Use the same set of permitted paths for the "system" namespace for
APEXes.
E.g. /apex/com.android.art/bin/dalvikvm{32,64} relies on permitted
paths in it to load oat and odex files in the system/product/vendor
images.
Cherry-picked from https://r.android.com/1734696.
Test: adb logcat -c
atest art-run-test-615-checker-arm64-store-zero
adb logcat -d
Check that no "E linker" lines are logged.
Test: system/linkerconfig/rundiff.sh
Bug: 190807485
Change-Id: I2feb9deb86c9a6aefe9612d4bda8f5c8700d9864
Merged-In: I2feb9deb86c9a6aefe9612d4bda8f5c8700d9864
diff --git a/contents/include/linkerconfig/common.h b/contents/include/linkerconfig/common.h
index 3d4a8df..3955722 100644
--- a/contents/include/linkerconfig/common.h
+++ b/contents/include/linkerconfig/common.h
@@ -30,6 +30,9 @@
// /system/${LIB} for standard libraries like Bionic (libc.so, libm.so,
// libdl.so) and applicable libclang_rt.*.
void AddStandardSystemLinks(const Context& ctx, modules::Section* section);
+
+const std::vector<std::string> GetSystemPermittedPaths();
+
} // namespace contents
} // namespace linkerconfig
} // namespace android
diff --git a/contents/namespace/apexplatform.cc b/contents/namespace/apexplatform.cc
index 54ba87d..2c2f630 100644
--- a/contents/namespace/apexplatform.cc
+++ b/contents/namespace/apexplatform.cc
@@ -38,7 +38,11 @@
if (!IsProductVndkVersionDefined()) {
ns.AddSearchPath(Var("PRODUCT") + "/${LIB}");
}
- ns.AddPermittedPath("/apex/com.android.runtime/${LIB}/bionic");
+
+ const std::vector<std::string> permitted_paths = GetSystemPermittedPaths();
+ for (const auto& path : permitted_paths) {
+ ns.AddPermittedPath(path);
+ }
ns.AddProvides(ctx.GetSystemProvideLibs());
ns.AddRequires(ctx.GetSystemRequireLibs());
diff --git a/contents/namespace/systemdefault.cc b/contents/namespace/systemdefault.cc
index d28cc21..6e7f286 100644
--- a/contents/namespace/systemdefault.cc
+++ b/contents/namespace/systemdefault.cc
@@ -28,6 +28,53 @@
namespace android {
namespace linkerconfig {
namespace contents {
+
+const std::vector<std::string> GetSystemPermittedPaths() {
+ std::string product = Var("PRODUCT");
+ std::string system_ext = Var("SYSTEM_EXT");
+
+ // We can't have entire /system/${LIB} as permitted paths because doing so
+ // makes it possible to load libs in /system/${LIB}/vndk* directories by
+ // their absolute paths, e.g. dlopen("/system/lib/vndk/libbase.so"). VNDK
+ // libs are built with previous versions of Android and thus must not be
+ // loaded into this namespace where libs built with the current version of
+ // Android are loaded. Mixing the two types of libs in the same namespace
+ // can cause unexpected problems.
+ return {
+ "/system/${LIB}/drm",
+ "/system/${LIB}/extractors",
+ "/system/${LIB}/hw",
+ system_ext + "/${LIB}",
+
+ // These are where odex files are located. libart has to be able to dlopen
+ // the files
+ "/system/framework",
+
+ "/system/app",
+ "/system/priv-app",
+ system_ext + "/framework",
+ system_ext + "/app",
+ system_ext + "/priv-app",
+ "/vendor/framework",
+ "/vendor/app",
+ "/vendor/priv-app",
+ "/system/vendor/framework",
+ "/system/vendor/app",
+ "/system/vendor/priv-app",
+ "/odm/framework",
+ "/odm/app",
+ "/odm/priv-app",
+ "/oem/app",
+ product + "/framework",
+ product + "/app",
+ product + "/priv-app",
+ "/data",
+ "/mnt/expand",
+ "/apex/com.android.runtime/${LIB}/bionic",
+ "/system/${LIB}/bootstrap",
+ };
+}
+
Namespace BuildSystemDefaultNamespace([[maybe_unused]] const Context& ctx) {
bool is_fully_treblelized = ctx.IsDefaultConfig();
std::string product = Var("PRODUCT");
@@ -52,46 +99,7 @@
}
if (is_fully_treblelized) {
- // We can't have entire /system/${LIB} as permitted paths because doing so
- // makes it possible to load libs in /system/${LIB}/vndk* directories by
- // their absolute paths, e.g. dlopen("/system/lib/vndk/libbase.so"). VNDK
- // libs are built with previous versions of Android and thus must not be
- // loaded into this namespace where libs built with the current version of
- // Android are loaded. Mixing the two types of libs in the same namespace
- // can cause unexpected problems.
