Merge "adb: disable checksum on new versions"
diff --git a/fs_mgr/Android.bp b/fs_mgr/Android.bp
index ed165ed..f23150d 100644
--- a/fs_mgr/Android.bp
+++ b/fs_mgr/Android.bp
@@ -25,6 +25,9 @@
"-Werror",
"-Wno-unused-variable",
],
+ cppflags: [
+ "-std=gnu++1z",
+ ],
}
cc_library_static {
diff --git a/fs_mgr/fs_mgr_fstab.cpp b/fs_mgr/fs_mgr_fstab.cpp
index 2c18a6d..34afed1 100644
--- a/fs_mgr/fs_mgr_fstab.cpp
+++ b/fs_mgr/fs_mgr_fstab.cpp
@@ -23,6 +23,10 @@
#include <sys/mount.h>
#include <unistd.h>
+#include <algorithm>
+#include <utility>
+#include <vector>
+
#include <android-base/file.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
@@ -397,16 +401,17 @@
}
static std::string read_fstab_from_dt() {
- std::string fstab;
if (!is_dt_compatible() || !is_dt_fstab_compatible()) {
- return fstab;
+ return {};
}
std::string fstabdir_name = get_android_dt_dir() + "/fstab";
std::unique_ptr<DIR, int (*)(DIR*)> fstabdir(opendir(fstabdir_name.c_str()), closedir);
- if (!fstabdir) return fstab;
+ if (!fstabdir) return {};
dirent* dp;
+ // Each element in fstab_dt_entries is <mount point, the line format in fstab file>.
+ std::vector<std::pair<std::string, std::string>> fstab_dt_entries;
while ((dp = readdir(fstabdir.get())) != NULL) {
// skip over name, compatible and .
if (dp->d_type != DT_DIR || dp->d_name[0] == '.') continue;
@@ -427,41 +432,54 @@
file_name = android::base::StringPrintf("%s/%s/dev", fstabdir_name.c_str(), dp->d_name);
if (!read_dt_file(file_name, &value)) {
LERROR << "dt_fstab: Failed to find device for partition " << dp->d_name;
- fstab.clear();
- break;
+ return {};
}
fstab_entry.push_back(value);
- fstab_entry.push_back(android::base::StringPrintf("/%s", dp->d_name));
+
+ std::string mount_point;
+ file_name =
+ android::base::StringPrintf("%s/%s/mnt_point", fstabdir_name.c_str(), dp->d_name);
+ if (read_dt_file(file_name, &value)) {
+ LINFO << "dt_fstab: Using a specified mount point " << value << " for " << dp->d_name;
+ mount_point = value;
+ } else {
+ mount_point = android::base::StringPrintf("/%s", dp->d_name);
+ }
+ fstab_entry.push_back(mount_point);
file_name = android::base::StringPrintf("%s/%s/type", fstabdir_name.c_str(), dp->d_name);
if (!read_dt_file(file_name, &value)) {
LERROR << "dt_fstab: Failed to find type for partition " << dp->d_name;
- fstab.clear();
- break;
+ return {};
}
fstab_entry.push_back(value);
file_name = android::base::StringPrintf("%s/%s/mnt_flags", fstabdir_name.c_str(), dp->d_name);
if (!read_dt_file(file_name, &value)) {
LERROR << "dt_fstab: Failed to find type for partition " << dp->d_name;
- fstab.clear();
- break;
+ return {};
}
fstab_entry.push_back(value);
file_name = android::base::StringPrintf("%s/%s/fsmgr_flags", fstabdir_name.c_str(), dp->d_name);
if (!read_dt_file(file_name, &value)) {
LERROR << "dt_fstab: Failed to find type for partition " << dp->d_name;
- fstab.clear();
- break;
+ return {};
}
fstab_entry.push_back(value);
-
- fstab += android::base::Join(fstab_entry, " ");
- fstab += '\n';
+ // Adds a fstab_entry to fstab_dt_entries, to be sorted by mount_point later.
+ fstab_dt_entries.emplace_back(mount_point, android::base::Join(fstab_entry, " "));
}
- return fstab;
+ // Sort fstab_dt entries, to ensure /vendor is mounted before /vendor/abc is attempted.
+ std::sort(fstab_dt_entries.begin(), fstab_dt_entries.end(),
+ [](const auto& a, const auto& b) { return a.first < b.first; });
+
+ std::string fstab_result;
+ for (const auto& [_, dt_entry] : fstab_dt_entries) {
+ fstab_result += dt_entry + "\n";
+ }
+ return fstab_result;
}
bool is_dt_compatible() {
diff --git a/init/Android.bp b/init/Android.bp
index 2fea359..0ec348c 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -95,8 +95,6 @@
"libprocessgroup",
"libfs_mgr",
"libprotobuf-cpp-lite",
- "libpropertyinfoserializer",
- "libpropertyinfoparser",
],
include_dirs: [
"system/core/mkbootimg",
@@ -195,7 +193,6 @@
"libselinux",
"libcrypto",
"libprotobuf-cpp-lite",
- "libpropertyinfoparser",
],
}
diff --git a/init/Android.mk b/init/Android.mk
index 5239366..516f1b3 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -84,8 +84,6 @@
libavb \
libkeyutils \
libprotobuf-cpp-lite \
- libpropertyinfoserializer \
- libpropertyinfoparser \
LOCAL_REQUIRED_MODULES := \
e2fsdroid \
diff --git a/init/property_service.cpp b/init/property_service.cpp
index 4b6c502..3cf3ab9 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -50,27 +50,17 @@
