1 # Android changes for NDK developers 2 3 This document details important changes related to native code 4 loading in various Android releases. 5 6 Required tools: the NDK has an _arch_-linux-android-readelf binary 7 (e.g. arm-linux-androideabi-readelf or i686-linux-android-readelf) 8 for each architecture (under toolchains/), but you can use readelf for 9 any architecture, as we will be doing basic inspection only. On Linux 10 you need to have the binutils package installed for readelf, 11 and pax-utils for scanelf. 12 13 14 ## How we manage incompatible changes 15 16 Our general practice with dynamic linker behavior changes is that they 17 will be tied to an app's target API level: 18 19 * Below the affected API level we'll preserve the old behavior or issue 20 a warning, as appropriate. 21 22 * At the affected API level and above, well refuse to load the library. 23 24 * Warnings about any behavior change that will affect a library if you 25 increase your target API level will appear in logcat when that library 26 is loaded, even if you're not yet targeting that API level. 27 28 * On a developer preview build, dynamic linker warnings will also show up 29 as toasts. Experience has shown that many developers dont habitually 30 check logcat for warnings until their app stops functioning, so the 31 toasts help bring some visibility to the issues before it's too late. 32 33 34 ## Changes to library search order 35 36 We have made various fixes to library search order when resolving symbols. 37 38 With API 22, load order switched from depth-first to breadth-first to 39 fix dlsym(3). 40 41 Before API 23, the default search order was to try the main executable, 42 LD_PRELOAD libraries, the library itself, and its DT_NEEDED libraries 43 in that order. For API 23 and later, for any given library, the dynamic 44 linker divides other libraries into the global group and the local 45 group. The global group is shared by all libraries and contains the main 46 executable, LD_PRELOAD libraries, and any library with the DF_1_GLOBAL 47 flag set (by passing -z global to ld(1)). The local group is 48 the breadth-first transitive closure of the library and its DT_NEEDED 49 libraries. The M dynamic linker searches the global group followed by 50 the local group. This allows ASAN, for example, to ensure that it can 51 intercept any symbol. 52 53 54 ## RTLD_LOCAL (Available in API level >= 23) 55 56 The dlopen(3) RTLD_LOCAL flag used to be ignored but is implemented 57 correctly in API 23 and later. Note that RTLD_LOCAL is the default, 58 so even calls to dlopen(3) that didnt explicitly use RTLD_LOCAL will 59 be affected (unless they explicitly used RTLD_GLOBAL). With RTLD_LOCAL, 60 symbols will not be made available to libraries loaded by later calls 61 to dlopen(3) (as opposed to being referenced by DT_NEEDED entries). 62 63 64 ## GNU hashes (Availible in API level >= 23) 65 66 The GNU hash style available with --hash-style=gnu allows faster 67 symbol lookup and is now supported by the dynamic linker in API 23 and 68 above. (Use --hash-style=both if you want to build code that uses this 69 feature >= Android M but still works on older releases.) 70 71 72 ## Correct soname/path handling (Available in API level >= 23) 73 74 The dynamic linker now understands the difference 75 between a librarys soname and its path (public bug 76 https://code.google.com/p/android/issues/detail?id=6670). API level 23 77 is the first release where search by soname is implemented. Earlier 78 releases would assume that the basename of the library was the soname, 79 and used that to search for already-loaded libraries. For example, 80 `dlopen("/this/directory/does/not/exist/libc.so", RTLD_NOW)` would 81 find `/system/lib/libc.so` because its already loaded. This also meant 82 that it was impossible to have two libraries `"dir1/libx.so"` and 83 `"dir2/libx.so"` --- the dynamic linker couldnt tell the difference 84 and would always use whichever was loaded first, even if you explicitly 85 tried to load both. This also applied to DT_NEEDED entries. 86 87 Some apps have bad DT_NEEDED entries (usually absolute paths on the build 88 machines file system) that used to work because we ignored everything 89 but the basename. These apps will fail to load on API level 23 and above. 90 91 92 ## Symbol versioning (Available in API level >= 23) 93 94 Symbol versioning allows libraries to provide better backwards 95 compatibility. For example, if a library author knowingly changes 96 the behavior of a function, they can provide two versions in the same 97 library so that old code gets the old version and new code gets the new 98 version. This is supported in API level 23 and above. 