# NDK-Related musl libc Interface Usage Restrictions

## Overview

When developing an application using DevEco Studio or the NDK, you may need to call musl libc interfaces. Some of these interfaces may be unavailable because of restrictions imposed by the system and its runtime environment. Use this document to troubleshoot such interface issues.

<!--RP1--><!--RP1End-->

## Seccomp-Affected musl Interfaces<!--Del-->
For details about the secure computing mode (Seccomp) mechanism, see [Seccomp Policy Development](../../../device-dev/subsystems/subsys-boot-init-seccomp.md).<!--DelEnd-->

### Determining Process Termination Due to Seccomp

- Check the process fault logs. If the error cause is **signal:SIGSYS** and the stack top is in the ld-musl-{architecture}.so.1 library, the process termination may be caused by the Seccomp mechanism.
  ```
  cat /data/log/faultlog/faultlogger/cppcrash-xxxx
  ```
  Example of a fault log matching this pattern:
  ```
  Process name:com.example.myapplication
  Reason:Signal:SIGSYS(UNKNOWN)
  Fault thread Info:
  Tid:13893, Name:e.myapplication
  #00 pc 000a5d30 /system/lib/ld-musl-arm.so.1(sethostname+16)(584c9d0a0e9000497bb0d66799a9526a)
  #01 pc 00002f68 /data/storage/el1/bundle/libs/arm/libentry.so(test()+64)
  ```
<!--Del-->
- Disable the Seccomp mechanism. If the process then runs properly, the termination was caused by the Seccomp mechanism.

  When the device runs an ENG system version and is in root mode, run the following shell commands to set the system parameter that disables the Seccomp mechanism.
  ```shell
  # Set the system parameter to disable Seccomp and restart the process.
  param set persist.init.debug.seccomp.enable 0
  reboot
  # Set the system parameter to enable Seccomp and restart the process.
  param set persist.init.debug.seccomp.enable 1
  reboot
  ```
<!--DelEnd-->

### Common Seccomp-Affected Interfaces

| Header File    | musl Interface    |
| -------------- | ----------------- |
| fcntl.h        | name_to_handle_at |
| fcntl.h        | open_by_handle_at |
| grp.h          | initgroups        |
| grp.h          | setgroups         |
| sched.h        | setns             |
| sched.h        | unshare           |
| sys/fanotify.h | fanotify_init     |
| sys/fanotify.h | fanotify_mark     |
| sys/fsuid.h    | setfsgid          |
| sys/fsuid.h    | setfsuid          |
| sys/klog.h     | klogctl           |
| sys/mount.h    | mount             |
| sys/mount.h    | umount2           |
| sys/mount.h    | umount            |
| sys/msg.h      | msgctl            |
| sys/msg.h      | msgget            |
| sys/msg.h      | msgrcv            |
| sys/msg.h      | msgsnd            |
| sys/reboot.h   | reboot            |
| sys/sem.h      | semctl            |
| sys/sem.h      | semget            |
| sys/sem.h      | semop             |
| sys/sem.h      | semtimedop        |
| sys/shm.h      | shmat             |
| sys/shm.h      | shmctl            |
| sys/shm.h      | shmdt             |
| sys/shm.h      | shmget            |
| sys/stat.h     | mkfifo            |
| sys/stat.h     | mkfifoat          |
| sys/stat.h     | mknod             |
| sys/stat.h     | mknodat           |
| sys/swap.h     | swapoff           |
| sys/swap.h     | swapon            |
| time.h         | clock_settime     |
| sys/time.h     | settimeofday      |
| sys/timex.h    | adjtimex          |
| sys/timex.h    | clock_adjtime     |
| unistd.h       | acct              |
| unistd.h       | chroot            |
| unistd.h       | pause             |
| unistd.h       | setdomainname     |
| unistd.h       | setegid           |
| unistd.h       | setgid            |
| unistd.h       | sethostname       |
| unistd.h       | setregid          |
| unistd.h       | setresgid         |
| unistd.h       | setreuid          |
| unistd.h       | setuid            |
| None           | pivot_root        |
| None           | init_module       |
| None           | delete_module     |


## Kernel-Related musl Interfaces Not Opened to the Public

| Header File    | musl Interface |
| -------------- | -------------- |
| sys/fanotify.h | fanotify_init  |
| sys/fanotify.h | fanotify_mark  |
| unistd.h       | acct           |

## SELinux-Affected musl Interfaces<!--Del-->
For details about SELinux, see [OpenHarmony SELinux Overview](../../../device-dev/subsystems/subsys-security-selinux-overview.md).<!--DelEnd-->

### Determining Interface Errors Caused by SELinux

- Include the **errno.h** header file and check the errno error code. If the error code is EACCES, the interface error may be caused by the SELinux mechanism.
<!--Del-->
- Check the kernel log for SELinux AVC denial records (type=1400) to determine whether the interface error is caused by the SELinux mechanism.

  ```shell
  # Search the kernel log for SELinux records with type=1400.
  # (Note: for performance reasons, the kernel may discard some logs.)
  dmesg -w | grep "pid=2854" | grep "type=1400"
  # Example of a log affected by the SELinux mechanism:
  #   audit: type=1400 audit(1502785908.269:47562): avc: denied { ioctl } for pid=2854 comm="sh" path="/dev/tty" dev="tmpfs" ino=40 ioctlcmd=0x5403 scontext=u:r:su:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
  # Log interpretation:
  #   ioctl                               Operation performed on the object
  #   pid=2854                            Process ID of the subject
  #   comm="sh"                           Process name of the subject
  #   path="/dev/tty"                     Object being accessed
  #   dev="tmpfs"                         File system of the object
  #   ino=40                              Inode number of the object
  #   ioctlcmd=0x5403                     ioctl command
  #   scontext=u:r:su:s0                  SELinux context of the subject
  #   tcontext=u:object_r:tty_device:s0   SELinux context of the object
  #   tclass=chr_file                     Object class (character device file)
  #   permissive=0                        0: enforcing mode; 1: permissive mode
  # Log conclusion:
  #   The process (2854) attempted to perform an ioctl operation on /dev/tty.
  #   Because it lacks permission for the ioctlcmd=0x5403 command and SELinux is
  #   in enforcing mode, the kernel blocked the operation and set errno to EACCES.
  ```

- Disable the SELinux mechanism. If the interface call succeeds, the error is caused by the SELinux mechanism.

  When the device is in root mode, run the following shell commands to temporarily disable the SELinux mechanism.
  ```shell
  # Temporarily disable the SELinux mechanism.
  setenforce 0
  # Re-enable the SELinux mechanism.
  setenforce 1
  ```
<!--DelEnd-->

### Common SELinux-Affected Interfaces

| Header File    | musl Interface |
| -------------- | -------------- |
| net/if.h       | if_indextoname |
| net/if.h       | if_nametoindex |
| pty.h          | forkpty        |
| pty.h          | openpty        |
| semaphore.h    | sem_open       |
| semaphore.h    | sem_unlink     |
| stdlib.h       | ptsname        |
| stdlib.h       | ptsname_r      |
| stdlib.h       | posix_openpt   |
| stdlib.h       | unlockpt       |
| stdio.h        | popen          |
| stdio.h        | pclose         |
| sys/ioctl.h    | ioctl          |
| sys/mman.h     | shm_open       |
| sys/mman.h     | shm_unlink     |
| sys/mount.h    | mount          |
| sys/mount.h    | umount         |
| sys/mount.h    | umount2        |
| sys/msg.h      | msgctl         |
| sys/msg.h      | msgget         |
| sys/msg.h      | msgrcv         |
| sys/msg.h      | msgsnd         |
| sys/sem.h      | semget         |
| sys/sem.h      | semctl         |
| sys/sem.h      | semop          |
| sys/sem.h      | semtimedop     |
| sys/shm.h      | shmget         |
| sys/shm.h      | shmat          |
| sys/shm.h      | shmdt          |
| sys/shm.h      | shmctl         |
| sys/stat.h     | mkfifo         |
| sys/stat.h     | mkfifoat       |
| sys/stat.h     | mknod          |
| sys/stat.h     | mknodat        |
| termios.h      | tcgetattr      |
| termios.h      | tcsetattr      |
| termios.h      | tcsendbreak    |
| termios.h      | tcdrain        |
| termios.h      | tcflush        |
| termios.h      | tcflow         |
| termios.h      | tcgetsid       |
| unistd.h       | link           |
| unistd.h       | linkat         |
| unistd.h       | readlink       |
| unistd.h       | readlinkat     |
| unistd.h       | symlink        |
| unistd.h       | symlinkat      |
| unistd.h       | tcgetpgrp      |
| unistd.h       | tcsetpgrp      |
| utmp.h         | login_tty      |


## Sandbox-Affected musl Interfaces

For details about the sandbox mechanism, see [Application Sandbox](../../file-management/app-sandbox-directory.md).

Include the **errno.h** header file and check the errno error code. If the error code is ENOENT, the interface error may be caused by the sandbox mechanism.

### Common Sandbox-Affected Interfaces

| Header File    | musl Interface |
| -------------- | -------------- |
| fcntl.h        | open           |
| fcntl.h        | openat         |
| nl_types.h     | catopen        |
| stdio.h        | fopen          |
| stdio.h        | freopen        |
| stdio.h        | rename         |
| stdio.h        | renameat       |
| stdio.h        | renameat2      |
| stdio.h        | tmpfile        |
| stdio.h        | tmpfile64      |


## No-Op or Default-Failure musl Interfaces

| Header File    | musl Interface |
| -------------- | -------------- |
| netdb.h        | getnetbyaddr   |
| netdb.h        | getnetbyname   |
| stdio_ext.h    | __fsetlocking  |
| unistd.h       | brk            |
| utmp.h         | getutent       |
| utmp.h         | pututline      |
| utmp.h         | setutent       |
| utmp.h         | utmpname       |


## musl Interfaces Requiring Special Permissions

Include the **errno.h** header file and check the errno error code. If the error code is EPERM, the interface error may be caused by the system capabilities security mechanism or other kernel security controls.
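
One way to follow up on an EPERM result is to check whether the process holds the capability the interface needs. The C code below is an added example, not OpenHarmony project code: it parses the `CapEff` mask from the Linux procfs file `/proc/self/status` and looks the interface up in a table transcribed from the capabilities table in this section. The names `parse_cap_eff`, `interface_allowed` and `REQUIRED` are hypothetical, and it assumes the calling process can read `/proc/self/status`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit positions from <linux/capability.h>; local names avoid a header dependency. */
enum { DAC_READ_SEARCH = 2, SYS_MODULE = 16, SYS_CHROOT = 18,
       SYS_ADMIN = 21, SYS_BOOT = 22, SYS_TIME = 25 };

/* Interface -> required capability, transcribed from this page's table. */
static const struct { const char *name; int bit; } REQUIRED[] = {
    {"pivot_root", SYS_ADMIN}, {"init_module", SYS_MODULE},
    {"delete_module", SYS_MODULE}, {"open_by_handle_at", DAC_READ_SEARCH},
    {"klogctl", SYS_ADMIN}, {"mount", SYS_ADMIN}, {"umount", SYS_ADMIN},
    {"umount2", SYS_ADMIN}, {"reboot", SYS_BOOT}, {"swapon", SYS_ADMIN},
    {"swapoff", SYS_ADMIN}, {"settimeofday", SYS_TIME}, {"chroot", SYS_CHROOT},
    {"setdomainname", SYS_ADMIN}, {"sethostname", SYS_ADMIN},
};

/* Extract the effective capability mask from /proc/<pid>/status text. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = strstr(status, "CapEff:");
    if (!p) return -1;
    for (p += 7; *p == ' ' || *p == '\t'; p++) {}
    if (!isxdigit((unsigned char)*p)) return -1;   /* empty or malformed field */
    *mask = strtoull(p, NULL, 16);
    return 0;
}

/* 1: capability held; 0: missing, expect EPERM; -1: interface not in the table. */
int interface_allowed(const char *iface, unsigned long long mask)
{
    for (size_t i = 0; i < sizeof REQUIRED / sizeof REQUIRED[0]; i++)
        if (strcmp(REQUIRED[i].name, iface) == 0)
            return (int)((mask >> REQUIRED[i].bit) & 1ULL);
    return -1;
}

int main(void)
{
    char buf[4096] = "";
    unsigned long long mask;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    if (parse_cap_eff(buf, &mask) == 0)
        printf("sethostname: %d\n", interface_allowed("sethostname", mask));
    return 0;
}
```

A result of 1 only rules out the capability check: interfaces such as `sethostname` also appear in the Seccomp table on this page and can still be blocked there.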

### Common Capabilities-Affected Interfaces

| Header File    | musl Interface    | Required Capability  |
| -------------- | ----------------- | -------------------- |
| None           | pivot_root        | CAP_SYS_ADMIN        |
| None           | init_module       | CAP_SYS_MODULE       |
| None           | delete_module     | CAP_SYS_MODULE       |
| fcntl.h        | open_by_handle_at | CAP_DAC_READ_SEARCH  |
| sys/klog.h     | klogctl           | CAP_SYS_ADMIN        |
| sys/mount.h    | mount             | CAP_SYS_ADMIN        |
| sys/mount.h    | umount            | CAP_SYS_ADMIN        |
| sys/mount.h    | umount2           | CAP_SYS_ADMIN        |
| sys/reboot.h   | reboot            | CAP_SYS_BOOT         |
| sys/swap.h     | swapon            | CAP_SYS_ADMIN        |
| sys/swap.h     | swapoff           | CAP_SYS_ADMIN        |
| sys/time.h     | settimeofday      | CAP_SYS_TIME         |
| unistd.h       | setdomainname     | CAP_SYS_ADMIN        |
| unistd.h       | sethostname       | CAP_SYS_ADMIN        |
| unistd.h       | chroot            | CAP_SYS_CHROOT       |