#include <android-base/strings.h>
#include <bootimg.h>
#include <fs_mgr.h>
-#include <property_info_parser/property_info_parser.h>
-#include <property_info_serializer/property_info_serializer.h>
#include <selinux/android.h>
#include <selinux/label.h>
#include <selinux/selinux.h>
#include "init.h"
#include "persistent_properties.h"
-#include "space_tokenizer.h"
#include "util.h"
-using android::base::ReadFileToString;
-using android::base::Split;
using android::base::StartsWith;
using android::base::StringPrintf;
using android::base::Timer;
-using android::base::Trim;
-using android::base::WriteStringToFile;
-using android::properties::BuildTrie;
-using android::properties::PropertyInfoAreaFile;
-using android::properties::PropertyInfoEntry;
#define RECOVERY_MOUNT_POINT "/recovery"
@@ -81,29 +71,27 @@
static int property_set_fd = -1;
-static PropertyInfoAreaFile property_info_area;
-
-void CreateSerializedPropertyInfo();
+static struct selabel_handle* sehandle_prop;
void property_init() {
- mkdir("/dev/__properties__", S_IRWXU | S_IXGRP | S_IXOTH);
- CreateSerializedPropertyInfo();
if (__system_property_area_init()) {
LOG(FATAL) << "Failed to initialize property area";
}
- if (!property_info_area.LoadDefaultPath()) {
- LOG(FATAL) << "Failed to load serialized property info file";
- }
}
+
static bool check_mac_perms(const std::string& name, char* sctx, struct ucred* cr) {
+
if (!sctx) {
return false;
}
- const char* target_context = nullptr;
- property_info_area->GetPropertyInfo(name.c_str(), &target_context, nullptr);
- if (target_context == nullptr) {
- return false;
+ if (!sehandle_prop) {
+ return false;
+ }
+
+ char* tctx = nullptr;
+ if (selabel_lookup(sehandle_prop, &tctx, name.c_str(), 1) != 0) {
+ return false;
}
property_audit_data audit_data;
@@ -111,9 +99,9 @@
audit_data.name = name.c_str();
audit_data.cr = cr;
- bool has_access =
- (selinux_check_access(sctx, target_context, "property_service", "set", &audit_data) == 0);
+ bool has_access = (selinux_check_access(sctx, tctx, "property_service", "set", &audit_data) == 0);
+ freecon(tctx);
return has_access;
}
@@ -445,7 +433,7 @@
std::string cmdline_path = StringPrintf("proc/%d/cmdline", cr.pid);
std::string process_cmdline;
std::string process_log_string;
- if (ReadFileToString(cmdline_path, &process_cmdline)) {
+ if (android::base::ReadFileToString(cmdline_path, &process_cmdline)) {
// Since cmdline is null deliminated, .c_str() conveniently gives us just the process path.
process_log_string = StringPrintf(" (%s)", process_cmdline.c_str());
}
@@ -726,80 +714,9 @@
return 0;
}
-Result<PropertyInfoEntry> ParsePropertyInfoLine(const std::string& line) {
- auto tokenizer = SpaceTokenizer(line);
-
- auto property = tokenizer.GetNext();
- if (property.empty()) return Error() << "Did not find a property entry in '" << line << "'";
-
- auto context = tokenizer.GetNext();
- if (context.empty()) return Error() << "Did not find a context entry in '" << line << "'";
-
- // It is not an error to not find these, as older files will not contain them.
- auto exact_match = tokenizer.GetNext();
- auto schema = tokenizer.GetRemaining();
-
- return {property, context, schema, exact_match == "exact"};
-}
-
-bool LoadPropertyInfoFromFile(const std::string& filename,
- std::vector<PropertyInfoEntry>* property_infos) {
- auto file_contents = std::string();
- if (!ReadFileToString(filename, &file_contents)) {
- PLOG(ERROR) << "Could not read properties from '" << filename << "'";
- return false;
- }
-
- for (const auto& line : Split(file_contents, "\n")) {
- auto trimmed_line = Trim(line);
- if (trimmed_line.empty() || StartsWith(trimmed_line, "#")) {
- continue;
- }
-
- auto property_info = ParsePropertyInfoLine(line);
- if (!property_info) {
- LOG(ERROR) << "Could not read line from '" << filename << "': " << property_info.error();
- continue;
- }
-
- property_infos->emplace_back(*property_info);
- }
- return true;
-}
-
-void CreateSerializedPropertyInfo() {
- auto property_infos = std::vector<PropertyInfoEntry>();
- if (access("/system/etc/selinux/plat_property_contexts", R_OK) != -1) {
- if (!LoadPropertyInfoFromFile("/system/etc/selinux/plat_property_contexts",
- &property_infos)) {
- return;
- }
- // Don't check for failure here, so we always have a sane list of properties.
- // E.g. In case of recovery, the vendor partition will not have mounted and we
- // still need the system / platform properties to function.