99 100 101 ## Opening shared libraries directly from an APK 102 103 In API level 23 and above, its possible to open a .so file directly from 104 your APK. Just use `System.loadLibrary("foo")` exactly as normal but set 105 `android:extractNativeLibs="false"` in your `AndroidManifest.xml`. In 106 older releases, the .so files were extracted from the APK file 107 at install time. This meant that they took up space in your APK and 108 again in your installation directory (and this was counted against you 109 and reported to the user as space taken up by your app). Any .so file 110 that you want to load directly from your APK must be page aligned 111 (on a 4096-byte boundary) in the zip file and stored uncompressed. 112 Current versions of the zipalign tool take care of alignment. 113 114 Note that in API level 23 and above dlopen(3) will open a library from 115 any zip file, not just your APK. Just give dlopen(3) a path of the form 116 "my_zip_file.zip!/libs/libstuff.so". As with APKs, the library must be 117 page-aligned and stored uncompressed for this to work. 118 119 120 ## Private API (Enforced for API level >= 24) 121 122 Native libraries must use only public API, and must not link against 123 non-NDK platform libraries. Starting with API 24 this rule is enforced and 124 applications are no longer able to load non-NDK platform libraries. The 125 rule is enforced by the dynamic linker, so non-public libraries 126 are not accessible regardless of the way code tries to load them: 127 System.loadLibrary, DT_NEEDED entries, and direct calls to dlopen(3) 128 will all work exactly the same. 129 130 Users should have a consistent app experience across updates, 131 and developers shouldn't have to make emergency app updates to 132 handle platform changes. For that reason, we recommend against using 133 private C/C++ symbols. Private symbols aren't tested as part of the 134 Compatibility Test Suite (CTS) that all Android devices must pass. They 135 may not exist, or they may behave differently. This makes apps that use 136 them more likely to fail on specific devices, or on future releases --- 137 as many developers found when Android 6.0 Marshmallow switched from 138 OpenSSL to BoringSSL. 139 140 In order to reduce the user impact of this transition, we've identified 141 a set of libraries that see significant use from Google Play's 142 most-installed apps, and that are feasible for us to support in the 143 short term (including libandroid_runtime.so, libcutils.so, libcrypto.so, 144 and libssl.so). In order to give you more time to transition, we will 145 temporarily support these libraries; so if you see a warning that means 146 your code will not work in a future release -- please fix it now! 147 148 In O and later, the system property `debug.ld.greylist_disabled` can be 149 used to deny access to the greylist even to an app that would normally 150 be allowed it. This allows you to test compatibility without bumping the 151 app's `targetSdkVersion`. Use `setprop debug.ld.greylist_disabled true` 152 to turn this on (any other value leaves the greylist enabled). 153 154 ``` 155 $ readelf --dynamic libBroken.so | grep NEEDED 156 0x00000001 (NEEDED) Shared library: [libnativehelper.so] 157 0x00000001 (NEEDED) Shared library: [libutils.so] 158 0x00000001 (NEEDED) Shared library: [libstagefright_foundation.so] 159 0x00000001 (NEEDED) Shared library: [libmedia_jni.so] 160 0x00000001 (NEEDED) Shared library: [liblog.so] 161 0x00000001 (NEEDED) Shared library: [libdl.so] 162 0x00000001 (NEEDED) Shared library: [libz.so] 163 0x00000001 (NEEDED) Shared library: [libstdc++.so] 164 0x00000001 (NEEDED) Shared library: [libm.so] 165 0x00000001 (NEEDED) Shared library: [libc.so] 166 ``` 167 168 *Potential problems*: starting from API 24 the dynamic linker will not 169 load private libraries, preventing the application from loading. 170 171 *Resolution*: rewrite your native code to rely only on public API. As a 172 short term workaround, platform libraries without complex dependencies 173 (libcutils.so) can be copied to the project. As a long term solution 174 the relevant code must be copied to the project tree. SSL/Media/JNI 175 internal/binder APIs should not be accessed from the native code. When 176 necessary, native code should call appropriate public Java API methods. 