id>c6d4c6b0e2cc0be1299e7b5f1d6c59fec69de423</id>
<content type='text'>
This change comprises:

[1] Move thread_util.h to libnetdutils to ease the cleanup of the
    include path system/netd/server for libnetd_resolv.

[2] Rename thread_util.h to ThreadUtil.h.

[3] Add the test to ThreadUtilTest.

Bug: 128662167
Test: system/netd/tests/runtests.sh passed
Change-Id: Ia8e9b196fbe41a4bd1edc7592badaacf57165988
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This change comprises:

[1] Move thread_util.h to libnetdutils to ease the cleanup of the
    include path system/netd/server for libnetd_resolv.

[2] Rename thread_util.h to ThreadUtil.h.

[3] Add the test to ThreadUtilTest.

Bug: 128662167
Test: system/netd/tests/runtests.sh passed
Change-Id: Ia8e9b196fbe41a4bd1edc7592badaacf57165988
</pre>
</div>
</content>
</entry>
<entry>
<title>Move DumpWriter to libnetdutils</title>
<updated>2019-03-15T05:39:32+00:00</updated>
<author>
<name>Luke Huang</name>
<email>huangluke@google.com</email>
</author>
<published>2019-03-14T13:19:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=b257d61cd55c00a50d1eaaf4e7fcf436185c9a2c'/>
<id>b257d61cd55c00a50d1eaaf4e7fcf436185c9a2c</id>
<content type='text'>
resolver related component in libnetd_resolv
needs it to easily print dump log.

Bug: 122564854
Test: built, flashed, booted
      system/netd/tests/runtests.sh pass
      adb shell dumpsys netd, worked fine

Change-Id: Ic97d5f21b738fc3074e9308f4846191e744ed479
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
resolver related component in libnetd_resolv
needs it to easily print dump log.

Bug: 122564854
Test: built, flashed, booted
      system/netd/tests/runtests.sh pass
      adb shell dumpsys netd, worked fine

Change-Id: Ic97d5f21b738fc3074e9308f4846191e744ed479
</pre>
</div>
</content>
</entry>
<entry>
<title>libnetdutils: Remove dependency on libbinder</title>
<updated>2018-10-18T13:11:24+00:00</updated>
<author>
<name>Bernie Innocenti</name>
<email>codewiz@google.com</email>
</author>
<published>2018-10-16T10:17:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=97f388fdba793fdd2002df32f3bae1198064312f'/>
<id>97f388fdba793fdd2002df32f3bae1198064312f</id>
<content type='text'>
Turns out asBinderStatus() is presently used only in NetdNativeService,
so we can just move it there. This lets us drop the dependency on
libbinder.

Test: atest libnetdutils netd_unit_test
Change-Id: If24a14b881326ec74880ea411973d0acc6ef5ff1
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Turns out asBinderStatus() is presently used only in NetdNativeService,
so we can just move it there. This lets us drop the dependency on
libbinder.

Test: atest libnetdutils netd_unit_test
Change-Id: If24a14b881326ec74880ea411973d0acc6ef5ff1
</pre>
</div>
</content>
</entry>
<entry>
<title>Do DNS64 prefix discovery in netd</title>
<updated>2018-09-09T06:17:38+00:00</updated>
<author>
<name>Erik Kline</name>
<email>ek@google.com</email>
</author>
<published>2018-05-11T10:33:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.replicant.us/mirrors/AOSP/platform_system_netd/commit/?id=d26a2c2b132e3644f745b64ca3807ac99d47053d'/>
<id>d26a2c2b132e3644f745b64ca3807ac99d47053d</id>
<content type='text'>
Test: as follows
    - built, flashed, booted
    - system/netd/tests/runtests.sh passes
    - dumpsys netd observes DNS64 discovery output
Bug: 78545619
Change-Id: I447c35229b07e8077546a03489d36e7be9d969a3
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Test: as follows
    - built, flashed, booted
    - system/netd/tests/runtests.sh passes
    - dumpsys netd observes DNS64 discovery output
Bug: 78545619
Change-Id: I447c35229b07e8077546a03489d36e7be9d969a3
</pre>
</div>
</content>
</entry>
</feed>