- LoadPropertyInfoFromFile("/vendor/etc/selinux/nonplat_property_contexts", &property_infos);
- } else {
- if (!LoadPropertyInfoFromFile("/plat_property_contexts", &property_infos)) {
- return;
- }
- LoadPropertyInfoFromFile("/nonplat_property_contexts", &property_infos);
- }
- auto serialized_contexts = std::string();
- auto error = std::string();
- if (!BuildTrie(property_infos, "u:object_r:default_prop:s0", "\\s*", &serialized_contexts,
- &error)) {
- LOG(ERROR) << "Unable to serialize property contexts: " << error;
- return;
- }
-
- constexpr static const char kPropertyInfosPath[] = "/dev/__properties__/property_info";
- if (!WriteStringToFile(serialized_contexts, kPropertyInfosPath, 0444, 0, 0, false)) {
- PLOG(ERROR) << "Unable to write serialized property infos to file";
- }
- selinux_android_restorecon(kPropertyInfosPath, 0);
-}
-
void start_property_service() {
+ sehandle_prop = selinux_android_prop_context_handle();
+
selinux_callback cb;
cb.func_audit = SelinuxAuditCallback;
selinux_set_callback(SELINUX_CB_AUDIT, cb);
diff --git a/init/space_tokenizer.h b/init/space_tokenizer.h
deleted file mode 100644
index e7e22c5..0000000
--- a/init/space_tokenizer.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _INIT_SPACE_TOKENIZER_H
-#define _INIT_SPACE_TOKENIZER_H
-
-namespace android {
-namespace init {
-
-class SpaceTokenizer {
- public:
- SpaceTokenizer(const std::string& string)
- : string_(string), it_(string_.begin()), end_(string_.end()) {}
-
- std::string GetNext() {
- auto next = std::string();
- while (it_ != end_ && !isspace(*it_)) {
- next.push_back(*it_++);
- }
- while (it_ != end_ && isspace(*it_)) {
- it_++;
- }
- return next;
- }
-
- std::string GetRemaining() { return std::string(it_, end_); }
-
- private:
- std::string string_;
- std::string::const_iterator it_;
- std::string::const_iterator end_;
-};
-
-} // namespace init
-} // namespace android
-
-#endif
diff --git a/libziparchive/zip_archive_benchmark.cpp b/libziparchive/zip_archive_benchmark.cpp
index cd3e164..46aa5a6 100644
--- a/libziparchive/zip_archive_benchmark.cpp
+++ b/libziparchive/zip_archive_benchmark.cpp
@@ -84,4 +84,4 @@
}
BENCHMARK(Iterate_all_files);
-BENCHMARK_MAIN()
+BENCHMARK_MAIN();
diff --git a/property_service/libpropertyinfoparser/include/property_info_parser/property_info_parser.h b/property_service/libpropertyinfoparser/include/property_info_parser/property_info_parser.h
index c2114cc..8c3507e 100644
--- a/property_service/libpropertyinfoparser/include/property_info_parser/property_info_parser.h
+++ b/property_service/libpropertyinfoparser/include/property_info_parser/property_info_parser.h
@@ -172,6 +172,9 @@
TrieNode root_node() const { return trie(header()->root_offset); }
private:
+ void CheckPrefixMatch(const char* remaining_name, const TrieNode& trie_node,
+ uint32_t* context_index, uint32_t* schema_index) const;
+
const PropertyInfoAreaHeader* header() const {
return reinterpret_cast<const PropertyInfoAreaHeader*>(data_base());
}
diff --git a/property_service/libpropertyinfoparser/property_info_parser.cpp b/property_service/libpropertyinfoparser/property_info_parser.cpp
index 84f8c29..e53c625 100644
--- a/property_service/libpropertyinfoparser/property_info_parser.cpp
+++ b/property_service/libpropertyinfoparser/property_info_parser.cpp
@@ -21,6 +21,7 @@
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <unistd.h>
namespace android {
namespace properties {
@@ -87,6 +88,21 @@
return true;
}
+void PropertyInfoArea::CheckPrefixMatch(const char* remaining_name, const TrieNode& trie_node,
+ uint32_t* context_index, uint32_t* schema_index) const {
+ const uint32_t remaining_name_size = strlen(remaining_name);
+ for (uint32_t i = 0; i < trie_node.num_prefixes(); ++i) {
+ auto prefix_len = trie_node.prefix(i)->namelen;
+ if (prefix_len > remaining_name_size) continue;
+
+ if (!strncmp(c_string(trie_node.prefix(i)->name_offset), remaining_name, prefix_len)) {
+ *context_index = trie_node.prefix(i)->context_index;
+ *schema_index = trie_node.prefix(i)->schema_index;
+ return;
+ }
+ }
+}
+
void PropertyInfoArea::GetPropertyInfoIndexes(const char* name, uint32_t* context_index,
uint32_t* schema_index) const {
uint32_t return_context_index = ~0u;
@@ -104,6 +120,10 @@
return_schema_index = trie_node.schema_index();
}
+ // Check prefixes at this node. This comes after the node check since these prefixes are by
+ // definition longer than the node itself.
+ CheckPrefixMatch(remaining_name, trie_node, &return_context_index, &return_schema_index);
+
if (sep == nullptr) {
break;
}
@@ -128,18 +148,8 @@
}
}
// Check prefix matches for prefixes not deliminated with '.'
- const uint32_t remaining_name_size = strlen(remaining_name);
- for (uint32_t i = 0; i < trie_node.num_prefixes(); ++i) {
- auto prefix_len = trie_node.prefix(i)->namelen;
- if (prefix_len > remaining_name_size) continue;
-
- if (!strncmp(c_string(trie_node.prefix(i)->name_offset), remaining_name, prefix_len)) {
- if (context_index != nullptr) *context_index = trie_node.prefix(i)->context_index;
- if (schema_index != nullptr) *schema_index = trie_node.prefix(i)->schema_index;
- return;
- }
- }
- // Return previously found '.' deliminated prefix match.
+ CheckPrefixMatch(remaining_name, trie_node, &return_context_index, &return_schema_index);
+ // Return previously found prefix match.