- const std::vector<std::string> permitted_paths = {
- "/system/${LIB}/drm",
- "/system/${LIB}/extractors",
- "/system/${LIB}/hw",
- system_ext + "/${LIB}",
-
- // These are where odex files are located. libart has to be able to
- // dlopen the files
- "/system/framework",
-
- "/system/app",
- "/system/priv-app",
- system_ext + "/framework",
- system_ext + "/app",
- system_ext + "/priv-app",
- "/vendor/framework",
- "/vendor/app",
- "/vendor/priv-app",
- "/system/vendor/framework",
- "/system/vendor/app",
- "/system/vendor/priv-app",
- "/odm/framework",
- "/odm/app",
- "/odm/priv-app",
- "/oem/app",
- product + "/framework",
- product + "/app",
- product + "/priv-app",
- "/data",
- "/mnt/expand",
- "/apex/com.android.runtime/${LIB}/bionic",
- "/system/${LIB}/bootstrap"};
-
+ const std::vector<std::string> permitted_paths = GetSystemPermittedPaths();
for (const auto& path : permitted_paths) {
ns.AddPermittedPath(path);
}
@@ -105,6 +113,7 @@
ns.AddProvides(ctx.GetSystemProvideLibs());
return ns;
}
+
} // namespace contents
} // namespace linkerconfig
} // namespace android
diff --git a/testdata/golden_output/legacy/com.android.adbd/ld.config.txt b/testdata/golden_output/legacy/com.android.adbd/ld.config.txt
index 8034ac7..321f2fc 100644
--- a/testdata/golden_output/legacy/com.android.adbd/ld.config.txt
+++ b/testdata/golden_output/legacy/com.android.adbd/ld.config.txt
@@ -177,14 +177,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/legacy/com.android.art/ld.config.txt b/testdata/golden_output/legacy/com.android.art/ld.config.txt
index 435a7cf..52b9d00 100644
--- a/testdata/golden_output/legacy/com.android.art/ld.config.txt
+++ b/testdata/golden_output/legacy/com.android.art/ld.config.txt
@@ -241,14 +241,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/legacy/com.android.conscrypt/ld.config.txt b/testdata/golden_output/legacy/com.android.conscrypt/ld.config.txt
index 394a408..7342e03 100644
--- a/testdata/golden_output/legacy/com.android.conscrypt/ld.config.txt
+++ b/testdata/golden_output/legacy/com.android.conscrypt/ld.config.txt
@@ -196,14 +196,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/legacy/com.android.media.swcodec/ld.config.txt b/testdata/golden_output/legacy/com.android.media.swcodec/ld.config.txt
index 52338c6..52e8824 100644
--- a/testdata/golden_output/legacy/com.android.media.swcodec/ld.config.txt
+++ b/testdata/golden_output/legacy/com.android.media.swcodec/ld.config.txt
@@ -235,14 +235,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/legacy/com.android.runtime/ld.config.txt b/testdata/golden_output/legacy/com.android.runtime/ld.config.txt
index a643fec..49ef611 100644
--- a/testdata/golden_output/legacy/com.android.runtime/ld.config.txt
+++ b/testdata/golden_output/legacy/com.android.runtime/ld.config.txt
@@ -186,14 +186,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/legacy/com.android.sdkext/ld.config.txt b/testdata/golden_output/legacy/com.android.sdkext/ld.config.txt
index 1b00563..4d9215a 100644
--- a/testdata/golden_output/legacy/com.android.sdkext/ld.config.txt
+++ b/testdata/golden_output/legacy/com.android.sdkext/ld.config.txt
@@ -191,14 +191,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/legacy/com.vendor.service1/ld.config.txt b/testdata/golden_output/legacy/com.vendor.service1/ld.config.txt
index 8a0a8ab..ec7681d 100644
--- a/testdata/golden_output/legacy/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/legacy/com.vendor.service1/ld.config.txt
@@ -196,14 +196,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.android.adbd/ld.config.txt b/testdata/golden_output/product-enabled/com.android.adbd/ld.config.txt
index 0f044f1..9523bcb 100644
--- a/testdata/golden_output/product-enabled/com.android.adbd/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.android.adbd/ld.config.txt
@@ -176,12 +176,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.android.art/ld.config.txt b/testdata/golden_output/product-enabled/com.android.art/ld.config.txt
index f6f302f..1a7baed 100644
--- a/testdata/golden_output/product-enabled/com.android.art/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.android.art/ld.config.txt
@@ -240,12 +240,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.android.conscrypt/ld.config.txt b/testdata/golden_output/product-enabled/com.android.conscrypt/ld.config.txt
index d67eef4..f321d2d 100644
--- a/testdata/golden_output/product-enabled/com.android.conscrypt/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.android.conscrypt/ld.config.txt
@@ -195,12 +195,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.android.media.swcodec/ld.config.txt b/testdata/golden_output/product-enabled/com.android.media.swcodec/ld.config.txt
index bfcf5ec..8363731 100644
