| <html devsite> |
| <head> |
| <title>Directories, Rules, and sepolicy</title> |
| <meta name="project_path" value="/_project.yaml" /> |
| <meta name="book_path" value="/_book.yaml" /> |
| </head> |
| <body> |
| <!-- |
| Copyright 2017 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <p>This page describes the directory layout for devices running Android 8.0 and |
| higher, VNDK rules, and associated sepolicy.</p> |
| |
| <h2 id="directory">Directory layout</h2> |
| <p>The <em>Degenerated Directory Layout</em> consists of the following |
| directories:</p> |
| <ul> |
| <li><code>/system/lib[64]</code> contains all framework shared libraries, |
| including LL-NDK, VNDK, and framework-only libraries (including |
| LL-NDK-Private and some libraries with the same names as the |
| ones in VNDK-SP).</li> |
| <li><code>/system/lib[64]/vndk-sp</code> contains VNDK-SP libraries for |
| same-process HALs.</li> |
| <li><code>/vendor/lib[64]</code> contains the extended VNDK libraries (either |
| DXUA or DXUX VNDK libraries), same-process HAL implementations, and other vendor |
| shared libraries.</li> |
| <li><code>/vendor/lib[64]/vndk-sp</code> may contain extra libraries that are |
| used by VNDK-SP libraries.</li> |
| </ul> |
| |
| <p>Vendor modules load the VNDK libraries from <code>/system/lib[64]</code>.</p> |
| |
| <h2 id="rules">VNDK rules</h2> |
| <p>This section provides a comprehensive list of VNDK rules:</p> |
| |
| <ul> |
| <li>Framework processes must not load non-SP-HAL shared libraries from vendor |
| partitions (not strictly enforced in Android O but will be in a future release). |
| </li> |
| <li>Vendor processes must not load non-LL-NDK, non-VNDK-SP, and |
| non-VNDK libraries from the system partition (not strictly enforced in Android |
| O but will be in a future release). |
| <aside class="note"><strong>Note</strong>: To benefit from the framework-only |
| OTA beyond Android 8.0, this rule must not be violated in devices launched with |
| Android 8.0.</aside> |
| </li> |
| |
| <li>Installed VNDK libraries must be a subset of Google-defined eligible VNDK |
| libraries.</li> |
| <li>The outer dependencies of SP-HAL and SP-HAL-Dep must be restricted to |
| LL-NDK or Google-defined VNDK-SP libraries. |
| <ul> |
| <li>The dependencies of an SP-HAL shared library must be restricted to LL-NDK |
| libraries, Google-defined VNDK-SP libraries, other SP-HAL libraries, and/or |
| other vendor shared libraries that can be labeled as SP-HAL-Dep |
| libraries.</li> |
| <li>A vendor shared library can be labeled as an SP-HAL-Dep library only if it |
| is not an AOSP library and its dependencies are restricted to LL-NDK libraries, |
| Google-defined VNDK-SP libraries, SP-HAL libraries, and/or other SP-HAL-Dep |
| libraries.</li> |
| </ul> |
| </li> |
| <li>VNDK-SP must be self-contained. <code>libRS_internal.so</code> gets special |
| treatment in Android 8.0, but will be revisited in a future release.</li> |
| <li>Framework and vendor processes must not communicate through non-HIDL |
| interfaces, including (but not limited to) binder, sockets, shared memory, and |
| files.</li> |
| <li>The size of the system partition must be large enough to contain two copies |
| of all eligible VNDK libraries and a copy of ineligible framework shared |
| libraries.</li> |
| </ul> |
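<p>The SP-HAL and SP-HAL-Dep rule above is recursive: a vendor library can be labeled SP-HAL-Dep only if its own dependencies are also permitted. The following is an added example, not AOSP code, that checks the rule on a constructed dependency graph; the function name, the vendor library names, and the sample sets are assumptions made for illustration.</p>

```python
def classify_sp_hal_deps(deps, sp_hal, ll_ndk, vndk_sp, aosp_libs):
    """Return (sp_hal_dep, violations) for a vendor dependency graph.

    deps maps each vendor library to the set of libraries it links against.
    """
    # Greatest fixed point: assume every non-AOSP vendor library is eligible,
    # then drop any whose dependencies leave the permitted set. Starting from
    # the full set keeps mutually dependent vendor libraries eligible.
    eligible = {lib for lib in deps if lib not in sp_hal and lib not in aosp_libs}
    while True:
        allowed = ll_ndk | vndk_sp | sp_hal | eligible
        bad = {lib for lib in eligible if not deps[lib] <= allowed}
        if not bad:
            break
        eligible -= bad

    # Walk outward from the SP-HALs: eligible libraries they reach form the
    # SP-HAL-Dep set; any other edge breaks the rule.
    sp_hal_dep, violations, stack = set(), set(), sorted(sp_hal)
    while stack:
        lib = stack.pop()
        for dep in deps.get(lib, ()):
            if dep not in allowed:
                violations.add((lib, dep))
            elif dep in eligible and dep not in sp_hal_dep:
                sp_hal_dep.add(dep)
                stack.append(dep)
    return sp_hal_dep, violations


# Constructed sample data; the vendor library names are hypothetical.
LL_NDK = {"libc.so", "liblog.so"}
VNDK_SP = {"libcutils.so", "libutils.so"}
AOSP_LIBS = {"libexample_aosp.so"}
SP_HAL = {"libGLES_example.so"}
DEPS = {
    "libGLES_example.so": {"libc.so", "libcutils.so", "libgfx_a.so",
                           "libvendor_log.so", "libexample_aosp.so"},
    "libgfx_a.so": {"libc.so", "libgfx_b.so"},
    "libgfx_b.so": {"libutils.so", "libgfx_a.so"},   # cycle with libgfx_a.so
    "libvendor_log.so": {"liblog.so", "libfwk_only_example.so"},
    "libexample_aosp.so": {"libc.so"},               # vendor copy of an AOSP library
}

if __name__ == "__main__":
    dep_set, bad_edges = classify_sp_hal_deps(DEPS, SP_HAL, LL_NDK, VNDK_SP, AOSP_LIBS)
    print("SP-HAL-Dep:", sorted(dep_set))
    for lib, dep in sorted(bad_edges):
        print(f"violation: {lib} -> {dep}")
```

<p>In the sample, the two mutually dependent graphics libraries qualify as SP-HAL-Dep, while the SP-HAL's links to the logging helper (which pulls in a framework-only library) and to the vendor copy of an AOSP library are reported as violations.</p>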
| |
| <h2 id="sepolicy">sepolicy</h2> |
| <p>Framework processes described in this section correspond to |
| <code>coredomain</code> in sepolicy, while vendor processes correspond to |
| non-<code>coredomain</code>. For example, <code>/dev/binder</code> can be |
| accessed only by <code>coredomain</code> and <code>/dev/vndbinder</code> can be |
| accessed only by non-<code>coredomain</code>.</p> |
| |
| <p>Similar policies restrict access to shared libraries on the system and |
| vendor partitions. The following table shows the rights to access shared |
| libraries of different categories:</p> |
| |
| <table> |
| <tr> |
| <th style="width:35%">Category</th> |
| <th>Partition</th> |
| <th>Accessible from<br>coredomain</th> |
| <th>Accessible from<br>non-coredomain</th> |
| </tr> |
| <tr> |
| <td>LL-NDK</td> |
| <td>System</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>LL-NDK-Private</td> |
| <td>System</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>VNDK-SP/VNDK-SP-Private</td> |
| <td>System</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>VNDK-SP-Ext</td> |
| <td>Vendor</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>VNDK</td> |
| <td>System</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>VNDK-Ext</td> |
| <td>Vendor</td> |
| <td>N</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>FWK-ONLY</td> |
| <td>System</td> |
| <td>Y</td> |
| <td>N</td> |
| </tr> |
| <tr> |
| <td>FWK-ONLY-RS</td> |
| <td>System</td> |
| <td>Y</td> |
| <td>N</td> |
| </tr> |
| <tr> |
| <td>SP-HAL</td> |
| <td>Vendor</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>SP-HAL-Dep</td> |
| <td>Vendor</td> |
| <td>Y</td> |
| <td>Y</td> |
| </tr> |
| <tr> |
| <td>VND-ONLY</td> |
| <td>Vendor</td> |
| <td>N</td> |
| <td>Y</td> |
| </tr> |
| </table> |
| |
| <p>LL-NDK-Private and VNDK-SP-Private must be |
| accessible from both domains because non-<code>coredomain</code> will |
| indirectly access them. Similarly, SP-HAL-Dep must be accessible from |
| <code>coredomain</code> because SP-HAL relies on it.</p> |
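<p>The indirect-access argument above can be checked by walking a process's transitive library dependencies against the table. The following is an added example, not actual sepolicy and not AOSP code: it models the table as a Python mapping, and the library names, graph, and function name are constructed for illustration.</p>

```python
# Access rights from the table above: category -> domains allowed to load it.
CORE, NONCORE = "coredomain", "non-coredomain"
BOTH = {CORE, NONCORE}
ACCESS = {
    "LL-NDK": BOTH, "LL-NDK-Private": BOTH,
    "VNDK-SP": BOTH, "VNDK-SP-Private": BOTH, "VNDK-SP-Ext": BOTH,
    "VNDK": BOTH, "VNDK-Ext": {NONCORE},
    "FWK-ONLY": {CORE}, "FWK-ONLY-RS": {CORE},
    "SP-HAL": BOTH, "SP-HAL-Dep": BOTH, "VND-ONLY": {NONCORE},
}


def denied_loads(domain, roots, deps, category, access=ACCESS):
    """Return [(library, category)] in the transitive closure of roots that
    the given domain may not load, in discovery order."""
    denied, seen, queue = [], set(roots), list(roots)
    while queue:
        lib = queue.pop(0)
        if domain not in access[category[lib]]:
            denied.append((lib, category[lib]))
            continue  # loading fails here, so its dependencies are not followed
        for dep in sorted(deps.get(lib, ())):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return denied


# Constructed graph; all library names are hypothetical.
CATEGORY = {
    "libvendor_only.so": "VND-ONLY",
    "libvendor_hal.so": "SP-HAL",
    "libvendor_helper.so": "SP-HAL-Dep",
    "libndk_example.so": "LL-NDK",
    "libndk_private_example.so": "LL-NDK-Private",
}
GRAPH = {
    "libvendor_only.so": {"libndk_example.so"},
    "libndk_example.so": {"libndk_private_example.so"},
    "libvendor_hal.so": {"libvendor_helper.so", "libndk_example.so"},
}

if __name__ == "__main__":
    # Counterfactual table: what breaks if LL-NDK-Private were coredomain-only.
    strict = {**ACCESS, "LL-NDK-Private": {CORE}}
    print(denied_loads(NONCORE, ["libvendor_only.so"], GRAPH, CATEGORY))
    print(denied_loads(NONCORE, ["libvendor_only.so"], GRAPH, CATEGORY, strict))
```

<p>With the page's table the vendor process loads its whole dependency chain; with the counterfactual table the same load fails at the LL-NDK-Private library that the LL-NDK library pulls in.</p>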
| |
| </body> |
| </html> |