177 178 A complete list of public libraries is available within the NDK, under 179 platforms/android-API/usr/lib. 180 181 Note: SSL/crypto is a special case, applications must NOT use platform 182 libcrypto and libssl libraries directly, even on older platforms. All 183 applications should use GMS Security Provider to ensure they are protected 184 from known vulnerabilities. 185 186 187 ## Missing Section Headers (Enforced for API level >= 24) 188 189 Each ELF file has additional information contained in the section 190 headers. These headers must be present now, because the dynamic linker 191 uses them for sanity checking. Some developers strip them in an 192 attempt to obfuscate the binary and prevent reverse engineering. (This 193 doesn't really help because it is possible to reconstruct the stripped 194 information using widely-available tools.) 195 196 ``` 197 $ readelf --header libBroken.so | grep 'section headers' 198 Start of section headers: 0 (bytes into file) 199 Size of section headers: 0 (bytes) 200 Number of section headers: 0 201 ``` 202 203 *Resolution*: remove the extra steps from your build that strip section 204 headers. 205 206 ## Text Relocations (Enforced for API level >= 23) 207 208 Starting with API 23, shared objects must not contain text 209 relocations. That is, the code must be loaded as is and must not be 210 modified. Such an approach reduces load time and improves security. 211 212 The usual reason for text relocations is non-position independent 213 hand-written assembler. This is not common. Use the scanelf tool as 214 described in our documentation for further diagnostics: 215 216 ``` 217 $ scanelf -qT libTextRel.so 218 libTextRel.so: (memory/data?) [0x15E0E2] in (optimized out: previous simd_broken_op1) [0x15E0E0] 219 libTextRel.so: (memory/data?) [0x15E3B2] in (optimized out: previous simd_broken_op2) [0x15E3B0] 220 ... 221 ``` 222 223 If you have no scanelf tool available, it is possible to do a basic 224 check with readelf instead, look for either a TEXTREL entry or the 225 TEXTREL flag. Either alone is sufficient. (The value corresponding to the 226 TEXTREL entry is irrelevant and typically 0 --- simply the presence of 227 the TEXTREL entry declares that the .so contains text relocations). This 228 example has both indicators present: 229 230 ``` 231 $ readelf --dynamic libTextRel.so | grep TEXTREL 232 0x00000016 (TEXTREL) 0x0 233 0x0000001e (FLAGS) SYMBOLIC TEXTREL BIND_NOW 234 ``` 235 236 Note: it is technically possible to have a shared object with the TEXTREL 237 entry/flag but without any actual text relocations. This doesn't happen 238 with the NDK, but if you're generating ELF files yourself make sure 239 you're not generating ELF files that claim to have text relocations, 240 because the Android dynamic linker trusts the entry/flag. 241 242 *Potential problems*: Relocations enforce code pages being writable, and 243 wastefully increase the number of dirty pages in memory. The dynamic 244 linker has issued warnings about text relocations since Android K 245 (API 19), but on API 23 and above it refuses to load code with text 246 relocations. 247 248 *Resolution*: rewrite assembler to be position independent to ensure 249 no text relocations are necessary. The 250 [Gentoo Textrels guide](https://wiki.gentoo.org/wiki/Hardened/Textrels_Guide) 251 has instructions for fixing text relocations, and more detailed 252 [scanelf documentation](https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities). 253 254 255 ## Invalid DT_NEEDED Entries (Enforced for API level >= 23) 256 257 While library dependencies (DT_NEEDED entries in the ELF headers) can be 258 absolute paths, that doesn't make sense on Android because you have 259 no control over where your library will be installed by the system. A 260 DT_NEEDED entry should be the same as the needed library's SONAME, 261 leaving the business of finding the library at runtime to the dynamic 262 linker. 263 264 Before API 23, Android's dynamic linker ignored the full path, and 265 used only the basename (the part after the last /') when looking 266 up the required libraries. Since API 23 the runtime linker will honor 267 the DT_NEEDED exactly and so it won't be able to load the library if 268 it is not present in that exact location on the device. 269 270 Even worse, some build systems have bugs that cause them to insert 271 DT_NEEDED entries that point to a file on the build host, something that 272 cannot be found on the device. 