if (context_index != nullptr) *context_index = return_context_index;
if (schema_index != nullptr) *schema_index = return_schema_index;
return;
diff --git a/property_service/libpropertyinfoserializer/property_info_serializer_test.cpp b/property_service/libpropertyinfoserializer/property_info_serializer_test.cpp
index 5fa3463..b3fae26 100644
--- a/property_service/libpropertyinfoserializer/property_info_serializer_test.cpp
+++ b/property_service/libpropertyinfoserializer/property_info_serializer_test.cpp
@@ -763,5 +763,86 @@
}
}
+TEST(propertyinfoserializer, GetPropertyInfo_prefix_without_dot) {
+ auto property_info = std::vector<PropertyInfoEntry>{
+ {"persist.radio", "1st", "1st", false},
+ {"persist.radio.something.else.here", "2nd", "2nd", false},
+ };
+
+ auto serialized_trie = std::string();
+ auto build_trie_error = std::string();
+ ASSERT_TRUE(BuildTrie(property_info, "default", "default", &serialized_trie, &build_trie_error))
+ << build_trie_error;
+
+ auto property_info_area = reinterpret_cast<const PropertyInfoArea*>(serialized_trie.data());
+
+ const char* context;
+ const char* schema;
+ property_info_area->GetPropertyInfo("persist.radio", &context, &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+ property_info_area->GetPropertyInfo("persist.radio.subproperty", &context, &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+ property_info_area->GetPropertyInfo("persist.radiowords", &context, &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+ property_info_area->GetPropertyInfo("persist.radio.long.long.long.sub.property", &context,
+ &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+ property_info_area->GetPropertyInfo("persist.radio.something.else.here", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radio.something.else.here2", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radio.something.else.here.after", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radio.something.else.nothere", &context, &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+ property_info_area->GetPropertyInfo("persist.radio.something.else", &context, &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+}
+
+TEST(propertyinfoserializer, GetPropertyInfo_prefix_with_dot_vs_without) {
+ auto property_info = std::vector<PropertyInfoEntry>{
+ {"persist.", "1st", "1st", false},
+ {"persist.radio", "2nd", "2nd", false},
+ {"persist.radio.long.property.exact.match", "3rd", "3rd", true},
+ };
+
+ auto serialized_trie = std::string();
+ auto build_trie_error = std::string();
+ ASSERT_TRUE(BuildTrie(property_info, "default", "default", &serialized_trie, &build_trie_error))
+ << build_trie_error;
+
+ auto property_info_area = reinterpret_cast<const PropertyInfoArea*>(serialized_trie.data());
+
+ const char* context;
+ const char* schema;
+ property_info_area->GetPropertyInfo("persist.notradio", &context, &schema);
+ EXPECT_STREQ("1st", context);
+ EXPECT_STREQ("1st", schema);
+ property_info_area->GetPropertyInfo("persist.radio", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radio.subproperty", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radiowords", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radio.long.property.prefix.match", &context, &schema);
+ EXPECT_STREQ("2nd", context);
+ EXPECT_STREQ("2nd", schema);
+ property_info_area->GetPropertyInfo("persist.radio.long.property.exact.match", &context, &schema);
+ EXPECT_STREQ("3rd", context);
+ EXPECT_STREQ("3rd", schema);
+}
+
} // namespace properties
} // namespace android
diff --git a/rootdir/etc/ld.config.legacy.txt b/rootdir/etc/ld.config.legacy.txt
index 4d058db..d55ec57 100644
--- a/rootdir/etc/ld.config.legacy.txt
+++ b/rootdir/etc/ld.config.legacy.txt
@@ -12,5 +12,14 @@
[legacy]
namespace.default.isolated = false
-namespace.default.search.paths = /system/${LIB}:/vendor/${LIB}:/odm/${LIB}
-namespace.default.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB}:/data/asan/odm/${LIB}:/odm/${LIB}:/data/asan/vendor/${LIB}:/vendor/${LIB}
+
+namespace.default.search.paths = /system/${LIB}
+namespace.default.search.paths += /vendor/${LIB}
+namespace.default.search.paths += /odm/${LIB}
+
+namespace.default.asan.search.paths = /data/asan/system/${LIB}
+namespace.default.asan.search.paths += /system/${LIB}
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}
+namespace.default.asan.search.paths += /odm/${LIB}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.default.asan.search.paths += /vendor/${LIB}
diff --git a/rootdir/etc/ld.config.txt b/rootdir/etc/ld.config.txt
index 3183b80..60afdd7 100644
--- a/rootdir/etc/ld.config.txt
+++ b/rootdir/etc/ld.config.txt
@@ -3,9 +3,11 @@
# Bionic loader config file.
#
-# Don't change the order here.
+# Don't change the order here. The first pattern that matches with the
+# absolute path of an executable is selected.
dir.system = /system/bin/
dir.system = /system/xbin/
+
dir.vendor = /odm/bin/
dir.vendor = /vendor/bin/
dir.vendor = /data/nativetest/odm
@@ -16,6 +18,7 @@
dir.vendor = /data/nativetest64/vendor
dir.vendor = /data/benchmarktest/vendor
dir.vendor = /data/benchmarktest64/vendor
+
dir.system = /data/nativetest
dir.system = /data/nativetest64
dir.system = /data/benchmarktest
@@ -27,25 +30,21 @@
###############################################################################
# "default" namespace
#
-# Framework-side code runs in this namespace. Anything from /vendor partition
-# can't be loaded in this namespace.
+# Framework-side code runs in this namespace. However, libs from other
+# partitions are also allowed temporarily.
###############################################################################
namespace.default.isolated = false
-namespace.default.search.paths = /system/${LIB}:/odm/${LIB}:/vendor/${LIB}
-namespace.default.permitted.paths = /system/${LIB}:/odm/${LIB}:/vendor/${LIB}
-namespace.default.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB}:/data/asan/vendor/${LIB}:/vendor/${LIB}
-namespace.default.asan.permitted.paths = /data/asan/system/${LIB}:/system/${LIB}:/data/asan/vendor/${LIB}:/vendor/${LIB}
+namespace.default.search.paths = /system/${LIB}
+namespace.default.search.paths += /odm/${LIB}
+namespace.default.search.paths += /vendor/${LIB}
-# TODO(b/37013858): remove all dependencies to /vendor/lib from system processes
-# When this is done, comment out following three lines and remove the three
-# lines above
-#namespace.default.isolated = true
-#namespace.default.search.paths = /system/${LIB}
-#namespace.default.permitted.paths = /system/${LIB}
-#
-#namespace.default.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB}
-#namespace.default.asan.permitted.paths = /data/asan/system/${LIB}:/system/${LIB}
+namespace.default.asan.search.paths = /data/asan/system/${LIB}
+namespace.default.asan.search.paths += /system/${LIB}
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}
+namespace.default.asan.search.paths += /odm/${LIB}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.default.asan.search.paths += /vendor/${LIB}
###############################################################################
# "sphal" namespace
@@ -62,21 +61,56 @@
###############################################################################
namespace.sphal.isolated = true
namespace.sphal.visible = true
-namespace.sphal.search.paths = /vendor/${LIB}/egl:/vendor/${LIB}/hw:/vendor/${LIB}
-namespace.sphal.permitted.paths = /vendor/${LIB}:/system/${LIB}/vndk-sp${VNDK_VER}/hw
-namespace.sphal.asan.search.paths = /data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl:/data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}:/vendor/${LIB}
-namespace.sphal.asan.permitted.paths = /data/asan/vendor/${LIB}:/vendor/${LIB}
+namespace.sphal.search.paths = /odm/${LIB}
+namespace.sphal.search.paths += /vendor/${LIB}
+
+namespace.sphal.permitted.paths = /odm/${LIB}
+namespace.sphal.permitted.paths += /vendor/${LIB}
+
+namespace.sphal.asan.search.paths = /data/asan/odm/${LIB}
+namespace.sphal.asan.search.paths += /odm/${LIB}
+namespace.sphal.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.sphal.asan.search.paths += /vendor/${LIB}