--- a/testdata/golden_output/product-enabled/com.android.media.swcodec/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.android.media.swcodec/ld.config.txt
@@ -230,12 +230,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.android.runtime/ld.config.txt b/testdata/golden_output/product-enabled/com.android.runtime/ld.config.txt
index c3514ad..707ac7e 100644
--- a/testdata/golden_output/product-enabled/com.android.runtime/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.android.runtime/ld.config.txt
@@ -185,12 +185,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.android.sdkext/ld.config.txt b/testdata/golden_output/product-enabled/com.android.sdkext/ld.config.txt
index eab5b83..630bf2d 100644
--- a/testdata/golden_output/product-enabled/com.android.sdkext/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.android.sdkext/ld.config.txt
@@ -190,12 +190,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt b/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt
index 060a63e..6d0edc9 100644
--- a/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt
@@ -197,12 +197,90 @@
namespace.system.visible = true
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage1/com.android.art/ld.config.txt b/testdata/golden_output/stage1/com.android.art/ld.config.txt
index 8e6b596..8eaf515 100644
--- a/testdata/golden_output/stage1/com.android.art/ld.config.txt
+++ b/testdata/golden_output/stage1/com.android.art/ld.config.txt
@@ -92,14 +92,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage1/com.android.runtime/ld.config.txt b/testdata/golden_output/stage1/com.android.runtime/ld.config.txt
index 982d38f..b7ee7c5 100644
--- a/testdata/golden_output/stage1/com.android.runtime/ld.config.txt
+++ b/testdata/golden_output/stage1/com.android.runtime/ld.config.txt
@@ -81,14 +81,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.android.adbd/ld.config.txt b/testdata/golden_output/stage2/com.android.adbd/ld.config.txt
index 8034ac7..321f2fc 100644
--- a/testdata/golden_output/stage2/com.android.adbd/ld.config.txt
+++ b/testdata/golden_output/stage2/com.android.adbd/ld.config.txt
@@ -177,14 +177,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.android.art/ld.config.txt b/testdata/golden_output/stage2/com.android.art/ld.config.txt
index 435a7cf..52b9d00 100644
--- a/testdata/golden_output/stage2/com.android.art/ld.config.txt
+++ b/testdata/golden_output/stage2/com.android.art/ld.config.txt
@@ -241,14 +241,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.android.conscrypt/ld.config.txt b/testdata/golden_output/stage2/com.android.conscrypt/ld.config.txt
index 394a408..7342e03 100644
--- a/testdata/golden_output/stage2/com.android.conscrypt/ld.config.txt
+++ b/testdata/golden_output/stage2/com.android.conscrypt/ld.config.txt
@@ -196,14 +196,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.android.media.swcodec/ld.config.txt b/testdata/golden_output/stage2/com.android.media.swcodec/ld.config.txt
index f2d194a..f5b5b96 100644
--- a/testdata/golden_output/stage2/com.android.media.swcodec/ld.config.txt
+++ b/testdata/golden_output/stage2/com.android.media.swcodec/ld.config.txt
@@ -231,14 +231,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.android.runtime/ld.config.txt b/testdata/golden_output/stage2/com.android.runtime/ld.config.txt
index a643fec..49ef611 100644
--- a/testdata/golden_output/stage2/com.android.runtime/ld.config.txt
+++ b/testdata/golden_output/stage2/com.android.runtime/ld.config.txt
@@ -186,14 +186,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.android.sdkext/ld.config.txt b/testdata/golden_output/stage2/com.android.sdkext/ld.config.txt
index 1b00563..4d9215a 100644
--- a/testdata/golden_output/stage2/com.android.sdkext/ld.config.txt
+++ b/testdata/golden_output/stage2/com.android.sdkext/ld.config.txt
@@ -191,14 +191,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so
diff --git a/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt b/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt
index 8d80ab5..31fe63d 100644
--- a/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt
@@ -198,14 +198,92 @@
namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /system_ext/${LIB}
namespace.system.search.paths += /product/${LIB}
-namespace.system.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths = /system/${LIB}/drm
+namespace.system.permitted.paths += /system/${LIB}/extractors
+namespace.system.permitted.paths += /system/${LIB}/hw
+namespace.system.permitted.paths += /system_ext/${LIB}
+namespace.system.permitted.paths += /system/framework
+namespace.system.permitted.paths += /system/app
+namespace.system.permitted.paths += /system/priv-app
+namespace.system.permitted.paths += /system_ext/framework
