Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / packages / modules / DnsResolver / f5573fdec8dd6bedac5e52b3dfadb309434730cd^! / . / Android.bp
commitf5573fdec8dd6bedac5e52b3dfadb309434730cd[log] [tgz]
authorKen Chen <cken@google.com>Tue Jan 14 01:51:05 2020 +0800
committerKen Chen <cken@google.com>Sun Jan 19 10:34:04 2020 +0000
tree261165427317a2fb8dd267561e5f7cded0b1d550
parent0452b8cf515b25e76321ba0ca337fafbc58b5506 [diff] [blame]
Enable CFI (Control Flow Integrity)

Enable Control Flow Integrity in DNS resolver

There is no significant difference in PSS (Proportional Set Size) between
non-CFI and CFI binaries. Th performance overhead is also negligible
according to [1][2].

non-CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1556 kB | 1528 kB | 1592 kB | 1559 kB |
| RssFile   | 4792 kB | 4872 kB | 4648 kB | 4771 kB |
| RssShmem  | 176 kB  | 176 kB  | 172 kB  | 175 kB  |
| Total PSS | 4381 kB | 4386 kB | 4437 kB | 4401 kB |
+-----------+---------+---------+---------+---------+

CFI (netd + DNS resolver):
+-----------+---------+---------+---------+---------+
|           | round#1 | round#2 | round#3 |   Avg   |
+-----------+---------+---------+---------+---------+
| RssAnon   | 1604 kB | 1608 kB | 1592 kB | 1601 kB |
| RssFile   | 4528 kB | 4892 kB | 4916 kB | 4779 kB |
| RssShmem  | 176 kB  | 176 kB  | 176 kB  | 176 kB  |
| Total PSS | 3962 kB | 4523 kB | 4483 kB | 4323 kB |
+-----------+---------+---------+---------+---------+

Binary size of aarch64 (bytes)
+----------------------+---------+--------+
|                      | non-CFI |  CFI   |
+----------------------+---------+--------+
| libnetd_resolv       |  668584 | 734552 |
+----------------------+---------+--------+

[1] https://source.android.com/devices/tech/debug/cfi
[2] http://clang.llvm.org/docs/ControlFlowIntegrity.html#performance

Bug: 146408702
Test: AOSP master:
      1. patch commit to enable CFI on both netd and resolver.
      2. m
      3. flash ROM.
      4. atest under system/netd/

      Compatibility:
      1. flash Android Q ROM.
      2. patch commit enabling CFI on both netd and resolver in branch
         qt-aml-resolv-release.
      3. build com.android.resolv in branch qt-aml-resolv-release.
      4. adb install CFI enabled resolver apex into Q device (non-CFI
         netd).
      5. atest under packages/modules/DnsResolver.


Change-Id: I65ce931d57bd285e1c49c34b4231f8151380eae3

diff --git a/Android.bp b/Android.bp
index dcf2cdf..717d081 100644
--- a/Android.bp
+++ b/Android.bp

@@ -116,6 +116,12 @@
         enabled: true,
         symbol_file: "libnetd_resolv.map.txt",
     },
+    sanitize: {
+        cfi: true,
+        diag: {
+            cfi: true,
+        },
+    },
 }
 
 cc_library_static {