+
+namespace.sphal.asan.permitted.paths = /data/asan/odm/${LIB}
+namespace.sphal.asan.permitted.paths += /odm/${LIB}
+namespace.sphal.asan.permitted.paths += /data/asan/vendor/${LIB}
+namespace.sphal.asan.permitted.paths += /vendor/${LIB}
# Once in this namespace, access to libraries in /system/lib is restricted. Only
# libs listed here can be used.
namespace.sphal.links = default,vndk,rs
# WARNING: only NDK libs can be listed here.
-namespace.sphal.link.default.shared_libs = libc.so:libm.so:libdl.so:libstdc++.so:liblog.so:libnativewindow.so:libEGL.so:libsync.so:libGLESv1_CM.so:libGLESv2.so:libvndksupport.so:libz.so
+namespace.sphal.link.default.shared_libs = libc.so
+namespace.sphal.link.default.shared_libs += libEGL.so
+namespace.sphal.link.default.shared_libs += libGLESv1_CM.so
+namespace.sphal.link.default.shared_libs += libGLESv2.so
+namespace.sphal.link.default.shared_libs += libdl.so
+namespace.sphal.link.default.shared_libs += liblog.so
+namespace.sphal.link.default.shared_libs += libm.so
+namespace.sphal.link.default.shared_libs += libnativewindow.so
+namespace.sphal.link.default.shared_libs += libstdc++.so
+namespace.sphal.link.default.shared_libs += libsync.so
+namespace.sphal.link.default.shared_libs += libvndksupport.so
+namespace.sphal.link.default.shared_libs += libz.so
# WARNING: only VNDK-SP libs can be listed here. DO NOT EDIT this line.
-namespace.sphal.link.vndk.shared_libs = android.hardware.renderscript@1.0.so:android.hardware.graphics.allocator@2.0.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.common@1.0.so:android.hidl.memory@1.0.so:libhwbinder.so:libbase.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libhidltransport.so:libion.so:libutils.so:libc++.so
+namespace.sphal.link.vndk.shared_libs = android.hardware.renderscript@1.0.so
+namespace.sphal.link.vndk.shared_libs += android.hardware.graphics.common@1.0.so
+namespace.sphal.link.vndk.shared_libs += android.hardware.graphics.mapper@2.0.so
+namespace.sphal.link.vndk.shared_libs += android.hidl.memory@1.0.so
+namespace.sphal.link.vndk.shared_libs += libbase.so
+namespace.sphal.link.vndk.shared_libs += libc++.so
+namespace.sphal.link.vndk.shared_libs += libcutils.so
+namespace.sphal.link.vndk.shared_libs += libhardware.so
+namespace.sphal.link.vndk.shared_libs += libhidlbase.so
+namespace.sphal.link.vndk.shared_libs += libhidlmemory.so
+namespace.sphal.link.vndk.shared_libs += libhidltransport.so
+namespace.sphal.link.vndk.shared_libs += libhwbinder.so
+namespace.sphal.link.vndk.shared_libs += libion.so
+namespace.sphal.link.vndk.shared_libs += libutils.so
# Renderscript gets separate namespace
namespace.sphal.link.rs.shared_libs = libRS_internal.so
@@ -91,15 +125,68 @@
###############################################################################
namespace.rs.isolated = true
namespace.rs.visible = true
-namespace.rs.search.paths = /vendor/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}
-namespace.rs.permitted.paths = /vendor/${LIB}:/data
-namespace.rs.asan.search.paths = /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/data/asan/vendor/${LIB}:/vendor/${LIB}
-namespace.rs.asan.permitted.paths = /data/asan/vendor/${LIB}:/vendor/${LIB}:/data
+namespace.rs.search.paths = /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.search.paths += /odm/${LIB}
+namespace.rs.search.paths += /vendor/${LIB}
+
+namespace.rs.permitted.paths = /odm/${LIB}
+namespace.rs.permitted.paths += /vendor/${LIB}
+namespace.rs.permitted.paths += /data
+
+namespace.rs.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /data/asan/system/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /data/asan/odm/${LIB}
+namespace.rs.asan.search.paths += /odm/${LIB}
+namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.rs.asan.search.paths += /vendor/${LIB}
+
+namespace.rs.asan.permitted.paths = /data/asan/odm/${LIB}
+namespace.rs.asan.permitted.paths += /odm/${LIB}
+namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB}
+namespace.rs.asan.permitted.paths += /vendor/${LIB}
+namespace.rs.asan.permitted.paths += /data
namespace.rs.links = default,vndk
-namespace.rs.link.default.shared_libs = libc.so:libm.so:libdl.so:libstdc++.so:liblog.so:libnativewindow.so:libEGL.so:libsync.so:libGLESv1_CM.so:libGLESv2.so:libmediandk.so:libvndksupport.so:libz.so:libft2.so
-namespace.rs.link.vndk.shared_libs = android.hardware.renderscript@1.0.so:android.hardware.graphics.allocator@2.0.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.common@1.0.so:android.hidl.memory@1.0.so:libhwbinder.so:libbase.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libhidltransport.so:libion.so:libutils.so:libc++.so
+
+namespace.rs.link.default.shared_libs = libc.so
+namespace.rs.link.default.shared_libs += libEGL.so
+namespace.rs.link.default.shared_libs += libGLESv1_CM.so
+namespace.rs.link.default.shared_libs += libGLESv2.so
+namespace.rs.link.default.shared_libs += libdl.so
+namespace.rs.link.default.shared_libs += liblog.so
+namespace.rs.link.default.shared_libs += libm.so
+namespace.rs.link.default.shared_libs += libnativewindow.so
+namespace.rs.link.default.shared_libs += libstdc++.so
+namespace.rs.link.default.shared_libs += libsync.so
+namespace.rs.link.default.shared_libs += libvndksupport.so
+namespace.rs.link.default.shared_libs += libz.so
+# These two libs are private LLNDK libs but are exceptionally visible
+# in this 'rs' namespace because RenderScript framework libraries
+# which are loaded into this namespace are using them.
