Add /system/lib to the permitted paths for ns of APEXes With b/144533348, there will be symlinks from libs in APEXes to the libs in the system partition. This is to reduce the size of APEXes when the APEX is bundled with the platform. Adding the /system/lib to the permitted paths so that the realpaths of the symlinks are allowed for the namespaces. Note that this however does not open all libs in the system partition to the APEX namespaces, because searching of the libs are NOT done in /system/lib, but in /apex/<module>/lib directory. Bug: 144533348 Bug: 147640067 Test: m Test: atest CtsJdwpTestCases Change-Id: I845277e989b952cf8db03fcaaba2df2bf93d5e96

commit: 2f544c2b7afdcb03c9fe97931424f31afe831f23 [log] [tgz]
author: Jiyong Park <jiyong@google.com> Tue Jan 14 16:41:32 2020 +0900
committer: Treehugger Robot <treehugger-gerrit@google.com> Wed Jan 22 01:41:13 2020 +0000
tree: 57840eaf8d0bd3ab7bf77b8478d3bacace6052b2
parent: abafbe759a354dd6c6d81d4aba3f0aec9aca3d5b [diff]
diff --git a/build/apex/ld.config.txt b/build/apex/ld.config.txt
index 86c3137..b2eefcf 100644
--- a/build/apex/ld.config.txt
+++ b/build/apex/ld.config.txt

@@ -42,6 +42,11 @@
 # dalvikvm has to be able to dlopen the files for CTS.
 namespace.art.permitted.paths += /system/framework
 namespace.art.permitted.paths += /apex/com.android.art/javalib
+# TODO(b/144533348): to allow symlinks pointing the libs under /system/lib
+# Note that this however does not open all libs in the system partition to
+# the APEX namespaces, because searching of the libs are NOT done in
+# /system/lib, but in /apex/<module>/lib directory.
+namespace.art.permitted.paths += /system/${LIB}
 namespace.art.links = platform,neuralnetworks
 # Need allow_all_shared_libs because libart.so can dlopen oat files in
 # /system/framework and /data.
@@ -113,6 +118,11 @@
 
 namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB}
 namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB}
+# TODO(b/144533348): to allow symlinks pointing the libs under /system/lib
+# Note that this however does not open all libs in the system partition to
+# the APEX namespaces, because searching of the libs are NOT done in
+# /system/lib, but in /apex/<module>/lib directory.
+namespace.conscrypt.permitted.paths = /system/${LIB}
 namespace.conscrypt.links = art,platform
 namespace.conscrypt.link.art.shared_libs = libandroidio.so
 namespace.conscrypt.link.platform.shared_libs  = libc.so
@@ -130,6 +140,11 @@
 
 namespace.neuralnetworks.search.paths = /apex/com.android.neuralnetworks/${LIB}
 namespace.neuralnetworks.asan.search.paths = /apex/com.android.neuralnetworks/${LIB}
+# TODO(b/144533348): to allow symlinks pointing the libs under /system/lib
+# Note that this however does not open all libs in the system partition to
+# the APEX namespaces, because searching of the libs are NOT done in
+# /system/lib, but in /apex/<module>/lib directory.
+namespace.neuralnetworks.permitted.paths = /system/${LIB}
 namespace.neuralnetworks.links = platform
 namespace.neuralnetworks.link.platform.shared_libs  = libc.so
 namespace.neuralnetworks.link.platform.shared_libs += libcgrouprc.so
commit	2f544c2b7afdcb03c9fe97931424f31afe831f23	[log] [tgz]
author	Jiyong Park <jiyong@google.com>	Tue Jan 14 16:41:32 2020 +0900
committer	Treehugger Robot <treehugger-gerrit@google.com>	Wed Jan 22 01:41:13 2020 +0000
tree	57840eaf8d0bd3ab7bf77b8478d3bacace6052b2
parent	abafbe759a354dd6c6d81d4aba3f0aec9aca3d5b [diff]