Merge "Avoid hardcoded paths to specific APEX jars in the fd allow list." am:... (ec133b58) · Commits · e / os / android_frameworks_base

core/jni/fd_utils.cpp

+6 −15

Original line number	Original line	Diff line number	Diff line
	@@ -33,16 +33,6 @@

	// Static whitelist of open paths that the zygote is allowed to keep open.		// Static whitelist of open paths that the zygote is allowed to keep open.
	static const char* kPathWhitelist[] = {		static const char* kPathWhitelist[] = {
	"/apex/com.android.conscrypt/javalib/conscrypt.jar",
	"/apex/com.android.ipsec/javalib/ike.jar",
	"/apex/com.android.i18n/javalib/core-icu4j.jar",
	"/apex/com.android.media/javalib/updatable-media.jar",
	"/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar",
	"/apex/com.android.os.statsd/javalib/framework-statsd.jar",
	"/apex/com.android.permission/javalib/framework-permission.jar",
	"/apex/com.android.sdkext/javalib/framework-sdkextensions.jar",
	"/apex/com.android.wifi/javalib/framework-wifi.jar",
	"/apex/com.android.tethering/javalib/framework-tethering.jar",
	"/dev/null",		"/dev/null",
	"/dev/socket/zygote",		"/dev/socket/zygote",
	"/dev/socket/zygote_secondary",		"/dev/socket/zygote_secondary",
	@@ -100,10 +90,11 @@ bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const {
	}		}
	}		}

	// Jars from the ART APEX are allowed.		// Jars from APEXes are allowed. This matches /apex/*/javalib/.jar.
	static const char* kArtApexPrefix = "/apex/com.android.art/javalib/";		static const char* kApexPrefix = "/apex/";
	if (android::base::StartsWith(path, kArtApexPrefix)		static const char* kApexJavalibPathSuffix = "/javalib";
	&& android::base::EndsWith(path, kJarSuffix)) {		if (android::base::StartsWith(path, kApexPrefix) && android::base::EndsWith(path, kJarSuffix) &&
			android::base::EndsWith(android::base::Dirname(path), kApexJavalibPathSuffix)) {
	return true;		return true;
	}		}