Merge "Don't resolve permitted.paths"
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
24c9c3f380
1 changed files with 21 additions and 7 deletions
|
|
@ -320,7 +320,7 @@ class Properties {
|
|||
return (it == properties_.end()) ? "" : it->second.value();
|
||||
}
|
||||
|
||||
std::vector<std::string> get_paths(const std::string& name, size_t* lineno = nullptr) {
|
||||
std::vector<std::string> get_paths(const std::string& name, bool resolve, size_t* lineno = nullptr) {
|
||||
std::string paths_str = get_string(name, lineno);
|
||||
|
||||
std::vector<std::string> paths;
|
||||
|
|
@ -338,12 +338,16 @@ class Properties {
|
|||
format_string(&path, params);
|
||||
}
|
||||
|
||||
std::vector<std::string> resolved_paths;
|
||||
if (resolve) {
|
||||
std::vector<std::string> resolved_paths;
|
||||
|
||||
// do not remove paths that do not exist
|
||||
resolve_paths(paths, &resolved_paths);
|
||||
// do not remove paths that do not exist
|
||||
resolve_paths(paths, &resolved_paths);
|
||||
|
||||
return resolved_paths;
|
||||
return resolved_paths;
|
||||
} else {
|
||||
return paths;
|
||||
}
|
||||
}
|
||||
|
||||
void set_target_sdk_version(int target_sdk_version) {
|
||||
|
|
@ -474,8 +478,18 @@ bool Config::read_binary_config(const char* ld_config_file_path,
|
|||
property_name_prefix += ".asan";
|
||||
}
|
||||
|
||||
ns_config->set_search_paths(properties.get_paths(property_name_prefix + ".search.paths"));
|
||||
ns_config->set_permitted_paths(properties.get_paths(property_name_prefix + ".permitted.paths"));
|
||||
// search paths are resolved (canonicalized). This is required mainly for
|
||||
// the case when /vendor is a symlink to /system/vendor, which is true for
|
||||
// non Treble-ized legacy devices.
|
||||
ns_config->set_search_paths(properties.get_paths(property_name_prefix + ".search.paths", true));
|
||||
|
||||
// However, for permitted paths, we are not required to resolve the paths
|
||||
// since they are only set for isolated namespaces, which implies the device
|
||||
// is Treble-ized (= /vendor is not a symlink to /system/vendor).
|
||||
// In fact, the resolving is causing an unexpected side effect of selinux
|
||||
// denials on some executables which are not allowed to access some of the
|
||||
// permitted paths.
|
||||
ns_config->set_permitted_paths(properties.get_paths(property_name_prefix + ".permitted.paths", false));
|
||||
}
|
||||
|
||||
failure_guard.Disable();
|
||||
|
|
|
|||
Loading…
Reference in a new issue