Revert "Linker namespace configuration for the Runtime APEX."

dir.postinstall = /postinstall

[system]

additional.namespaces = runtime,sphal,vndk,rs

additional.namespaces = sphal,vndk,rs

###############################################################################

# "default" namespace

namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/priv-app

namespace.default.asan.permitted.paths += /mnt/expand

# Keep in sync with ld.config.txt in the com.android.runtime APEX.

namespace.default.links = runtime

namespace.default.link.runtime.shared_libs  = libc.so:libdl.so:libm.so

namespace.default.link.runtime.shared_libs += libart.so:libartd.so

namespace.default.link.runtime.shared_libs += libnativebridge.so

namespace.default.link.runtime.shared_libs += libnativehelper.so

namespace.default.link.runtime.shared_libs += libnativeloader.so

###############################################################################

# "runtime" APEX namespace

#

# This namespace exposes externally accessible libraries from the Runtime APEX.

###############################################################################

namespace.runtime.isolated = true

# Keep in sync with ld.config.txt in the com.android.runtime APEX.

namespace.runtime.search.paths = /apex/com.android.runtime/${LIB}

namespace.runtime.links = default

# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library

# when it exists.

namespace.runtime.link.default.allow_all_shared_libs = true

###############################################################################

# "sphal" namespace

#

# Once in this namespace, access to libraries in /system/lib is restricted. Only

# libs listed here can be used.

namespace.sphal.links = runtime,default,vndk,rs

namespace.sphal.links = default,vndk,rs

namespace.sphal.link.runtime.shared_libs = libc.so:libdl.so:libm.so

# LLNDK_LIBRARIES includes the runtime libs above, but the order here ensures

# that they are loaded from the runtime namespace.

namespace.sphal.link.default.shared_libs  = %LLNDK_LIBRARIES%

namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

namespace.rs.asan.permitted.paths +=           /vendor/${LIB}

namespace.rs.asan.permitted.paths += /data

namespace.rs.links = runtime,default,vndk

namespace.rs.link.runtime.shared_libs = libc.so:libdl.so:libm.so

namespace.rs.links = default,vndk

namespace.rs.link.default.shared_libs  =  %LLNDK_LIBRARIES%

namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%/hw

namespace.vndk.asan.permitted.paths +=           /system/${LIB}/vndk-sp%VNDK_VER%/hw

# The "vndk" namespace links to "runtime" for Bionic libs, "default" namespace

# for LLNDK libs, and links to "sphal" namespace for vendor libs. The ordering

# matters. The "default" namespace has higher priority than the "sphal"

# namespace.

namespace.vndk.links = runtime,default,sphal

namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so

# The "vndk" namespace links to "default" namespace for LLNDK libs and links to

# "sphal" namespace for vendor libs.  The ordering matters.  The "default"

# namespace has higher priority than the "sphal" namespace.

namespace.vndk.links = default,sphal

# When these NDK libs are required inside this namespace, then it is redirected

# to the default namespace. This is possible since their ABI is stable across

# Allow VNDK-SP extensions to use vendor libraries

namespace.vndk.link.sphal.allow_all_shared_libs = true

###############################################################################

# Namespace config for vendor processes. In O, no restriction is enforced for

# them. However, in O-MR1, access to /system/${LIB} will not be allowed to

# (LL-NDK only) access.

###############################################################################

[vendor]

additional.namespaces = runtime,system,vndk

additional.namespaces = system,vndk

###############################################################################

# "default" namespace

namespace.default.asan.permitted.paths += /data/asan/vendor

namespace.default.asan.permitted.paths +=           /vendor

namespace.default.links = runtime,system,vndk

namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so

namespace.default.links = system,vndk

namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES%

namespace.default.link.vndk.shared_libs  = %VNDK_SAMEPROCESS_LIBRARIES%

namespace.default.link.vndk.shared_libs += %VNDK_CORE_LIBRARIES%

###############################################################################

# "runtime" APEX namespace

#

# This namespace pulls in externally accessible libs from the Runtime APEX.

###############################################################################

namespace.runtime.isolated = true

namespace.runtime.search.paths = /apex/com.android.runtime/${LIB}

namespace.runtime.links = default

# TODO(b/119867084): Restrict to Bionic dlopen dependencies.

namespace.runtime.link.default.allow_all_shared_libs = true

###############################################################################

# "vndk" namespace

#

# When these NDK libs are required inside this namespace, then it is redirected

# to the system namespace. This is possible since their ABI is stable across

# Android releases.

namespace.vndk.links = runtime,system,default

namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so

namespace.vndk.links = system,default

namespace.vndk.link.system.shared_libs  = %LLNDK_LIBRARIES%

namespace.vndk.link.system.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

namespace.system.asan.search.paths += /data/asan/product_services/${LIB}

namespace.system.asan.search.paths +=           /%PRODUCT_SERVICES%/${LIB}

namespace.system.links = runtime

namespace.system.link.runtime.shared_libs = libc.so:libdl.so:libm.so

###############################################################################

# Namespace config for binaries under /postinstall.

# Only default and runtime namespaces are defined and default has no directories

# other than /system/lib in the search paths. This is because linker calls

# realpath on the search paths and this causes selinux denial if the paths

# (/vendor, /odm) are not allowed to the postinstall binaries. There is no

# reason to allow the binaries to access the paths.

# Only one default namespace is defined and it has no directories other than

# /system/lib in the search paths. This is because linker calls realpath on the

# search paths and this causes selinux denial if the paths (/vendor, /odm) are

# not allowed to the poinstall binaries. There is no reason to allow the

# binaries to access the paths.

###############################################################################

[postinstall]

