Reland "Prevent vendors from accessing private VNDK libs"

LOCAL_MODULE_STEM := $(LOCAL_MODULE)

include $(BUILD_SYSTEM)/base_rules.mk

llndk_libraries := $(subst $(space),:,$(addsuffix .so,$(LLNDK_LIBRARIES)))

llndk_libraries := $(subst $(space),:,$(addsuffix .so,\

$(filter-out $(VNDK_PRIVATE_LIBRARIES),$(LLNDK_LIBRARIES))))

vndk_sameprocess_libraries := $(subst $(space),:,$(addsuffix .so,$(VNDK_SAMEPROCESS_LIBRARIES)))

private_llndk_libraries := $(subst $(space),:,$(addsuffix .so,\

$(filter $(VNDK_PRIVATE_LIBRARIES),$(LLNDK_LIBRARIES))))

vndk_core_libraries := $(subst $(space),:,$(addsuffix .so,$(VNDK_CORE_LIBRARIES)))

vndk_sameprocess_libraries := $(subst $(space),:,$(addsuffix .so,\

$(filter-out $(VNDK_PRIVATE_LIBRARIES),$(VNDK_SAMEPROCESS_LIBRARIES))))

vndk_core_libraries := $(subst $(space),:,$(addsuffix .so,\

$(filter-out $(VNDK_PRIVATE_LIBRARIES),$(VNDK_CORE_LIBRARIES))))

sanitizer_runtime_libraries := $(subst $(space),:,$(addsuffix .so,\

$(ADDRESS_SANITIZER_RUNTIME_LIBRARY) \

$(2ND_TSAN_RUNTIME_LIBRARY)))

$(LOCAL_BUILT_MODULE): PRIVATE_LLNDK_LIBRARIES := $(llndk_libraries)

$(LOCAL_BUILT_MODULE): PRIVATE_PRIVATE_LLNDK_LIBRARIES := $(private_llndk_libraries)

$(LOCAL_BUILT_MODULE): PRIVATE_VNDK_SAMEPROCESS_LIBRARIES := $(vndk_sameprocess_libraries)

$(LOCAL_BUILT_MODULE): PRIVATE_LLNDK_PRIVATE_LIBRARIES := $(llndk_private_libraries)

$(LOCAL_BUILT_MODULE): PRIVATE_VNDK_CORE_LIBRARIES := $(vndk_core_libraries)

	@echo "Generate: $< -> $@"

	@mkdir -p $(dir $@)

	$(hide) sed -e 's?%LLNDK_LIBRARIES%?$(PRIVATE_LLNDK_LIBRARIES)?g' $< >$@

	$(hide) sed -i -e 's?%PRIVATE_LLNDK_LIBRARIES%?$(PRIVATE_PRIVATE_LLNDK_LIBRARIES)?g' $@

	$(hide) sed -i -e 's?%VNDK_SAMEPROCESS_LIBRARIES%?$(PRIVATE_VNDK_SAMEPROCESS_LIBRARIES)?g' $@

	$(hide) sed -i -e 's?%VNDK_CORE_LIBRARIES%?$(PRIVATE_VNDK_CORE_LIBRARIES)?g' $@

	$(hide) sed -i -e 's?%SANITIZER_RUNTIME_LIBRARIES%?$(PRIVATE_SANITIZER_RUNTIME_LIBRARIES)?g' $@

namespace.rs.links = default,vndk

namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES%:%SANITIZER_RUNTIME_LIBRARIES%

# Private LLNDK libs (e.g. libft2.so) are exceptionally allowed to this

# namespace because RS framework libs are using them.

namespace.rs.link.default.shared_libs += %PRIVATE_LLNDK_LIBRARIES%

namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES%

###############################################################################

###############################################################################

# "default" namespace

#

# Vendor-side code runs in this namespace.

# This is the default linker namespace for a vendor process (a process started

# from /vendor/bin/*). The main executable and the libs under /vendor/lib[64]

# are loaded directly into this namespace. However, other libs under the system

# partition (VNDK and LLNDK libraries) are not loaded here but from the

# separate namespace 'system'. The delegation to the system namespace is done

# via the 'namespace.default.link.system.shared_libs' property below.

###############################################################################

namespace.default.isolated = true

namespace.default.visible = true

namespace.default.search.paths = /vendor/${LIB}/hw:/vendor/${LIB}/egl:/vendor/${LIB}:/vendor/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}

namespace.default.permitted.paths = /vendor:/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}

namespace.default.search.paths = /vendor/${LIB}/hw:/vendor/${LIB}/egl:/vendor/${LIB}:/vendor/${LIB}/vndk${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}

namespace.default.permitted.paths = /vendor

namespace.default.asan.search.paths = /data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl:/data/asan/vendor/${LIB}:/vendor/${LIB}:/data/asan/vendor/${LIB}/vndk${VNDK_VER}:/vendor/${LIB}/vndk${VNDK_VER}:/data/asan/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}

namespace.default.asan.permitted.paths = /data/asan/vendor:/vendor:/data/asan/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}

namespace.default.asan.search.paths = /data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl:/data/asan/vendor/${LIB}:/vendor/${LIB}:/data/asan/vendor/${LIB}/vndk${VNDK_VER}:/vendor/${LIB}/vndk${VNDK_VER}:/data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:namespace.default.asan.permitted.paths = /data/asan/vendor:/vendor

namespace.default.links = system

namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES%

namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES%:%VNDK_SAMEPROCESS_LIBRARIES%:%VNDK_CORE_LIBRARIES%

###############################################################################

# "system" namespace

#

# This is for vendor process to use LL-NDK in system partition.

# This namespace is where system libs (VNDK and LLNDK libs) are loaded for

# a vendor process.

###############################################################################

namespace.system.isolated = false

namespace.system.search.paths = /system/${LIB}

namespace.system.permitted.paths = /system/${LIB}

namespace.system.search.paths = /system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}

namespace.system.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB}

namespace.system.asan.permitted.paths = /data/asan/system/${LIB}:/system/${LIB}

namespace.system.asan.search.paths = /data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/data/asan/system/${LIB}:/system/${LIB}