Fix support for named mmap usage on Android

Using a memfd name to annotate swiftshader_jit allocations is quite clever, but it doesn't work on Android because memfds can be shared and so writing to mappings of them promotes CoW/shared, which is classified by selinux as 'execmod' permission. Android prohibits 'execmod' permission for new app processes, because this is usually a sign the app relies on shared text relocations, which are insecure. In this case, that isn't actually happening, but we are subject to the same blanket ban :) Fortunately, Android has a longtime non-upstreamed prctl() to allow private mappings to be named as well, PR_SET_VMA_ANON_NAME. As this isn't generally available for Linux, wrap it in checks for __ANDROID__. This enables the naming without tripping the 'execmod' permission check. Bug: b/171498948 Bug: b/174801963 Change-Id: Ic4375bc4407e21ecdafb42a7cec651dc3b2ad13e Reviewed-on: https://swiftshader-review.googlesource.com/c/SwiftShader/+/52669Reviewed-by: Jason Macnak <natsu@google.com> Reviewed-by: Nicolas Capens <nicolascapens@google.com> Presubmit-Ready: Jason Macnak <natsu@google.com> Tested-by: Jason Macnak <natsu@google.com> Kokoro-Result: kokoro <noreply+kokoro@google.com> Commit-Queue: Jason Macnak <natsu@google.com>

Fix support for named mmap usage on Android
3f88826b · Alistair Delva · swiftshader-scoped@luci-project-accounts.iam.gserviceaccount.com · bb04803b · 3f88826b
Commit 3f88826b authored Feb 09, 2021 by Alistair Delva Committed by swiftshader-scoped@luci-project-accounts.iam.gserviceaccount.com Feb 17, 2021
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

ExecutableMemory.cpp src/Reactor/ExecutableMemory.cpp +22 -0

No files found.
--- a/src/Reactor/ExecutableMemory.cpp
+++ b/src/Reactor/ExecutableMemory.cpp
@@ -33,6 +33,10 @@
 #	include <unistd.h>
 #endif
+#if defined(__ANDROID__)
+#	include <sys/prctl.h>
+#endif
 #include <memory.h>
 #undef allocate
@@ -132,6 +136,7 @@ int permissionsToMmapProt(int permissions)
 #endif  // !defined(_WIN32) && !defined(__Fuchsia__)
 #if defined(__linux__) && defined(REACTOR_ANONYMOUS_MMAP_NAME)
+#	if !defined(__ANDROID__)
 // Create a file descriptor for anonymous memory with the given
 // name. Returns -1 on failure.
 // TODO: remove once libc wrapper exists.
@@ -165,6 +170,12 @@ int anonymousFd()
 	static int fd = memfd_create(MACRO_STRINGIFY(REACTOR_ANONYMOUS_MMAP_NAME), 0);
 	return fd;
 }
+#	else   // defined(__ANDROID__)
+int anonymousFd()
+{
+	return -1;
+}
+#	endif  // defined(__ANDROID__)
 // Ensure there is enough space in the "anonymous" fd for length.
 void ensureAnonFileSize(int anonFd, size_t length)
@@ -278,6 +289,17 @@ void *allocateMemoryPages(size_t bytes, int permissions, bool need_exec)
 	{
 		mapping = nullptr;
 	}
+#	if defined(__ANDROID__)
+	else
+	{
+		// On Android, prefer to use a non-standard prctl called
+		// PR_SET_VMA_ANON_NAME to set the name of a private anonymous
+		// mapping, as Android restricts EXECUTE permission on
+		// CoW/shared anonymous mappings with sepolicy neverallows.
+		prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, mapping, length,
+		      MACRO_STRINGIFY(REACTOR_ANONYMOUS_MMAP_NAME));
+	}
+#	endif  // __ANDROID__
 #elif defined(__Fuchsia__)
 	zx_handle_t vmo;
 	if(zx_vmo_create(length, 0, &vmo) != ZX_OK)