/postinstall/* does not search for a lib in /vendor or /odm

There has been no section in the linker config file for the binaries
under /postinstall. As a result, the binaries were run with the legacy
default config where /vendor/lib and /odm/lib are added to the search
paths. This is causing selinux denials as the binaries for OTA are not
allowed to access /vendor/lib or /odm/lib, but the dynamic linker calls
realpath(3) on the paths to canonicalize them.

Fix the issue by letting /postinstall/* binaries run with a
dedicated linker namespace config, where /vendor/lib and /odm/lib are
not added to the search paths. Not having the paths is okay because
the OTA binaries should not have a dependency on the libs there.

Bug: 75287236
Test: do the OTA, selinux denials on postinstall_file is not shown
Test: above test should pass on  wahoo, marlin and pre-treble devices
Change-Id: I49c11a0929002adfef667890c0a375c2b41054f4
diff --git a/rootdir/etc/ld.config.legacy.txt b/rootdir/etc/ld.config.legacy.txt
index d55ec57..ca6aafe 100644
--- a/rootdir/etc/ld.config.legacy.txt
+++ b/rootdir/etc/ld.config.legacy.txt
@@ -10,6 +10,9 @@
 dir.legacy = /odm
 dir.legacy = /sbin
 
+# Except for /postinstall, where only /system is searched
+dir.postinstall = /postinstall
+
 [legacy]
 namespace.default.isolated = false
 
@@ -23,3 +26,15 @@
 namespace.default.asan.search.paths +=           /odm/${LIB}
 namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
 namespace.default.asan.search.paths +=           /vendor/${LIB}
+
+###############################################################################
+# Namespace config for binaries under /postinstall.
+# Only one default namespace is defined and it has no directories other than
+# /system/lib in the search paths. This is because linker calls realpath on the
+# search paths and this causes selinux denial if the paths (/vendor, /odm) are
+# not allowed to the poinstall binaries. There is no reason to allow the
+# binaries to access the paths.
+###############################################################################
+[postinstall]
+namespace.default.isolated = false
+namespace.default.search.paths = /system/${LIB}
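Review bot: The header comment on the new `[postinstall]` section reads as if the linker keeps these binaries out of /vendor and /odm, but `namespace.default.isolated = false` means the namespace does not restrict where a library may be loaded from. The section only shortens the default search list so the linker no longer calls realpath on those directories; the actual confinement stays with the SELinux policy for the OTA binaries. The comment should say so, e.g. `# Note: the namespace is not isolated; this only trims the search list, SELinux policy is what denies /vendor and /odm.` If the postinstall binaries are known to need nothing outside `/system/${LIB}`, `isolated = true` would make the linker enforce that as well, though their dependency set is not visible in this diff. The comment also misspells "postinstall" as "poinstall"; both remarks apply to the identical sections added in ld.config.txt and ld.config.vndk_lite.txt.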
diff --git a/rootdir/etc/ld.config.txt b/rootdir/etc/ld.config.txt
index 6e46295..94465f4 100644
--- a/rootdir/etc/ld.config.txt
+++ b/rootdir/etc/ld.config.txt
@@ -24,6 +24,8 @@
 dir.system = /data/benchmarktest
 dir.system = /data/benchmarktest64
 
+dir.postinstall = /postinstall
+
 [system]
 additional.namespaces = sphal,vndk,rs
 
@@ -315,3 +317,15 @@
 
 namespace.system.asan.search.paths  = /data/asan/system/${LIB}
 namespace.system.asan.search.paths +=           /system/${LIB}
+
+###############################################################################
+# Namespace config for binaries under /postinstall.
+# Only one default namespace is defined and it has no directories other than
+# /system/lib in the search paths. This is because linker calls realpath on the
+# search paths and this causes selinux denial if the paths (/vendor, /odm) are
+# not allowed to the poinstall binaries. There is no reason to allow the
+# binaries to access the paths.
+###############################################################################
+[postinstall]
+namespace.default.isolated = false
+namespace.default.search.paths = /system/${LIB}
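Review bot: The new `[postinstall]` section sets `namespace.default.search.paths` but no `namespace.default.asan.search.paths`, while the context lines just above it define an asan variant of the search paths. If the linker reads only the asan key on sanitizer builds, /postinstall binaries there would get an empty search list, so this is worth confirming on an ASAN build. If the key is needed, `namespace.default.asan.search.paths = /data/asan/system/${LIB}` followed by `namespace.default.asan.search.paths += /system/${LIB}` would mirror the pattern already used at the end of this file. The same applies to the sections added in ld.config.legacy.txt and ld.config.vndk_lite.txt.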
diff --git a/rootdir/etc/ld.config.vndk_lite.txt b/rootdir/etc/ld.config.vndk_lite.txt
index 5256cb1..1fd4195 100644
--- a/rootdir/etc/ld.config.vndk_lite.txt
+++ b/rootdir/etc/ld.config.vndk_lite.txt
@@ -24,6 +24,8 @@
 dir.system = /data/benchmarktest
 dir.system = /data/benchmarktest64
 
+dir.postinstall = /postinstall
+
 [system]
 additional.namespaces = sphal,vndk,rs
 
@@ -222,3 +224,15 @@
 namespace.default.asan.search.paths +=           /system/${LIB}/vndk-sp%VNDK_VER%
 namespace.default.asan.search.paths += /data/asan/system/${LIB}
 namespace.default.asan.search.paths +=           /system/${LIB}
+
+###############################################################################
+# Namespace config for binaries under /postinstall.
+# Only one default namespace is defined and it has no directories other than
+# /system/lib in the search paths. This is because linker calls realpath on the
+# search paths and this causes selinux denial if the paths (/vendor, /odm) are
+# not allowed to the poinstall binaries. There is no reason to allow the
+# binaries to access the paths.
+###############################################################################
+[postinstall]
+namespace.default.isolated = false
+namespace.default.search.paths = /system/${LIB}