+namespace.rs.link.default.shared_libs += libft2.so
+namespace.rs.link.default.shared_libs += libmediandk.so
+
+namespace.rs.link.vndk.shared_libs = android.hardware.renderscript@1.0.so
+namespace.rs.link.vndk.shared_libs += android.hardware.graphics.common@1.0.so
+namespace.rs.link.vndk.shared_libs += android.hardware.graphics.mapper@2.0.so
+namespace.rs.link.vndk.shared_libs += android.hidl.memory@1.0.so
+namespace.rs.link.vndk.shared_libs += libbase.so
+namespace.rs.link.vndk.shared_libs += libc++.so
+namespace.rs.link.vndk.shared_libs += libcutils.so
+namespace.rs.link.vndk.shared_libs += libhardware.so
+namespace.rs.link.vndk.shared_libs += libhidlbase.so
+namespace.rs.link.vndk.shared_libs += libhidlmemory.so
+namespace.rs.link.vndk.shared_libs += libhidltransport.so
+namespace.rs.link.vndk.shared_libs += libhwbinder.so
+namespace.rs.link.vndk.shared_libs += libion.so
+namespace.rs.link.vndk.shared_libs += libutils.so
###############################################################################
# "vndk" namespace
@@ -108,17 +195,47 @@
###############################################################################
namespace.vndk.isolated = true
namespace.vndk.visible = true
-namespace.vndk.search.paths = /vendor/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}
-namespace.vndk.permitted.paths = /vendor/${LIB}/hw:/vendor/${LIB}/egl
-namespace.vndk.asan.search.paths = /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}
-namespace.vndk.asan.permitted.paths = /data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl
+namespace.vndk.search.paths = /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+
+namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
# When these NDK libs are required inside this namespace, then it is redirected
# to the default namespace. This is possible since their ABI is stable across
# Android releases.
namespace.vndk.links = default
-namespace.vndk.link.default.shared_libs = android.hidl.memory@1.0-impl.so:libc.so:libm.so:libdl.so:libstdc++.so:liblog.so:libnativewindow.so:libEGL.so:libsync.so:libvndksupport.so:libz.so
+namespace.vndk.link.default.shared_libs = android.hidl.memory@1.0-impl.so
+namespace.vndk.link.default.shared_libs += libEGL.so
+namespace.vndk.link.default.shared_libs += libc.so
+namespace.vndk.link.default.shared_libs += libdl.so
+namespace.vndk.link.default.shared_libs += liblog.so
+namespace.vndk.link.default.shared_libs += libm.so
+namespace.vndk.link.default.shared_libs += libnativewindow.so
+namespace.vndk.link.default.shared_libs += libstdc++.so
+namespace.vndk.link.default.shared_libs += libsync.so
+namespace.vndk.link.default.shared_libs += libvndksupport.so
+namespace.vndk.link.default.shared_libs += libz.so
###############################################################################
# Namespace config for vendor processes. In O, no restriction is enforced for
@@ -128,6 +245,45 @@
###############################################################################
[vendor]
namespace.default.isolated = false
-namespace.default.search.paths = /odm/${LIB}/hw:/odm/${LIB}/egl:/odm/${LIB}:/vendor/${LIB}/hw:/vendor/${LIB}/egl:/vendor/${LIB}:/system/${LIB}/vndk${VNDK_VER}:/odm/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}
-namespace.default.asan.search.paths = /data/asan/odm/${LIB}/hw:/odm/${LIB}/hw:/data/asan/odm/${LIB}/egl:/odm/${LIB}/egl:/data/asan/odm/${LIB}:/odm/${LIB}:/data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl:/data/asan/vendor/${LIB}:/vendor/${LIB}:/data/asan/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/data/asan/odm/${LIB}/vndk-sp${VNDK_VER}:/odm/${LIB}/vndk-sp${VNDK_VER}:/data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}:/system/${LIB}
+namespace.default.search.paths = /odm/${LIB}
+namespace.default.search.paths += /odm/${LIB}/vndk${VNDK_VER}
+namespace.default.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.search.paths += /vendor/${LIB}
+namespace.default.search.paths += /vendor/${LIB}/vndk${VNDK_VER}
+namespace.default.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+
+# Access to system libraries are allowed
+namespace.default.search.paths += /system/${LIB}/vndk${VNDK_VER}
+namespace.default.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.search.paths += /system/${LIB}
+
+# TODO(b/70551668) Remove /vendor/${LIB}/hw from search paths.
+# Shared libraries in the directory should be dlopened with full file paths.
+# This is a workaround for some legacy prebuilt binaries.
+namespace.default.search.paths += /vendor/${LIB}/hw
+
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}
+namespace.default.asan.search.paths += /odm/${LIB}
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /odm/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.default.asan.search.paths += /vendor/${LIB}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /vendor/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/system/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /system/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/system/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/system/${LIB}
+namespace.default.asan.search.paths += /system/${LIB}
+
+# TODO(b/70551668) Remove /vendor/${LIB}/hw from search paths.
+# Shared libraries in the directory should be dlopened with full file paths.
+# This is a workaround for some legacy prebuilt binaries.
