[guardian-dev] Confused by Android-L PIE

Nathan of Guardian nathan at guardianproject.info
Thu Nov 6 15:58:23 EST 2014



On Thu, Nov 6, 2014, at 03:39 PM, David Brodsky wrote:
> > So, does that mean the PIE setting only affected executables and not
> > libraries, perhaps?
> 
> This is indeed the case. From the 5.0 security notes.
> <http://source.android.com/devices/tech/security/enhancements50.html>:
> 
> "Android now requires all dynamically linked executables to support PIE
> (position-independent executables)."

All of our binaries are statically linked though... I think? 

In the end, it seems like this issue really only affects a very small
number of apps, which just happens to include Orbot (tor, polipo),
StoryMaker (ffmpeg) and InformaCam (ffmpeg).

> 
> On Thu Nov 06 2014 at 11:26:33 AM Nick Parker <nparker at zetetic.net>
> wrote:
> 
> > Hi Nathan,
> >
> > For what it's worth, running the latest SQLCipher for Android (3.2.0)
> > library on the Android L preview emulator executing the test suite is
> > entirely successful.  I had previously submitted a screenshot of this to
> > this thread; however, the message was not posted.
> >
> > On 11/6/14 1:09 PM, Nathan of Guardian wrote:
> > > I finally updated my Nexus 7 to use the latest Android L/5.0 developer
> > > preview ROMs
> > >
> > > I've updated Orbot's Makefile to support a simple command line arg for
> > > enabling PIE or not:
> > > https://github.com/n8fr8/orbot/commit/7f50f79b0e3ebbb0dd97845445dbb693f3fd541c
> > >
> > > For PIE-enabled/Android-16 binaries:
> > >> make polipo PIEFLAGS="-fPIE -pie" NDK_PLATFORM_LEVEL="16"
> > >
> > > For non-PIE/Android-9 through 15 binaries:
> > >> make polipo PIEFLAGS="" NDK_PLATFORM_LEVEL="9"
> > >
> > > I can verify that if I try to run the non-PIE binaries on L, they do not
> > > work.
> > >
> > > Now, when I decided to install Courier (securereader) and ChatSecure
> > > from the Google Play store existing versions, they both installed and
> > > executed perfectly. They both contain native code, but they are used as
> > > shared libraries and not command line executables like with Orbot.
> > >
> > > So, does that mean the PIE setting only affected executables and not
> > > libraries, perhaps?
> > >
> > >
> >
> > --
> > Nick Parker
> >


-- 
  Nathan of Guardian
  nathan at guardianproject.info

