Build android binaries with PIE support

[bhush9]

So that one don't have to patch bionic,

diff --git a/linker/linker.cpp b/linker/linker.cpp
index 54867dc..55ca67a 100644
--- a/linker/linker.cpp
+++ b/linker/linker.cpp
@@ -2401,11 +2401,11 @@ static ElfW(Addr) __linker_init_post_relocation(KernelArgumentBlock& args, ElfW(
   si->dynamic = nullptr;
   si->ref_count = 1;

-  ElfW(Ehdr)* elf_hdr = reinterpret_cast<ElfW(Ehdr)*>(si->base);
-  if (elf_hdr->e_type != ET_DYN) {
-    __libc_format_fd(2, "error: only position independent executables (PIE) are supported.\n");
-    exit(EXIT_FAILURE);
-  }
+  //ElfW(Ehdr)* elf_hdr = reinterpret_cast<ElfW(Ehdr)*>(si->base);
+  //if (elf_hdr->e_type != ET_DYN) {
+  //  __libc_format_fd(2, "error: only position independent executables (PIE) are supported.\n");
+  //  exit(EXIT_FAILURE);
+  //}

   // Use LD_LIBRARY_PATH and LD_PRELOAD (but only if we aren't setuid/setgid).
   parse_LD_LIBRARY_PATH(ldpath_env);

[Samt43]

Very interested by this too !
I tried to run lxc on android 6, and patching bionic and recompiling the whole aosp ROM was a pain !

[stgraber]

A patch against the lxc-ci branch to tweak the Android build to use PIE would be appreciated.
LXC is built with PIE enabled on most Linux distributions so there shouldn't be any change needed in the upstream code for it.

[shvelo]

Any updates on this?

[stgraber]

Nobody appears to be interested in providing a patch or a branch for this, so no.

[shvelo]

I want to do this but I have absolutely no idea how LXC build system works
On Jul 9, 2016 02:18, "Stéphane Graber" [email protected] wrote:

Nobody appears to be interested in providing a patch or a branch for this,
so no.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#7 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/ABB93jIW3WSD1TyWrRbHzONuAVJ0Gu3uks5qTsyrgaJpZM4IYn2B
.

[Samt43]

I worked on this, and i could have a arm 32 bit lxc with PIE support enabled.

I couldn't do it by just modifying LXC-CI, so i modified LXC build system to do so.
Here is my commit on lxc for this : Samt43/lxc@ca674ac.

I don't know if my change can be included directly in lxc (because maybe there is a better way to do so).
But it's working on android 6.0 with this change (compiling using a local LXC-CI) !.

You can find arm 32 binaries with PIE support on this thread (second post) :
http://forum.xda-developers.com/pixel-c/orig-development/linux-pixel-c-running-ubuntu-xenial-lxc-t3410655

Hope it will help everyone :)

[stgraber]

Does something like http://paste.ubuntu.com/18897690/ and passing --enable-hardening work?

[binkybear]

If you use an NDK with a later API (instead of 9 in build script) it comes with PIE support by default. I believe it's API's after 10.

[stgraber]

I'd be fine moving to kitkat and higher, so that'd be API level 19. Can you send a branch to change it?

[binkybear]

Hi @stgraber ,

I tried modifying build-android for use with NDK build script and I wasn't able to get it to play nice. I'm not sure if it was just me but the sysroot didn't work with NDK. I did end up building it manually using a toolchain and testing it on the Nexus 5 (binaries ran):

https://gist.github.com/binkybear/18dab6ef15bfb8052f15c12c6b7777f3

[stgraber]

I just bumped our builds to use API level 21 and we've fixed the one build issue in the way.

There's a build in progress right now on Jenkins which will hopefully succeed and give you binaries that hopefully have PIE enabled.

[bhush9]

Thanks @stgraber

[stgraber]

There we go: https://jenkins.linuxcontainers.org/view/All/job/lxc-build-android/lastSuccessfulBuild/

[stgraber]

I'm assuming that this bug has been resolved now. If this still doesn't work on recent Android we'll look into whatever bits are missing.

[binkybear]

Tried the latest build and it only contains /data. It's missing system libs and binaries.

[bhush9]

Officially lxc provides binary and all only in /data.. see /data/lxc/lxc/

[binkybear]

@bhush9 - Thanks for clearing that up. I assumed from the build script it copied over some of the files to system.

I just gave it a run on marshmallow:

root@hammerhead:/data/lxc/lxc/bin # ./lxc-info
error: only position independent executables (PIE) are supported.
1|root@hammerhead:/data/lxc/lxc/bin # ./lxc-start
error: only position independent executables (PIE) are supported.
1|root@hammerhead:/data/lxc/lxc/bin # md5sum lxc-info                          
154254d9b354d9f207c345547cc48db0  lxc-info

[bhush9]

Hmm. right so.. build still have non PIE executable.. it seems?

[eMPee584]

still built without -fPIE ... WHY 😱

[droserasprout]

Getting the same error with LineageOS 14.1 (Android 7.1.1, kernel 3.18.31) on gemini.

[Samt43]

Yes, whatever the NDK used, the only solution is to fix the makefile (as i did in my previous comment)
With this, you will have an lxc version with PIE enabled :)

[droserasprout]

Oh, I see now. Wondering why It isn't default configuration, there's no much pre-lollipop devices on the market now.

[stgraber]

With the pkg-config change we merged a while back, it should be possible to convince the configure script to enable PIE without it breaking half the build.

[denysvitali]

Is there an update on this? The builds are still performed without PIE

[codekatana]

Hi, upstream android builds are not compiling with -fPIE, the issue is still present. I will try to fix it at configure.ac file as a "--enable-android-pie" and give a pull request. Stephane, that sounds good?