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/hw
+namespace.default.asan.search.paths += /vendor/${LIB}/hw
diff --git a/rootdir/etc/ld.config.txt.in b/rootdir/etc/ld.config.txt.in
index 7055393..0e43de7 100644
--- a/rootdir/etc/ld.config.txt.in
+++ b/rootdir/etc/ld.config.txt.in
@@ -7,11 +7,18 @@
# absolute path of an executable is selected.
dir.system = /system/bin/
dir.system = /system/xbin/
+
+dir.vendor = /odm/bin/
dir.vendor = /vendor/bin/
+dir.vendor = /data/nativetest/odm
+dir.vendor = /data/nativetest64/odm
+dir.vendor = /data/benchmarktest/odm
+dir.vendor = /data/benchmarktest64/odm
dir.vendor = /data/nativetest/vendor
dir.vendor = /data/nativetest64/vendor
dir.vendor = /data/benchmarktest/vendor
dir.vendor = /data/benchmarktest64/vendor
+
dir.system = /data/nativetest
dir.system = /data/nativetest64
dir.system = /data/benchmarktest
@@ -27,13 +34,45 @@
# can't be loaded in this namespace.
###############################################################################
namespace.default.isolated = true
-namespace.default.search.paths = /system/${LIB}
-# /vendor/app, /vendor/framework were added since libart should be able to dlopen
-# the odex files from the directory.
-namespace.default.permitted.paths = /system/${LIB}/drm:/system/${LIB}/extractors:/system/${LIB}/hw:/system/framework:/system/app:/system/priv-app:/vendor/app:/vendor/priv-app:/vendor/framework:/oem/app:/data:/mnt/expand
-namespace.default.asan.search.paths = /data/asan/system/${LIB}:/system/${LIB}
-namespace.default.asan.permitted.paths = /data:/system/${LIB}/drm:/system/${LIB}/extractors:/system/${LIB}/hw:/system/framework:/system/app:/system/priv-app:/vendor/app:/vendor/priv-app:/vendor/framework:/oem/app:/mnt/expand
+namespace.default.search.paths = /system/${LIB}
+
+# We can't have entire /system/${LIB} as permitted paths because doing so
+# makes it possible to load libs in /system/${LIB}/vndk* directories by
+# their absolute paths (e.g. dlopen("/system/lib/vndk/libbase.so");).
+# VNDK libs are built with previous versions of Android and thus must not be
+# loaded into this namespace where libs built with the current version of
+# Android are loaded. Mixing the two types of libs in the same namespace can
+# cause unexpected problem.
+namespace.default.permitted.paths = /system/${LIB}/drm
+namespace.default.permitted.paths += /system/${LIB}/extractors
+namespace.default.permitted.paths += /system/${LIB}/hw
+# These are where odex files are located. libart has to be able to dlopen the files
+namespace.default.permitted.paths += /system/framework
+namespace.default.permitted.paths += /system/app
+namespace.default.permitted.paths += /system/priv-app
+namespace.default.permitted.paths += /vendor/framework
+namespace.default.permitted.paths += /vendor/app
+namespace.default.permitted.paths += /vendor/priv-app
+namespace.default.permitted.paths += /oem/app
+namespace.default.permitted.paths += /data
+namespace.default.permitted.paths += /mnt/expand
+
+namespace.default.asan.search.paths = /data/asan/system/${LIB}
+namespace.default.asan.search.paths += /system/${LIB}
+
+namespace.default.asan.permitted.paths = /data
+namespace.default.asan.permitted.paths += /system/${LIB}/drm
+namespace.default.asan.permitted.paths += /system/${LIB}/extractors
+namespace.default.asan.permitted.paths += /system/${LIB}/hw
+namespace.default.asan.permitted.paths += /system/framework
+namespace.default.asan.permitted.paths += /system/app
+namespace.default.asan.permitted.paths += /system/priv-app
+namespace.default.asan.permitted.paths += /vendor/framework
+namespace.default.asan.permitted.paths += /vendor/app
+namespace.default.asan.permitted.paths += /vendor/priv-app
+namespace.default.asan.permitted.paths += /oem/app
+namespace.default.asan.permitted.paths += /mnt/expand
###############################################################################
# "sphal" namespace
@@ -50,20 +89,30 @@
###############################################################################
namespace.sphal.isolated = true
namespace.sphal.visible = true
-namespace.sphal.search.paths = /vendor/${LIB}/egl:/vendor/${LIB}/hw:/vendor/${LIB}
-namespace.sphal.permitted.paths = /vendor/${LIB}:/system/${LIB}/vndk-sp${VNDK_VER}/hw
-namespace.sphal.asan.search.paths = /data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl:/data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}:/vendor/${LIB}
-namespace.sphal.asan.permitted.paths = /data/asan/vendor/${LIB}:/vendor/${LIB}
+namespace.sphal.search.paths = /odm/${LIB}
+namespace.sphal.search.paths += /vendor/${LIB}
+
+namespace.sphal.permitted.paths = /odm/${LIB}
+namespace.sphal.permitted.paths += /vendor/${LIB}
+
+namespace.sphal.asan.search.paths = /data/asan/odm/${LIB}
+namespace.sphal.asan.search.paths += /odm/${LIB}
+namespace.sphal.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.sphal.asan.search.paths += /vendor/${LIB}
+
+namespace.sphal.asan.permitted.paths = /data/asan/odm/${LIB}
+namespace.sphal.asan.permitted.paths += /odm/${LIB}
+namespace.sphal.asan.permitted.paths += /data/asan/vendor/${LIB}
+namespace.sphal.asan.permitted.paths += /vendor/${LIB}
# Once in this namespace, access to libraries in /system/lib is restricted. Only
# libs listed here can be used.
namespace.sphal.links = default,vndk,rs
-# WARNING: only NDK libs can be listed here.
-namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES%:%SANITIZER_RUNTIME_LIBRARIES%
+namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES%
+namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%
-# WARNING: only VNDK-SP libs can be listed here. DO NOT EDIT this line.
