ndk-gdb/gdbserver hits SELinux error reading /proc/stat

[rprichard]

Split off from #447

gdbserver calls sysconf(_SC_NPROCESSORS_ONLN) to get the number of cores, and because gdbserver is statically linked against an old libc, sysconf tries to get this information by reading /proc/stat, which fails due to an SELinux setting (https://issuetracker.google.com/issues/37140047).

11-16 08:05:40.507  3542  3542 W arm64-gdbserver: type=1400 audit(0.0:779): avc: denied { read } for name="stat" dev="proc" ino=4026531984 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0

AFAICT, the only effect is that info os processes information is wrong. gdbserver only reports whether each process is associated with core 0. It ignores other cores, because it thinks there aren't any.

info os processes shows this:

BAD:

(gdb) info os processes
pid        user       command    cores      
...
2432       u0_a45     com.android.inputmethod.latin 0          
...
3262       u0_a38     com.android.gallery3d 0          
...
3515       u0_a57     com.example.native_activity            
...

GOOD:

(gdb) info os processes
pid        user       command    cores      
...
23620      u0_a69     com.google.android.apps.plus 0,1,2,3    
26496      u0_a1      com.android.providers.calendar 0,1,2      
26532      u0_a3      android.process.acore 0,1        
26863      u0_a53     com.google.android.talk 0,1        
27062      root       [kworker/u:0] 0          
27870      u0_a11     com.google.android.partnersetup 0,1,2      
28497      root       [kworker/u:1] 2          
...

The fix for #272 might be sufficient to fix this. There was a patch for that issue a while ago, https://android-review.googlesource.com/c/platform/bionic/+/522595.

[DanAlbert]

(if this isn't in scope for r17 go ahead and punt to r18)

[rprichard]

The new libc.a is in r17, which should fix this issue. I should retest it.

Do we know of any incompatibilities between the new libc.a and older platform kernels or SELinux policies?

[DanAlbert]

Not yet. I've tested as far back as ICS on a Galaxy Nexus. There isn't much older out there. Idk what the kernel version is though.

[DanAlbert]

I've tested libc.a, I should say. Not gdbserver. I think enh ran the bionic unit tests with a current libc.a on ICS and had surprisingly good results. The things you would expect to be broken (netd and whatnot), but otherwise good. He'd emailed out the results.

[enh]

the TL;DR was "system properties, tzdb, and netd code doesn't work until L, everything else is fine".

(i classify system call wrappers for system calls your kernel doesn't have as "working", even though ENOSYS might be a disappointment.)

[rprichard]

I think this can wait until we have dependency tracking in checkbuild.py. gdbserver is currently built using a prebuilts/ndk/current/platforms/android-24/arch-* sysroot. I think we want to build most of the NDK, then use that to build gdbserver.

[DanAlbert]

SGTM

[DanAlbert]

@rprichard: checkbuild.py has dependency tracking now

[rprichard]

@hhb

I think rebuilding gdbserver with a newer libc.a would fix this. Maybe it's already fixed?

[rprichard]

Yeah, this issue looks fixed. I tested ndk-gdb on an API 16 device and an API 26 device, and ndk-gdb is using gdb 8 now. info os processes shows core information, and I didn't see any avc denials.