Loading rootdir/etc/ld.config.txt +83 −16 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ dir.system = /data/benchmarktest64 dir.postinstall = /postinstall [system] additional.namespaces = sphal,vndk,rs additional.namespaces = runtime,sphal,vndk,rs ############################################################################### # "default" namespace Loading Loading @@ -105,6 +105,28 @@ namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/app namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/priv-app namespace.default.asan.permitted.paths += /mnt/expand # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.default.link.runtime.shared_libs += libart.so:libartd.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so namespace.default.link.runtime.shared_libs += libnativeloader.so ############################################################################### # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library # when it exists. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # "sphal" namespace # Loading Loading 
@@ -139,8 +161,12 @@ namespace.sphal.asan.permitted.paths += /vendor/${LIB} # Once in this namespace, access to libraries in /system/lib is restricted. Only # libs listed here can be used. namespace.sphal.links = default,vndk,rs namespace.sphal.links = runtime,default,vndk,rs namespace.sphal.link.runtime.shared_libs = libc.so:libdl.so:libm.so # LLNDK_LIBRARIES includes the runtime libs above, but the order here ensures # that they are loaded from the runtime namespace. namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading @@ -187,7 +213,9 @@ namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB} namespace.rs.asan.permitted.paths += /vendor/${LIB} namespace.rs.asan.permitted.paths += /data namespace.rs.links = default,vndk namespace.rs.links = runtime,default,vndk namespace.rs.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading 
@@ -235,10 +263,13 @@ namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%/hw namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw # The "vndk" namespace links to "default" namespace for LLNDK libs and links to # "sphal" namespace for vendor libs. The ordering matters. The "default" # namespace has higher priority than the "sphal" namespace. namespace.vndk.links = default,sphal # The "vndk" namespace links to "runtime" for Bionic libs, "default" namespace # for LLNDK libs, and links to "sphal" namespace for vendor libs. The ordering # matters. The "default" namespace has higher priority than the "sphal" # namespace. namespace.vndk.links = runtime,default,sphal namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so # When these NDK libs are required inside this namespace, then it is redirected # to the default namespace. This is possible since their ABI is stable across Loading @@ -249,6 +280,7 @@ namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # Allow VNDK-SP extensions to use vendor libraries namespace.vndk.link.sphal.allow_all_shared_libs = true ############################################################################### # Namespace config for vendor processes. In O, no restriction is enforced for # them. However, in O-MR1, access to /system/${LIB} will not be allowed to Loading @@ -256,7 +288,7 @@ namespace.vndk.link.sphal.allow_all_shared_libs = true # (LL-NDK only) access. ############################################################################### [vendor] additional.namespaces = system,vndk additional.namespaces = runtime,system,vndk ############################################################################### # "default" namespace Loading Loading 
@@ -287,11 +319,23 @@ namespace.default.asan.permitted.paths += /odm namespace.default.asan.permitted.paths += /data/asan/vendor namespace.default.asan.permitted.paths += /vendor namespace.default.links = system,vndk namespace.default.links = runtime,system,vndk namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES% namespace.default.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% namespace.default.link.vndk.shared_libs += %VNDK_CORE_LIBRARIES% ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # "vndk" namespace # Loading Loading @@ -323,7 +367,10 @@ namespace.vndk.asan.search.paths += /system/${LIB}/vndk%VNDK_VER% # When these NDK libs are required inside this namespace, then it is redirected # to the system namespace. This is possible since their ABI is stable across # Android releases. namespace.vndk.links = system,default namespace.vndk.links = runtime,system,default namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.vndk.link.system.shared_libs = %LLNDK_LIBRARIES% namespace.vndk.link.system.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading 
@@ -348,16 +395,36 @@ namespace.system.asan.search.paths += /%PRODUCT%/${LIB} namespace.system.asan.search.paths += /data/asan/product_services/${LIB} namespace.system.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.system.links = runtime namespace.system.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # Namespace config for binaries under /postinstall. # Only one default namespace is defined and it has no directories other than # /system/lib in the search paths. This is because linker calls realpath on the # search paths and this causes selinux denial if the paths (/vendor, /odm) are # not allowed to the poinstall binaries. There is no reason to allow the # binaries to access the paths. # Only default and runtime namespaces are defined and default has no directories # other than /system/lib in the search paths. This is because linker calls # realpath on the search paths and this causes selinux denial if the paths # (/vendor, /odm) are not allowed to the postinstall binaries. There is no # reason to allow the binaries to access the paths. ############################################################################### [postinstall] additional.namespaces = runtime namespace.default.isolated = false namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /%PRODUCT%/${LIB} namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. 
############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true rootdir/etc/ld.config.vndk_lite.txt +74 −11 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ dir.system = /data/benchmarktest64 dir.postinstall = /postinstall [system] additional.namespaces = sphal,vndk,rs additional.namespaces = runtime,sphal,vndk,rs ############################################################################### # "default" namespace Loading 
@@ -55,6 +55,27 @@ namespace.default.asan.search.paths += /%PRODUCT%/${LIB} namespace.default.asan.search.paths += /data/asan/product_services/${LIB} namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.default.link.runtime.shared_libs += libart.so:libartd.so namespace.default.link.runtime.shared_libs += libnativehelper.so namespace.default.link.runtime.shared_libs += libnativeloader.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library # when it exists. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # "sphal" namespace # Loading Loading @@ -89,8 +110,12 @@ namespace.sphal.asan.permitted.paths += /vendor/${LIB} # Once in this namespace, access to libraries in /system/lib is restricted. Only # libs listed here can be used. namespace.sphal.links = default,vndk,rs namespace.sphal.links = runtime,default,vndk,rs namespace.sphal.link.runtime.shared_libs = libc.so:libdl.so:libm.so # LLNDK_LIBRARIES includes the runtime libs above, but the order here ensures # that they are loaded from the runtime namespace. namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading 
@@ -137,7 +162,9 @@ namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB} namespace.rs.asan.permitted.paths += /vendor/${LIB} namespace.rs.asan.permitted.paths += /data namespace.rs.links = default,vndk namespace.rs.links = runtime,default,vndk namespace.rs.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading @@ -188,10 +215,14 @@ namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER # When these NDK libs are required inside this namespace, then it is redirected # to the default namespace. This is possible since their ABI is stable across # Android releases. namespace.vndk.links = default namespace.vndk.links = runtime,default namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% ############################################################################### # Namespace config for vendor processes. In O, no restriction is enforced for # them. However, in O-MR1, access to /system/${LIB} will not be allowed to Loading @@ -199,6 +230,7 @@ namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # (LL-NDK only) access. ############################################################################### [vendor] additional.namespaces = runtime namespace.default.isolated = false namespace.default.search.paths = /odm/${LIB} Loading 
@@ -208,7 +240,7 @@ namespace.default.search.paths += /vendor/${LIB} namespace.default.search.paths += /vendor/${LIB}/vndk namespace.default.search.paths += /vendor/${LIB}/vndk-sp # Access to system libraries are allowed # Access to system libraries is allowed namespace.default.search.paths += /system/${LIB}/vndk%VNDK_VER% namespace.default.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% namespace.default.search.paths += /system/${LIB} Loading Loading 
@@ -238,16 +270,47 @@ namespace.default.asan.search.paths += /%PRODUCT%/${LIB} namespace.default.asan.search.paths += /data/asan/product_services/${LIB} namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # Namespace config for binaries under /postinstall. # Only one default namespace is defined and it has no directories other than # /system/lib in the search paths. This is because linker calls realpath on the # search paths and this causes selinux denial if the paths (/vendor, /odm) are # not allowed to the poinstall binaries. There is no reason to allow the # binaries to access the paths. # Only default and runtime namespaces are defined and default has no directories # other than /system/lib in the search paths. This is because linker calls # realpath on the search paths and this causes selinux denial if the paths # (/vendor, /odm) are not allowed to the postinstall binaries. There is no # reason to allow the binaries to access the paths. 
############################################################################### [postinstall] additional.namespaces = runtime namespace.default.isolated = false namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /%PRODUCT%/${LIB} namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true Loading
rootdir/etc/ld.config.txt +83 −16 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ dir.system = /data/benchmarktest64 dir.postinstall = /postinstall [system] additional.namespaces = sphal,vndk,rs additional.namespaces = runtime,sphal,vndk,rs ############################################################################### # "default" namespace Loading Loading @@ -105,6 +105,28 @@ namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/app namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/priv-app namespace.default.asan.permitted.paths += /mnt/expand # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.default.link.runtime.shared_libs += libart.so:libartd.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so namespace.default.link.runtime.shared_libs += libnativeloader.so ############################################################################### # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library # when it exists. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # "sphal" namespace # Loading Loading 
@@ -139,8 +161,12 @@ namespace.sphal.asan.permitted.paths += /vendor/${LIB} # Once in this namespace, access to libraries in /system/lib is restricted. Only # libs listed here can be used. namespace.sphal.links = default,vndk,rs namespace.sphal.links = runtime,default,vndk,rs namespace.sphal.link.runtime.shared_libs = libc.so:libdl.so:libm.so # LLNDK_LIBRARIES includes the runtime libs above, but the order here ensures # that they are loaded from the runtime namespace. namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading @@ -187,7 +213,9 @@ namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB} namespace.rs.asan.permitted.paths += /vendor/${LIB} namespace.rs.asan.permitted.paths += /data namespace.rs.links = default,vndk namespace.rs.links = runtime,default,vndk namespace.rs.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading 
@@ -235,10 +263,13 @@ namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%/hw namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw # The "vndk" namespace links to "default" namespace for LLNDK libs and links to # "sphal" namespace for vendor libs. The ordering matters. The "default" # namespace has higher priority than the "sphal" namespace. namespace.vndk.links = default,sphal # The "vndk" namespace links to "runtime" for Bionic libs, "default" namespace # for LLNDK libs, and links to "sphal" namespace for vendor libs. The ordering # matters. The "default" namespace has higher priority than the "sphal" # namespace. namespace.vndk.links = runtime,default,sphal namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so # When these NDK libs are required inside this namespace, then it is redirected # to the default namespace. This is possible since their ABI is stable across Loading @@ -249,6 +280,7 @@ namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # Allow VNDK-SP extensions to use vendor libraries namespace.vndk.link.sphal.allow_all_shared_libs = true ############################################################################### # Namespace config for vendor processes. In O, no restriction is enforced for # them. However, in O-MR1, access to /system/${LIB} will not be allowed to Loading @@ -256,7 +288,7 @@ namespace.vndk.link.sphal.allow_all_shared_libs = true # (LL-NDK only) access. ############################################################################### [vendor] additional.namespaces = system,vndk additional.namespaces = runtime,system,vndk ############################################################################### # "default" namespace Loading Loading 
@@ -287,11 +319,23 @@ namespace.default.asan.permitted.paths += /odm namespace.default.asan.permitted.paths += /data/asan/vendor namespace.default.asan.permitted.paths += /vendor namespace.default.links = system,vndk namespace.default.links = runtime,system,vndk namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES% namespace.default.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% namespace.default.link.vndk.shared_libs += %VNDK_CORE_LIBRARIES% ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # "vndk" namespace # Loading Loading @@ -323,7 +367,10 @@ namespace.vndk.asan.search.paths += /system/${LIB}/vndk%VNDK_VER% # When these NDK libs are required inside this namespace, then it is redirected # to the system namespace. This is possible since their ABI is stable across # Android releases. namespace.vndk.links = system,default namespace.vndk.links = runtime,system,default namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.vndk.link.system.shared_libs = %LLNDK_LIBRARIES% namespace.vndk.link.system.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading 
@@ -348,16 +395,36 @@ namespace.system.asan.search.paths += /%PRODUCT%/${LIB} namespace.system.asan.search.paths += /data/asan/product_services/${LIB} namespace.system.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.system.links = runtime namespace.system.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # Namespace config for binaries under /postinstall. # Only one default namespace is defined and it has no directories other than # /system/lib in the search paths. This is because linker calls realpath on the # search paths and this causes selinux denial if the paths (/vendor, /odm) are # not allowed to the poinstall binaries. There is no reason to allow the # binaries to access the paths. # Only default and runtime namespaces are defined and default has no directories # other than /system/lib in the search paths. This is because linker calls # realpath on the search paths and this causes selinux denial if the paths # (/vendor, /odm) are not allowed to the postinstall binaries. There is no # reason to allow the binaries to access the paths. ############################################################################### [postinstall] additional.namespaces = runtime namespace.default.isolated = false namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /%PRODUCT%/${LIB} namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. 
############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true
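Review bot: `namespace.runtime.isolated = true` is undercut by `namespace.runtime.link.default.allow_all_shared_libs = true` in all three runtime blocks of this file ([system], [vendor], [postinstall]). Any soname not found under /apex/com.android.runtime/${LIB} can then be satisfied by whatever that section's "default" namespace is able to load. This is widest in [postinstall], where default is `isolated = false`, and probably also matters in [vendor], whose default namespace permits /odm and /vendor paths in the visible context. The TODO names the intended end state but not the interim exposure: I would switch to an explicit `namespace.runtime.link.default.shared_libs` list as soon as the dependency set is known, and until then add next to each TODO something like `# Until b/119867084 is fixed, any library loadable in "default" can satisfy a dependency of a Runtime APEX library.` The same applies to the three runtime blocks in ld.config.vndk_lite.txt.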
rootdir/etc/ld.config.vndk_lite.txt +74 −11 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ dir.system = /data/benchmarktest64 dir.postinstall = /postinstall [system] additional.namespaces = sphal,vndk,rs additional.namespaces = runtime,sphal,vndk,rs ############################################################################### # "default" namespace Loading @@ -55,6 +55,27 @@ namespace.default.asan.search.paths += /%PRODUCT%/${LIB} namespace.default.asan.search.paths += /data/asan/product_services/${LIB} namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.default.link.runtime.shared_libs += libart.so:libartd.so namespace.default.link.runtime.shared_libs += libnativehelper.so namespace.default.link.runtime.shared_libs += libnativeloader.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true # Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library # when it exists. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # "sphal" namespace # Loading Loading 
@@ -89,8 +110,12 @@ namespace.sphal.asan.permitted.paths += /vendor/${LIB} # Once in this namespace, access to libraries in /system/lib is restricted. Only # libs listed here can be used. namespace.sphal.links = default,vndk,rs namespace.sphal.links = runtime,default,vndk,rs namespace.sphal.link.runtime.shared_libs = libc.so:libdl.so:libm.so # LLNDK_LIBRARIES includes the runtime libs above, but the order here ensures # that they are loaded from the runtime namespace. namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading @@ -137,7 +162,9 @@ namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB} namespace.rs.asan.permitted.paths += /vendor/${LIB} namespace.rs.asan.permitted.paths += /data namespace.rs.links = default,vndk namespace.rs.links = runtime,default,vndk namespace.rs.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% Loading Loading @@ -188,10 +215,14 @@ namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER # When these NDK libs are required inside this namespace, then it is redirected # to the default namespace. This is possible since their ABI is stable across # Android releases. namespace.vndk.links = default namespace.vndk.links = runtime,default namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES% namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% ############################################################################### # Namespace config for vendor processes. In O, no restriction is enforced for # them. However, in O-MR1, access to /system/${LIB} will not be allowed to Loading 
@@ -199,6 +230,7 @@ namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # (LL-NDK only) access. ############################################################################### [vendor] additional.namespaces = runtime namespace.default.isolated = false namespace.default.search.paths = /odm/${LIB} Loading @@ -208,7 +240,7 @@ namespace.default.search.paths += /vendor/${LIB} namespace.default.search.paths += /vendor/${LIB}/vndk namespace.default.search.paths += /vendor/${LIB}/vndk-sp # Access to system libraries are allowed # Access to system libraries is allowed namespace.default.search.paths += /system/${LIB}/vndk%VNDK_VER% namespace.default.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% namespace.default.search.paths += /system/${LIB} Loading Loading 
@@ -238,16 +270,47 @@ namespace.default.asan.search.paths += /%PRODUCT%/${LIB} namespace.default.asan.search.paths += /data/asan/product_services/${LIB} namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true ############################################################################### # Namespace config for binaries under /postinstall. # Only one default namespace is defined and it has no directories other than # /system/lib in the search paths. This is because linker calls realpath on the # search paths and this causes selinux denial if the paths (/vendor, /odm) are # not allowed to the poinstall binaries. There is no reason to allow the # binaries to access the paths. # Only default and runtime namespaces are defined and default has no directories # other than /system/lib in the search paths. This is because linker calls # realpath on the search paths and this causes selinux denial if the paths # (/vendor, /odm) are not allowed to the postinstall binaries. There is no # reason to allow the binaries to access the paths. 
############################################################################### [postinstall] additional.namespaces = runtime namespace.default.isolated = false namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /%PRODUCT%/${LIB} namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB} namespace.default.links = runtime namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so ############################################################################### # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. ############################################################################### namespace.runtime.isolated = true namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default # TODO(b/119867084): Restrict to Bionic dlopen dependencies. namespace.runtime.link.default.allow_all_shared_libs = true
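Review bot: The [system] default-to-runtime link in this file omits `libnativebridge.so`, which the matching block in ld.config.txt lists, although both blocks carry the comment "Keep in sync with ld.config.txt in the com.android.runtime APEX". If the omission is unintended, processes on vndk_lite devices would resolve libnativebridge.so from default's own search paths instead of the Runtime APEX, or fail to load it if it ships only in the APEX. Either add `namespace.default.link.runtime.shared_libs += libnativebridge.so` or add a comment saying why this variant leaves it out. Separately, the new [vendor] runtime block links back to a default namespace that is `isolated = false` and searches /odm/${LIB} and /vendor/${LIB}, so this is the section where narrowing `allow_all_shared_libs = true` pays off most.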