tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_core/rootdir/etc/ld.config.legacy.txt
Jiyong Park d7e6cb27b6 /postinstall/* does not search for a lib in /vendor or /odm 
There has been no section in the linker config file for the binaries
under /postinstall. As a result, the binaries were run with the legacy
default config where /vendor/lib and /odm/lib are added to the search
paths. This is causing selinux denials as the binaries for OTA are not
allowed to access /vendor/lib or /odm/lib, but the dynamic linker calls
realpath(3) on the paths to canonicalize them.

Fixing the issue by letting /postinstall/* binaries to run with a
dedicated linker namespace config, where /vendor/lib and /odm/lib are
not added to the search paths. Not having the paths is okay because
he OTA binaries should not have dependency to the libs there.

Bug: 75287236
Test: do the OTA, selinux denials on postinstall_file is not shown
Test: above test should pass on  wahoo, marlin and pre-treble devices
Change-Id: I49c11a0929002adfef667890c0a375c2b41054f4
2018-03-20 10:12:00 +09:00

40 lines
1.6 KiB
Text
Raw Blame History

# Copyright (C) 2017 The Android Open Source Project
#
# Bionic loader config file.
# This gives the exactly the same namespace setup in pre-O.
#
# All binaries gets the same configuration 'legacy'
dir.legacy = /system
dir.legacy = /vendor
dir.legacy = /odm
dir.legacy = /sbin
# Except for /postinstall, where only /system is searched
dir.postinstall = /postinstall
[legacy]
namespace.default.isolated = false
namespace.default.search.paths = /system/${LIB}
namespace.default.search.paths += /vendor/${LIB}
namespace.default.search.paths += /odm/${LIB}
namespace.default.asan.search.paths = /data/asan/system/${LIB}
namespace.default.asan.search.paths += /system/${LIB}
namespace.default.asan.search.paths += /data/asan/odm/${LIB}
namespace.default.asan.search.paths += /odm/${LIB}
namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
namespace.default.asan.search.paths += /vendor/${LIB}
###############################################################################
# Namespace config for binaries under /postinstall.
# Only one default namespace is defined and it has no directories other than
# /system/lib in the search paths. This is because linker calls realpath on the
# search paths and this causes selinux denial if the paths (/vendor, /odm) are
# not allowed to the poinstall binaries. There is no reason to allow the
# binaries to access the paths.
###############################################################################
[postinstall]
namespace.default.isolated = false
namespace.default.search.paths = /system/${LIB}
Reference in a new issue View git blame Copy permalink