additional.namespaces = runtime

namespace.default.isolated = false

namespace.default.search.paths  = /system/${LIB}

namespace.default.search.paths += /%PRODUCT%/${LIB}

namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB}

namespace.default.links = runtime

namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so

###############################################################################

# "runtime" APEX namespace

#

# This namespace pulls in externally accessible libs from the Runtime APEX.

###############################################################################

namespace.runtime.isolated = true

namespace.runtime.search.paths = /apex/com.android.runtime/${LIB}

namespace.runtime.links = default

# TODO(b/119867084): Restrict to Bionic dlopen dependencies.

namespace.runtime.link.default.allow_all_shared_libs = true

dir.postinstall = /postinstall

[system]

additional.namespaces = runtime,sphal,vndk,rs

additional.namespaces = sphal,vndk,rs

###############################################################################

# "default" namespace

namespace.default.asan.search.paths += /data/asan/product_services/${LIB}

namespace.default.asan.search.paths +=           /%PRODUCT_SERVICES%/${LIB}

# Keep in sync with ld.config.txt in the com.android.runtime APEX.

namespace.default.links = runtime

namespace.default.link.runtime.shared_libs  = libc.so:libdl.so:libm.so

namespace.default.link.runtime.shared_libs += libart.so:libartd.so

namespace.default.link.runtime.shared_libs += libnativehelper.so

namespace.default.link.runtime.shared_libs += libnativeloader.so

###############################################################################

# "runtime" APEX namespace

#

# This namespace pulls in externally accessible libs from the Runtime APEX.

###############################################################################

namespace.runtime.isolated = true

# Keep in sync with ld.config.txt in the com.android.runtime APEX.

namespace.runtime.search.paths = /apex/com.android.runtime/${LIB}

namespace.runtime.links = default

# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library

# when it exists.

namespace.runtime.link.default.allow_all_shared_libs = true

###############################################################################

# "sphal" namespace

#

# Once in this namespace, access to libraries in /system/lib is restricted. Only

# libs listed here can be used.

namespace.sphal.links = runtime,default,vndk,rs

namespace.sphal.links = default,vndk,rs

namespace.sphal.link.runtime.shared_libs = libc.so:libdl.so:libm.so

# LLNDK_LIBRARIES includes the runtime libs above, but the order here ensures

# that they are loaded from the runtime namespace.

namespace.sphal.link.default.shared_libs  = %LLNDK_LIBRARIES%

namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

namespace.rs.asan.permitted.paths +=           /vendor/${LIB}

namespace.rs.asan.permitted.paths += /data

namespace.rs.links = runtime,default,vndk

namespace.rs.link.runtime.shared_libs = libc.so:libdl.so:libm.so

namespace.rs.links = default,vndk

namespace.rs.link.default.shared_libs  =  %LLNDK_LIBRARIES%

namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

# When these NDK libs are required inside this namespace, then it is redirected

# to the default namespace. This is possible since their ABI is stable across

# Android releases.

namespace.vndk.links = runtime,default

namespace.vndk.link.runtime.shared_libs = libc.so:libdl.so:libm.so

namespace.vndk.links = default

namespace.vndk.link.default.shared_libs  = %LLNDK_LIBRARIES%

namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

###############################################################################

# Namespace config for vendor processes. In O, no restriction is enforced for

# them. However, in O-MR1, access to /system/${LIB} will not be allowed to

# (LL-NDK only) access.

###############################################################################

[vendor]

additional.namespaces = runtime

namespace.default.isolated = false

namespace.default.search.paths  = /odm/${LIB}

namespace.default.search.paths += /vendor/${LIB}/vndk

namespace.default.search.paths += /vendor/${LIB}/vndk-sp

# Access to system libraries is allowed

# Access to system libraries are allowed

namespace.default.search.paths += /system/${LIB}/vndk%VNDK_VER%

namespace.default.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%

namespace.default.search.paths += /system/${LIB}

namespace.default.asan.search.paths += /data/asan/product_services/${LIB}

namespace.default.asan.search.paths +=           /%PRODUCT_SERVICES%/${LIB}

namespace.default.links = runtime

namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so

###############################################################################

# "runtime" APEX namespace

#

# This namespace pulls in externally accessible libs from the Runtime APEX.

###############################################################################

namespace.runtime.isolated = true

namespace.runtime.search.paths = /apex/com.android.runtime/${LIB}

namespace.runtime.links = default

# TODO(b/119867084): Restrict to Bionic dlopen dependencies.

namespace.runtime.link.default.allow_all_shared_libs = true

###############################################################################

# Namespace config for binaries under /postinstall.

# Only default and runtime namespaces are defined and default has no directories

# other than /system/lib in the search paths. This is because linker calls

# realpath on the search paths and this causes selinux denial if the paths

# (/vendor, /odm) are not allowed to the postinstall binaries. There is no

# reason to allow the binaries to access the paths.

# Only one default namespace is defined and it has no directories other than

# /system/lib in the search paths. This is because linker calls realpath on the

# search paths and this causes selinux denial if the paths (/vendor, /odm) are

# not allowed to the poinstall binaries. There is no reason to allow the

# binaries to access the paths.

###############################################################################

[postinstall]

additional.namespaces = runtime

namespace.default.isolated = false

namespace.default.search.paths  = /system/${LIB}

namespace.default.search.paths += /%PRODUCT%/${LIB}

namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB}

namespace.default.links = runtime

namespace.default.link.runtime.shared_libs = libc.so:libdl.so:libm.so

###############################################################################

# "runtime" APEX namespace

#

# This namespace pulls in externally accessible libs from the Runtime APEX.

###############################################################################

namespace.runtime.isolated = true

namespace.runtime.search.paths = /apex/com.android.runtime/${LIB}

namespace.runtime.links = default

# TODO(b/119867084): Restrict to Bionic dlopen dependencies.

namespace.runtime.link.default.allow_all_shared_libs = true