Avoid hardcoded paths to specific APEX jars in the fd allow list. (11a66135) · Commits · e / os / android_frameworks_base

core/jni/fd_utils.cpp

+6 −15

Original line number	Diff line number	Diff line
		@@ -33,16 +33,6 @@

		// Static whitelist of open paths that the zygote is allowed to keep open.
		static const char* kPathWhitelist[] = {
		"/apex/com.android.conscrypt/javalib/conscrypt.jar",
		"/apex/com.android.ipsec/javalib/ike.jar",
		"/apex/com.android.i18n/javalib/core-icu4j.jar",
		"/apex/com.android.media/javalib/updatable-media.jar",
		"/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar",
		"/apex/com.android.os.statsd/javalib/framework-statsd.jar",
		"/apex/com.android.permission/javalib/framework-permission.jar",
		"/apex/com.android.sdkext/javalib/framework-sdkextensions.jar",
		"/apex/com.android.wifi/javalib/framework-wifi.jar",
		"/apex/com.android.tethering/javalib/framework-tethering.jar",
		"/dev/null",
		"/dev/socket/zygote",
		"/dev/socket/zygote_secondary",
		@@ -100,10 +90,11 @@ bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const {
		}
		}

		// Jars from the ART APEX are allowed.
		static const char* kArtApexPrefix = "/apex/com.android.art/javalib/";
		if (android::base::StartsWith(path, kArtApexPrefix)
		&& android::base::EndsWith(path, kJarSuffix)) {
		// Jars from APEXes are allowed. This matches /apex/*/javalib/.jar.
		static const char* kApexPrefix = "/apex/";
		static const char* kApexJavalibPathSuffix = "/javalib";
		if (android::base::StartsWith(path, kApexPrefix) && android::base::EndsWith(path, kJarSuffix) &&
		android::base::EndsWith(android::base::Dirname(path), kApexJavalibPathSuffix)) {
		return true;
		}