273 274 ``` 275 $ readelf --dynamic libSample.so | grep NEEDED 276 0x00000001 (NEEDED) Shared library: [libm.so] 277 0x00000001 (NEEDED) Shared library: [libc.so] 278 0x00000001 (NEEDED) Shared library: [libdl.so] 279 0x00000001 (NEEDED) Shared library: 280 [C:\Users\build\Android\ci\jni\libBroken.so] 281 ``` 282 283 *Potential problems*: before API 23 the DT_NEEDED entry's basename was 284 used, but starting from API 23 the Android runtime will try to load the 285 library using the path specified, and that path won't exist on the 286 device. There are broken third-party toolchains/build systems that use 287 a path on a build host instead of the SONAME. 288 289 *Resolution*: make sure all required libraries are referenced by SONAME 290 only. It is better to let the runtime linker to find and load those 291 libraries as the location may change from device to device. 292 293 294 ## Missing SONAME (Enforced for API level >= 23) 295 296 Each ELF shared object (native library) must have a SONAME (Shared 297 Object Name) attribute. The NDK toolchain adds this attribute by default, 298 so its absence indicates either a misconfigured alternative toolchain 299 or a misconfiguration in your build system. A missing SONAME may lead 300 to runtime issues such as the wrong library being loaded: the filename 301 is used instead when this attribute is missing. 302 303 ``` 304 $ readelf --dynamic libWithSoName.so | grep SONAME 305 0x0000000e (SONAME) Library soname: [libWithSoName.so] 306 ``` 307 308 *Potential problems*: namespace conflicts may lead to the wrong library 309 being loaded at runtime, which leads to crashes when required symbols 310 are not found, or you try to use an ABI-incompatible library that isn't 311 the library you were expecting. 312 313 *Resolution*: the current NDK generates the correct SONAME by 314 default. Ensure you're using the current NDK and that you haven't 315 configured your build system to generate incorrect SONAME entries (using 316 the -soname linker option). 317 318 319 ## DT_RUNPATH support (Available in API level >= 24) 320 321 If an ELF file contains a DT_RUNPATH entry, the directories listed there 322 will be searched to resolve DT_NEEDED entries. The string `${ORIGIN}` will 323 be rewritten at runtime to the directory containing the ELF file. This 324 allows the use of relative paths. The `${LIB}` and `${PLATFORM}` 325 substitutions supported on some systems are not currently implemented on 326 Android. 327 328 329 ## Writable and Executable Segments (Enforced for API level >= 26) 330 331 Each segment in an ELF file has associated flags that tell the 332 dynamic linker what permissions to give the corresponding page in 333 memory. For security, data shouldn't be executable and code shouldn't be 334 writable. This means that the W (for Writable) and E (for Executable) 335 flags should be mutually exclusive. This wasn't historically enforced, 336 but is now. 337 338 ``` 339 $ readelf --program-headers -W libBadFlags.so | grep WE 340 LOAD 0x000000 0x00000000 0x00000000 0x4c01d 0x4c01d RWE 0x1000 341 ``` 342 343 *Resolution*: we're aware of one middleware product that introduces these 344 into your app. The middleware vendor is aware of the problem and has a fix 345 available. 346 347 ## Invalid ELF header/section headers (Enforced for API level >= 26) 348 349 In API level 26 and above the dynamic linker checks more values in 350 the ELF header and section headers and fails if they are invalid. 351 352 *Example error* 353 ``` 354 dlopen failed: "/data/data/com.example.bad/lib.so" has unsupported e_shentsize: 0x0 (expected 0x28) 355 ``` 356 357 *Resolution*: don't use tools that produce invalid/malformed 358 ELF files. Note that using them puts application under high risk of 359 being incompatible with future versions of Android. 360 361 ## Enable logging of dlopen/dlsym and library loading errors for apps (Available in Android O) 362 363 Starting with Android O it is possible to enable logging of all dlsym/dlopen calls 364 for debuggable apps. Here is short instruction on how to do that: 365 ``` 366 adb shell setprop debug.ld.app.com.example.myapp dlsym,dlopen,dlerror 367 adb logcat 368 ``` 369 370 Any subset of (dlsym,dlopen,dlerror) can be used. 371 372 On userdebug and eng builds it is possible to enable tracing for the whole system 373 by using debug.ld.all system property instead of app-specific one: 374 ``` 375 adb shell setprop debug.ld.all dlerror,dlopen 376 ``` 377 378 enables logging of all errors and dlopen calls 379