Discussion:
[Toybox] Android O: XARGS - bad system call
darken
2017-04-13 13:39:13 UTC
On a Pixel device running Android O, xargs doesn't seem to work.
The commands were run from a normal user (non-system app) without root.

V/Shell:Interactive: Input : SDMBOX=/data/user/0/eu.thedarken.sdm/files/toybox_sdm
Toybox build I used: https://github.com/d4rken/toybox

Just running the FIND applet works:

V/Shell:Interactive: Input : $SDMBOX find '/data/user/0/eu.thedarken.sdm/files'
V/Shell:Interactive: Output: /data/user/0/eu.thedarken.sdm/files
V/Shell:Interactive: Output: /data/user/0/eu.thedarken.sdm/files/uuid-token
V/Shell:Interactive: Output: /data/user/0/eu.thedarken.sdm/files/toybox_sdm
D/Shell:Interactive: runCommand(...): Command.Result(exitcode=0)
With XARGS it doesn't work:

V/Shell:Interactive: Input : $SDMBOX find '/data/user/0/eu.thedarken.sdm/files' -maxdepth 0 -print0 | $SDMBOX xargs -0 $SDMBOX echo
V/Shell:Interactive: Error : Bad system call
D/Shell:Interactive: runCommand(...): Command.Result(exitcode=159)
Any idea why? Or how I could find out why?

~Matthias
enh
2017-04-13 16:29:08 UTC
works fine for me with the toybox that's actually part of O. strace?
--
Elliott Hughes - http://who/enh - http://jessies.org/~enh/
Android native code/tools questions? Mail me/drop by/add me as a reviewer.
darken
2017-04-13 21:13:03 UTC
I'm not sure how to use strace, how do I get a strace binary into the
Android O image?

Can't reproduce it on the X86 Android O emulator image.
But can reproduce it on my Pixel running Android O.
Tried the latest toybox build too but it's not the build, and when running
sailfish:/data/local/tmp $ ./toybox_new find '/data/local/tmp' -maxdepth 0 -print0 | ./toybox_new xargs -0 echo
/data/local/tmp
sailfish:/data/local/tmp $ ./toybox_old find '/data/local/tmp' -maxdepth 0 -print0 | ./toybox_old xargs -0 echo
/data/local/tmp
sailfish:/data/local/tmp $ ./toybox_new --version
toybox 0.7.3-37-g04940678c81a
sailfish:/data/local/tmp $ ./toybox_old --version
toybox 0.7.2-37-g109a28b8a749
So it works as shell user, but not as app user.
But it also works if the app runs the native toybox from /system.
Is this some kind of SELinux issue?
Preventing xargs from forking processes or something like that?

Why would it work on the emulator though...
Steve Muckle
2017-04-14 22:02:46 UTC
Hi Matthias,
This sounds like it may be seccomp, a Linux kernel facility for restricting
the set of system calls a process may make. It is enforced at the zygote
level so would affect attempts from apps but presumably not the shell. It
is configured with the list of system calls in bionic (SYSCALLS.TXT) as
well as a whitelist (SECCOMP_WHITELIST.TXT):

https://android.googlesource.com/platform/bionic/+/o-preview/libc/

These lists are architecture specific. This is where seccomp was enforced
at the zygote level:

https://android.googlesource.com/platform/system/core/+/c4af05f8a3d67b9a4288a2b37c7fc16755497f6b

You could try disabling seccomp in Zygote:
https://android.googlesource.com/platform/frameworks/base/+/o-preview/core/java/com/android/internal/os/ZygoteInit.java#696

cheers,
Steve
darken
2017-04-15 11:52:36 UTC
Created an issue ticket for this on the Android O tracker:
https://issuetracker.google.com/issues/37369410

Post by Steve Muckle
You could try disabling seccomp in Zygote:
https://android.googlesource.com/platform/frameworks/base/+/o-preview/core/java/com/android/internal/os/ZygoteInit.java#696

I would have to compile my own Pixel Android O ROM for that though right?

~Matthias
darken
2017-04-16 09:36:15 UTC
FYI (but I think you CCed yourself on the issue ticket right?)

Copying the system toybox into my app makes it work.
So it seems to be related to how the system toybox is built (NDK
toolchain?) and my toybox is built (musl libc).

~Matthias
Rob Landley
2017-04-17 17:47:28 UTC
Post by darken
FYI (but I think you CCed yourself on the issue ticket right?)
Copying the system toybox into my app makes it work.
So it seems to be related to how the system toybox is built (NDK
toolchain?) and my toybox is built (musl libc).

Eh, that might just be kernel .config. There are a lot of duplicate
system calls that accumulated over the years (blah/blah64, open/openat,
mmap/mmap2...) and you can configure a bunch of them out.

Don't ask me why the 4.11.0-rc7 menuconfig's "General setup" menu has
config options for bpf, madvise/fadvise, userfaultfd, membarrier... Why
are these NOT in the "embedded system" submenu? Enabling a _system_call_
is not enabling lots of infrastructure. It's micromanaging the API. Sigh...

You can find a static armv5l strace binary (from the dawn of time) at:

http://landley.net/aboriginal/downloads/old/binaries/1.4.3/extras/strace-armv5l

I've end of lifed aboriginal linux and am working on turning
https://github.com/landley/mkroot into a replacement, but it's not there
yet. Still, old binary might work. (Haven't tried it under an android
kernel.)

I also have a todo item to turn
https://blog.nelhage.com/2010/08/write-yourself-an-strace-in-70-lines-of-code/
and some build-time header preprocessing ala
http://landley.net/notes.html#18-02-2017 into a simple strace for toybox.

It's on the todo list...

Rob
enh
2017-04-17 17:50:22 UTC
in O apps (and their children) are in a seccomp sandbox. if you use a
system call that bionic doesn't use (such as in this case, the obsolete
fork system call), you will run into things like this. the specific case of
fork was used enough in apps that the security folks added it to a
whitelist, so all O releases later than the first developer preview should
allow it.
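The failure mode described in this thread can be reproduced on a desktop with the added example below, which is not code from any poster or from Android. It assumes x86-64 Linux and uses a constructed filter that rejects only the legacy `fork` syscall (Android's real policy comes from the bionic lists linked above); `shell_status` is a hypothetical helper. A filtered process that creates a child through `clone` runs normally, while the raw `fork` syscall ends in SIGSYS, which a shell reports as 128 + 31 = 159, the exit code in the original report.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed filter (x86-64 only): kill on the legacy fork syscall, allow the rest. */
static int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_fork, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* raw fork: SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Spawn a filtered child that creates a process either with raw fork or with
 * clone(SIGCHLD); return the exit status a shell would report for that child. */
static int shell_status(int use_raw_fork) {
    pid_t pid = fork();                 /* the caller itself stays unfiltered */
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter()) _exit(99);
        long k = use_raw_fork ? syscall(SYS_fork)
                              : syscall(SYS_clone, (long)SIGCHLD, 0L, 0L, 0L, 0L);
        if (k > 0) waitpid((pid_t)k, NULL, 0);
        _exit(k < 0 ? 98 : 0);          /* grandchild (k == 0) exits 0 too */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? 128 + WTERMSIG(st) : WEXITSTATUS(st);
}

int main(void) {
    printf("clone(SIGCHLD): %d\n", shell_status(0));
    printf("raw fork:       %d\n", shell_status(1));
}
```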