Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 955029aa authored by Jiyong Park's avatar Jiyong Park
Browse files

/postinstall/* does not search for a lib in /vendor or /odm 

There has been no section in the linker config file for the binaries
under /postinstall. As a result, the binaries were run with the legacy
default config where /vendor/lib and /odm/lib are added to the search
paths. This is causing selinux denials as the binaries for OTA are not
allowed to access /vendor/lib or /odm/lib, but the dynamic linker calls
realpath(3) on the paths to canonicalize them.

Fixing the issue by letting /postinstall/* binaries to run with a
dedicated linker namespace config, where /vendor/lib and /odm/lib are
not added to the search paths. Not having the paths is okay because
he OTA binaries should not have dependency to the libs there.

Bug: 75287236
Test: do the OTA, selinux denials on postinstall_file is not shown
Test: above test should pass on  wahoo, marlin and pre-treble devices
Merged-In: I49c11a0929002adfef667890c0a375c2b41054f4
Change-Id: I49c11a0929002adfef667890c0a375c2b41054f4
(cherry picked from commit d7e6cb27)
parent 8dca85f0

rootdir/etc/ld.config.legacy.txt

+15 −0
Original line number Diff line number Diff line
@@ -10,6 +10,9 @@ dir.legacy = /vendor 
dir.legacy = /odm

dir.legacy = /sbin



# Except for /postinstall, where only /system is searched

dir.postinstall = /postinstall



[legacy]

namespace.default.isolated = false
@@ -23,3 +26,15 @@ namespace.default.asan.search.paths += /data/asan/odm/${LIB} 
namespace.default.asan.search.paths +=           /odm/${LIB}

namespace.default.asan.search.paths += /data/asan/vendor/${LIB}

namespace.default.asan.search.paths +=           /vendor/${LIB}



###############################################################################

# Namespace config for binaries under /postinstall.

# Only one default namespace is defined and it has no directories other than

# /system/lib in the search paths. This is because linker calls realpath on the

# search paths and this causes selinux denial if the paths (/vendor, /odm) are

# not allowed to the poinstall binaries. There is no reason to allow the

# binaries to access the paths.

###############################################################################

[postinstall]

namespace.default.isolated = false

namespace.default.search.paths = /system/${LIB}

rootdir/etc/ld.config.txt

+14 −0
Original line number Diff line number Diff line
@@ -24,6 +24,8 @@ dir.system = /data/nativetest64 
dir.system = /data/benchmarktest

dir.system = /data/benchmarktest64



dir.postinstall = /postinstall



[system]

additional.namespaces = sphal,vndk,rs
@@ -315,3 +317,15 @@ namespace.system.search.paths = /system/${LIB} 


namespace.system.asan.search.paths  = /data/asan/system/${LIB}

namespace.system.asan.search.paths +=           /system/${LIB}



###############################################################################

# Namespace config for binaries under /postinstall.

# Only one default namespace is defined and it has no directories other than

# /system/lib in the search paths. This is because linker calls realpath on the

# search paths and this causes selinux denial if the paths (/vendor, /odm) are

# not allowed to the poinstall binaries. There is no reason to allow the

# binaries to access the paths.

###############################################################################

[postinstall]

namespace.default.isolated = false

namespace.default.search.paths = /system/${LIB}

rootdir/etc/ld.config.vndk_lite.txt

+14 −0
Original line number Diff line number Diff line
@@ -24,6 +24,8 @@ dir.system = /data/nativetest64 
dir.system = /data/benchmarktest

dir.system = /data/benchmarktest64



dir.postinstall = /postinstall



[system]

additional.namespaces = sphal,vndk,rs
@@ -222,3 +224,15 @@ namespace.default.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER 
namespace.default.asan.search.paths +=           /system/${LIB}/vndk-sp%VNDK_VER%

namespace.default.asan.search.paths += /data/asan/system/${LIB}

namespace.default.asan.search.paths +=           /system/${LIB}



###############################################################################

# Namespace config for binaries under /postinstall.

# Only one default namespace is defined and it has no directories other than

# /system/lib in the search paths. This is because linker calls realpath on the

# search paths and this causes selinux denial if the paths (/vendor, /odm) are

# not allowed to the poinstall binaries. There is no reason to allow the

# binaries to access the paths.

###############################################################################

[postinstall]

namespace.default.isolated = false

namespace.default.search.paths = /system/${LIB}