From 246338f90ef660e3078f4643f35df92f7c31bece Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Mon, 28 Aug 2017 14:42:49 +0900 Subject: [PATCH] Make default namespace for system processes isolated The default namespace for system process now becomes isolated, which means it can load only the libs that are in search.paths and under permitted.paths. /system/framework, /system/app, /system/priv-app, /vendor/app, /data, etc are added to the permitted paths since libart should be able to dlopen odex files under the locations. Following directories become unavailable: /system/lib/vndk /system/lib/vndk-sp Bug: 37013858 Bug: 64888291 Bug: 64950640 Test: 2017 pixel devices builds and boots Test: android.jni.cts.JniStaticTest#test_linker_namespaces passes Merged-In: I2bbe9cc19940c3633c2fb901f9bf8ab813e38c13 Change-Id: I2bbe9cc19940c3633c2fb901f9bf8ab813e38c13 (cherry picked from commit 55f05d79f9e83757acb72d3d300262f5954a00af) --- rootdir/etc/ld.config.vndk.txt | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/rootdir/etc/ld.config.vndk.txt b/rootdir/etc/ld.config.vndk.txt index 063aab923..adffd92e1 100644 --- a/rootdir/etc/ld.config.vndk.txt +++ b/rootdir/etc/ld.config.vndk.txt @@ -23,25 +23,21 @@ additional.namespaces = sphal,vndk,rs ############################################################################### # "default" namespace # -# Framework-side code runs in this namespace. Anything from /vendor partition +# Framework-side code runs in this namespace. Libs from /vendor partition # can't be loaded in this namespace. ############################################################################### -namespace.default.isolated = false +namespace.default.isolated = true +# TODO(b/63553457): remove /vendor/lib from the search path. For now, this is +# required since the classloader namespace for vendor apks should have access +# vendor libraries in the directory. These search paths are copied to the search +# paths of the classloader namespace. namespace.default.search.paths = /system/${LIB}:/vendor/${LIB} -namespace.default.permitted.paths = /system/${LIB}:/vendor/${LIB} +# /vendor/app, /vendor/framework were added since libart should be able to dlopen +# the odex files from the directory. +namespace.default.permitted.paths = /system/${LIB}/drm:/system/${LIB}/hw:/system/framework:/system/app:/system/priv-app:/vendor/app:/vendor/framework:/oem/app:/data:/mnt/expand namespace.default.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB}:/data/asan/vendor/${LIB}:/vendor/${LIB} -namespace.default.asan.permitted.paths = /data/asan/system/${LIB}:/system/${LIB}:/data/asan/vendor/${LIB}:/vendor/${LIB} - -# TODO(b/37013858): remove all dependencies to /vendor/lib from system processes -# When this is done, comment out following three lines and remove the three -# lines above -#namespace.default.isolated = true -#namespace.default.search.paths = /system/${LIB} -#namespace.default.permitted.paths = /system/${LIB} -# -#namespace.default.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB} -#namespace.default.asan.permitted.paths = /data/asan/system/${LIB}:/system/${LIB} +namespace.default.asan.permitted.paths = /data:/system/${LIB}/drm:/system/${LIB}/hw:/system/framework:/system/app:/system/priv-app:/vendor/app:/vendor/framework:/oem/app:/mnt/expand ############################################################################### # "sphal" namespace