namespace.sphal.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES%
# Renderscript gets separate namespace
@@ -79,17 +128,42 @@
###############################################################################
namespace.rs.isolated = true
namespace.rs.visible = true
-namespace.rs.search.paths = /vendor/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}
-namespace.rs.permitted.paths = /vendor/${LIB}:/data
-namespace.rs.asan.search.paths = /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/data/asan/vendor/${LIB}:/vendor/${LIB}
-namespace.rs.asan.permitted.paths = /data/asan/vendor/${LIB}:/vendor/${LIB}:/data
+namespace.rs.search.paths = /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.search.paths += /odm/${LIB}
+namespace.rs.search.paths += /vendor/${LIB}
+
+namespace.rs.permitted.paths = /odm/${LIB}
+namespace.rs.permitted.paths += /vendor/${LIB}
+namespace.rs.permitted.paths += /data
+
+namespace.rs.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /data/asan/system/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.rs.asan.search.paths += /data/asan/odm/${LIB}
+namespace.rs.asan.search.paths += /odm/${LIB}
+namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.rs.asan.search.paths += /vendor/${LIB}
+
+namespace.rs.asan.permitted.paths = /data/asan/odm/${LIB}
+namespace.rs.asan.permitted.paths += /odm/${LIB}
+namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB}
+namespace.rs.asan.permitted.paths += /vendor/${LIB}
+namespace.rs.asan.permitted.paths += /data
namespace.rs.links = default,vndk
-namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES%:%SANITIZER_RUNTIME_LIBRARIES%
+
+namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES%
+namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%
# Private LLNDK libs (e.g. libft2.so) are exceptionally allowed to this
# namespace because RS framework libs are using them.
namespace.rs.link.default.shared_libs += %PRIVATE_LLNDK_LIBRARIES%
+
namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES%
###############################################################################
@@ -99,17 +173,43 @@
###############################################################################
namespace.vndk.isolated = true
namespace.vndk.visible = true
-namespace.vndk.search.paths = /vendor/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}
-namespace.vndk.permitted.paths = /vendor/${LIB}/hw:/vendor/${LIB}/egl
-namespace.vndk.asan.search.paths = /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}
-namespace.vndk.asan.permitted.paths = /data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl
+namespace.vndk.search.paths = /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+# This is exceptionally required since android.hidl.memory@1.0-impl.so is here
+namespace.vndk.permitted.paths += /system/${LIB}/vndk-sp${VNDK_VER}/hw
+
+namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp${VNDK_VER}
+namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+
+namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp${VNDK_VER}/hw
+namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp${VNDK_VER}/hw
# When these NDK libs are required inside this namespace, then it is redirected
# to the default namespace. This is possible since their ABI is stable across
# Android releases.
namespace.vndk.links = default
-namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES%:%SANITIZER_RUNTIME_LIBRARIES%
+namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES%
+namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%
###############################################################################
# Namespace config for vendor processes. In O, no restriction is enforced for
@@ -133,14 +233,45 @@
namespace.default.isolated = true
namespace.default.visible = true
-namespace.default.search.paths = /vendor/${LIB}/hw:/vendor/${LIB}/egl:/vendor/${LIB}:/vendor/${LIB}/vndk${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}
-namespace.default.permitted.paths = /vendor
+namespace.default.search.paths = /odm/${LIB}
+namespace.default.search.paths += /odm/${LIB}/vndk${VNDK_VER}
+namespace.default.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.search.paths += /vendor/${LIB}
+namespace.default.search.paths += /vendor/${LIB}/vndk${VNDK_VER}
+namespace.default.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
-namespace.default.asan.search.paths = /data/asan/vendor/${LIB}/hw:/vendor/${LIB}/hw:/data/asan/vendor/${LIB}/egl:/vendor/${LIB}/egl:/data/asan/vendor/${LIB}:/vendor/${LIB}:/data/asan/vendor/${LIB}/vndk${VNDK_VER}:/vendor/${LIB}/vndk${VNDK_VER}:/data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}:/vendor/${LIB}/vndk-sp${VNDK_VER}
-namespace.default.asan.permitted.paths = /data/asan/vendor:/vendor
+# TODO(b/70551668) remove this
+namespace.default.search.paths += /vendor/${LIB}/hw
+
+namespace.default.permitted.paths = /odm
+namespace.default.permitted.paths += /vendor
+
+namespace.default.asan.search.paths = /data/asan/odm/${LIB}
+namespace.default.asan.search.paths += /odm/${LIB}
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /odm/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /odm/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
+namespace.default.asan.search.paths += /vendor/${LIB}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /vendor/${LIB}/vndk${VNDK_VER}
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp${VNDK_VER}
+namespace.default.asan.search.paths += /vendor/${LIB}/vndk-sp${VNDK_VER}
+
+# TODO(b/70551668) remove this
+namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/hw
+namespace.default.asan.search.paths += /vendor/${LIB}/hw
+
+namespace.default.asan.permitted.paths = /data/asan/odm
+namespace.default.asan.permitted.paths += /odm
+namespace.default.asan.permitted.paths += /data/asan/vendor
+namespace.default.asan.permitted.paths += /vendor
namespace.default.links = system
-namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES%:%VNDK_SAMEPROCESS_LIBRARIES%:%VNDK_CORE_LIBRARIES%
+namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES%
+namespace.default.link.system.shared_libs += %VNDK_SAMEPROCESS_LIBRARIES%
+namespace.default.link.system.shared_libs += %VNDK_CORE_LIBRARIES%
###############################################################################
# "system" namespace
@@ -149,6 +280,14 @@
# a vendor process.
###############################################################################
namespace.system.isolated = false
-namespace.system.search.paths = /system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}
-namespace.system.asan.search.paths = /data/asan/system/${LIB}/vndk-sp${VNDK_VER}:/system/${LIB}/vndk-sp${VNDK_VER}:/data/asan/system/${LIB}/vndk${VNDK_VER}:/system/${LIB}/vndk${VNDK_VER}:/data/asan/system/${LIB}:/system/${LIB}
+namespace.system.search.paths = /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.system.search.paths += /system/${LIB}/vndk${VNDK_VER}
+namespace.system.search.paths += /system/${LIB}
+
+namespace.system.asan.search.paths = /data/asan/system/${LIB}/vndk-sp${VNDK_VER}
+namespace.system.asan.search.paths += /system/${LIB}/vndk-sp${VNDK_VER}
+namespace.system.asan.search.paths += /data/asan/system/${LIB}/vndk${VNDK_VER}
+namespace.system.asan.search.paths += /system/${LIB}/vndk${VNDK_VER}
+namespace.system.asan.search.paths += /data/asan/system/${LIB}
+namespace.system.asan.search.paths += /system/${LIB}