+namespace.system.permitted.paths += /system_ext/app
+namespace.system.permitted.paths += /system_ext/priv-app
+namespace.system.permitted.paths += /vendor/framework
+namespace.system.permitted.paths += /vendor/app
+namespace.system.permitted.paths += /vendor/priv-app
+namespace.system.permitted.paths += /system/vendor/framework
+namespace.system.permitted.paths += /system/vendor/app
+namespace.system.permitted.paths += /system/vendor/priv-app
+namespace.system.permitted.paths += /odm/framework
+namespace.system.permitted.paths += /odm/app
+namespace.system.permitted.paths += /odm/priv-app
+namespace.system.permitted.paths += /oem/app
+namespace.system.permitted.paths += /product/framework
+namespace.system.permitted.paths += /product/app
+namespace.system.permitted.paths += /product/priv-app
+namespace.system.permitted.paths += /data
+namespace.system.permitted.paths += /mnt/expand
+namespace.system.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.permitted.paths += /system/${LIB}/bootstrap
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/system_ext/${LIB}
namespace.system.asan.search.paths += /system_ext/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}
-namespace.system.asan.permitted.paths = /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths = /data/asan/system/${LIB}/drm
+namespace.system.asan.permitted.paths += /system/${LIB}/drm
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /system/${LIB}/extractors
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/hw
+namespace.system.asan.permitted.paths += /system/${LIB}/hw
+namespace.system.asan.permitted.paths += /data/asan/system_ext/${LIB}
+namespace.system.asan.permitted.paths += /system_ext/${LIB}
+namespace.system.asan.permitted.paths += /data/asan/system/framework
+namespace.system.asan.permitted.paths += /system/framework
+namespace.system.asan.permitted.paths += /data/asan/system/app
+namespace.system.asan.permitted.paths += /system/app
+namespace.system.asan.permitted.paths += /data/asan/system/priv-app
+namespace.system.asan.permitted.paths += /system/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/framework
+namespace.system.asan.permitted.paths += /system_ext/framework
+namespace.system.asan.permitted.paths += /data/asan/system_ext/app
+namespace.system.asan.permitted.paths += /system_ext/app
+namespace.system.asan.permitted.paths += /data/asan/system_ext/priv-app
+namespace.system.asan.permitted.paths += /system_ext/priv-app
+namespace.system.asan.permitted.paths += /data/asan/vendor/framework
+namespace.system.asan.permitted.paths += /vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/vendor/app
+namespace.system.asan.permitted.paths += /vendor/app
+namespace.system.asan.permitted.paths += /data/asan/vendor/priv-app
+namespace.system.asan.permitted.paths += /vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/framework
+namespace.system.asan.permitted.paths += /system/vendor/framework
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/app
+namespace.system.asan.permitted.paths += /system/vendor/app
+namespace.system.asan.permitted.paths += /data/asan/system/vendor/priv-app
+namespace.system.asan.permitted.paths += /system/vendor/priv-app
+namespace.system.asan.permitted.paths += /data/asan/odm/framework
+namespace.system.asan.permitted.paths += /odm/framework
+namespace.system.asan.permitted.paths += /data/asan/odm/app
+namespace.system.asan.permitted.paths += /odm/app
+namespace.system.asan.permitted.paths += /data/asan/odm/priv-app
+namespace.system.asan.permitted.paths += /odm/priv-app
+namespace.system.asan.permitted.paths += /data/asan/oem/app
+namespace.system.asan.permitted.paths += /oem/app
+namespace.system.asan.permitted.paths += /data/asan/product/framework
+namespace.system.asan.permitted.paths += /product/framework
+namespace.system.asan.permitted.paths += /data/asan/product/app
+namespace.system.asan.permitted.paths += /product/app
+namespace.system.asan.permitted.paths += /data/asan/product/priv-app
+namespace.system.asan.permitted.paths += /product/priv-app
+namespace.system.asan.permitted.paths += /data/asan/data
+namespace.system.asan.permitted.paths += /data
+namespace.system.asan.permitted.paths += /data/asan/mnt/expand
+namespace.system.asan.permitted.paths += /mnt/expand
+namespace.system.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic
+namespace.system.asan.permitted.paths += /data/asan/system/${LIB}/bootstrap
+namespace.system.asan.permitted.paths += /system/${LIB}/bootstrap
namespace.system.links = com_android_i18n,com_android_art,com_android_resolv,com_android_neuralnetworks,com_android_os_statsd
namespace.system.link.com_android_i18n.shared_libs = libandroidicu.so
namespace.system.link.com_android_i18n.shared_libs += libicu.so