Can't execute C "system" command on Android 8 Oreo

Discussion:

Amiad Salton

2018-01-07 13:09:34 UTC

.In our Android Service application, we use JNI to invoke C++ code of a
shared library. In this code, we invoke C "system" command to execute
antoher process. This code has worked perfectly on all Android OS and now
it fails on Android 8 Oreo

?Is there any new security or other restriction the prevent to execute
system commands

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+***@googlegroups.com.
To post to this group, send email to android-***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/9b389fcb-9c81-4c58-b547-1ff04ed962f0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Paulo Pinto

2018-02-08 22:14:36 UTC

Permalink

I guess you missed the security improvements on Oreo.

https://android-developers.googleblog.com/2017/12/double-stuffed-security-in-android-oreo.html

https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html

system() is not part of the allowed functions.

https://android.googlesource.com/platform/bionic/+/master/libc/SYSCALLS.TXT

Post by Amiad Salton
.In our Android Service application, we use JNI to invoke C++ code of a
shared library. In this code, we invoke C "system" command to execute
antoher process. This code has worked perfectly on all Android OS and now
it fails on Android 8 Oreo
?Is there any new security or other restriction the prevent to execute
system commands

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+***@googlegroups.com.
To post to this group, send email to android-***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/098ec17d-6772-40b5-b323-671a7680619b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

'Ryan Prichard' via android-ndk

2018-02-09 22:16:48 UTC

Permalink

An app running on O should be able to invoke system().

system() isn't a system call. It's a libc function that uses other system
calls (looks like vfork and execve).

libc/SYSCALLS.TXT is an input to gensyscalls.py, which auto-generates libc
system call wrapper functions. execve is listed in that file, but vfork is
custom assembly.

https://android.googlesource.com/platform/bionic/+/master/libc/upstream-openbsd/lib/libc/stdlib/system.c
https://android.googlesource.com/platform/bionic/+/master/libc/arch-arm/bionic/vfork.S
https://android.googlesource.com/platform/bionic/+/master/libc/arch-arm/syscalls/execve.S

vfork(), execve(), and system() are all exposed by libc.so:

https://android.googlesource.com/platform/bionic/+/master/libc/libc.map.txt

-Ryan

Post by Paulo Pinto
I guess you missed the security improvements on Oreo.
https://android-developers.googleblog.com/2017/12/double-
stuffed-security-in-android-oreo.html
https://android-developers.googleblog.com/2017/07/
seccomp-filter-in-android-o.html
system() is not part of the allowed functions.
https://android.googlesource.com/platform/bionic/+/master/
libc/SYSCALLS.TXT

You received this message because you are subscribed to the Google Groups
"android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/
msgid/android-ndk/098ec17d-6772-40b5-b323-671a7680619b%40googlegroups.com
<https://groups.google.com/d/msgid/android-ndk/098ec17d-6772-40b5-b323-671a7680619b%40googlegroups.com?utm_medium=email&utm_source=footer>
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+***@googlegroups.com.
To post to this group, send email to android-***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/CALgsJzm_8QB7zHm1mZAQB%3DMJvpQg3c-xaJgz9X9iMHJ%2Bo5Z2vw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.