[guardian-dev] Confused by Android-L PIE
Nathan of Guardian
nathan at guardianproject.info
Thu Nov 6 15:58:23 EST 2014
On Thu, Nov 6, 2014, at 03:39 PM, David Brodsky wrote:
> > So, does that mean the PIE setting only affected executables and not
> > libraries, perhaps?
>
> This is indeed the case. From the 5.0 security notes.
> <http://source.android.com/devices/tech/security/enhancements50.html>:
>
> "Android now requires all dynamically linked executables to support PIE
> (position-independent executables)."
All of our binaries are statically linked though... I think?

In the end, it seems like this issue really only affects a very small
number of apps, which just happens to include Orbot (tor, polipo),
StoryMaker (ffmpeg) and InformaCam (ffmpeg).
>
> On Thu Nov 06 2014 at 11:26:33 AM Nick Parker <nparker at zetetic.net>
> wrote:
>
> > Hi Nathan,
> >
> > For what it's worth, running the latest SQLCipher for Android (3.2.0)
> > library on the Android L preview emulator executing the test suite is
> > entirely successful. I had previously submitted a screenshot of this to
> > this thread however the message was not posted.
> >
> > On 11/6/14 1:09 PM, Nathan of Guardian wrote:
> > > I finally updated my Nexus 7 to use the latest Android L/5.0 developer
> > > preview ROMs.
> > >
> > > I've updated Orbot's Makefile to support a simple command line arg for
> > > enabling PIE or not:
> > > https://github.com/n8fr8/orbot/commit/7f50f79b0e3ebbb0dd97845445dbb693f3fd541c
> > >
> > > For PIE-enabled/Android-16 binaries:
> > >> make polipo PIEFLAGS="-fPIE -pie" NDK_PLATFORM_LEVEL="16"
> > >
> > > For non-PIE/Android-9 through 15 binaries:
> > >> make polipo PIEFLAGS="" NDK_PLATFORM_LEVEL="9"
> > >
> > > I can verify that if I try to run the non-PIE binaries on L, they do not
> > > work.
> > >
> > > Now, when I decided to install Courier (securereader) and ChatSecure
> > > from the Google Play store existing versions, they both installed and
> > > executed perfectly. They both contain native code, but they are used as
> > > shared libraries and not command line executables like with Orbot.
> > >
> > > So, does that mean the PIE setting only affected executables and not
> > > libraries, perhaps?
> > >
> > >
> >
> > --
> > Nick Parker
> >
> > _______________________________________________
> > Guardian-dev mailing list
> >
> > Post: Guardian-dev at lists.mayfirst.org
> > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> >
> > To Unsubscribe
> > Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
> > Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/davidpbrodsky%40gmail.com
> >
> > You are subscribed as: davidpbrodsky at gmail.com
> >
--
Nathan of Guardian
nathan at guardianproject.info
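
The distinction this thread turns on (dynamically linked executable, shared library, or static binary, and PIE or not) can be read from a binary's ELF header; per the quoted Android 5.0 note, only the "dynamic non-PIE executable" class falls under the PIE requirement. This is an added example, not part of the original message or of Orbot's code: the function names and category labels are assumptions, and the sample images are constructed header-only ELF32 files.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic linker

def classify_elf(data: bytes) -> str:
    """Classify an ELF image from e_type and the presence of PT_INTERP."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first 32-bit field of a program header in both classes.
    p_types = [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
               for i in range(phnum)]
    dynamic = PT_INTERP in p_types
    if e_type == ET_EXEC:                 # fixed load address, i.e. non-PIE
        return "dynamic non-PIE executable" if dynamic else "static executable"
    if e_type == ET_DYN:                  # heuristic: static-PIE also lacks PT_INTERP
        return "PIE executable" if dynamic else "shared library"
    return "other"

def make_elf32(e_type: int, p_types: list) -> bytes:
    """Build a constructed, header-only little-endian ELF32 image (sample data)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    # Machine 40 = EM_ARM; program headers follow the 52-byte ELF header.
    header = struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0,
                         52, 32, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return ident + header + phdrs

if __name__ == "__main__":
    # Constructed samples; 1 = PT_LOAD, 2 = PT_DYNAMIC, 3 = PT_INTERP.
    samples = {
        "dynamic, no -pie": make_elf32(ET_EXEC, [1, PT_INTERP, 2]),
        "dynamic, -fPIE -pie": make_elf32(ET_DYN, [1, PT_INTERP, 2]),
        "shared library (.so)": make_elf32(ET_DYN, [1, 2]),
        "static, no -pie": make_elf32(ET_EXEC, [1]),
    }
    for name, image in samples.items():
        print(f"{name:22} -> {classify_elf(image)}")
```

To check a real build output, pass the file's bytes to `classify_elf`, for example `classify_elf(open(path, "rb").read())`.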