Make VNDK namespace isolated
VNDK namespace was not isolated from vendor / product section
previously, which caused to allow symlinks for VNDK libraries from
vendor lib to system lib. This change isolates VNDK namespace to block
any symlinks to unallowed path for VNDK libraries.
Bug: 197949658
Test: N/A
Change-Id: I8b0d881a530497642b38698b8ec2b5a10694a77e
diff --git a/contents/namespace/vndk.cc b/contents/namespace/vndk.cc
index 556dfed..36540c4 100644
--- a/contents/namespace/vndk.cc
+++ b/contents/namespace/vndk.cc
@@ -43,12 +43,12 @@
name = "vndk";
}
- // Isolated but visible when used in the [system] or [unrestricted] section to
+ // Isolated and visible when used in the [system] or [unrestricted] section to
// allow links to be created at runtime, e.g. through android_link_namespaces
- // in libnativeloader. Otherwise it isn't isolated, so visibility doesn't
- // matter.
+ // in libnativeloader. Otherwise namespace should be isolated but not visible
+ // so namespace itself keep strict and links would not be modified at runtime.
Namespace ns(name,
- /*is_isolated=*/ctx.IsSystemSection() || ctx.IsApexBinaryConfig(),
+ /*is_isolated=*/true,
/*is_visible=*/is_system_or_unrestricted_section);
std::vector<std::string> lib_paths;
@@ -78,8 +78,7 @@
// 2. VNDK APEX
ns.AddSearchPath("/apex/com.android.vndk.v" + vndk_version + "/${LIB}");
- if (is_system_or_unrestricted_section &&
- vndk_user == VndkUserPartition::Vendor) {
+ if (vndk_user == VndkUserPartition::Vendor) {
// It is for vendor sp-hal
ns.AddPermittedPath("/odm/${LIB}/hw");
ns.AddPermittedPath("/odm/${LIB}/egl");
diff --git a/testdata/golden_output/guest/com.vendor.service1/ld.config.txt b/testdata/golden_output/guest/com.vendor.service1/ld.config.txt
index b9eb0f4..5510295 100644
--- a/testdata/golden_output/guest/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/guest/com.vendor.service1/ld.config.txt
@@ -371,6 +371,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -384,6 +391,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
diff --git a/testdata/golden_output/guest/ld.config.txt b/testdata/golden_output/guest/ld.config.txt
index 408118d..465bad4 100644
--- a/testdata/golden_output/guest/ld.config.txt
+++ b/testdata/golden_output/guest/ld.config.txt
@@ -845,7 +845,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /odm/${LIB}/vndk
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
@@ -853,6 +853,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -866,6 +873,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
@@ -1190,7 +1210,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /product/${LIB}/vndk-sp
namespace.vndk.search.paths += /product/${LIB}/vndk
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
@@ -1529,7 +1549,7 @@
namespace.sphal.link.default.shared_libs += libclang_rt.asan-arm-android.so:libclang_rt.asan-i686-android.so:libclang_rt.hwasan-arm-android.so:libclang_rt.hwasan-i686-android.so:libclang_rt.tsan-arm-android.so:libclang_rt.tsan-i686-android.so:libclang_rt.ubsan_standalone-arm-android.so:libclang_rt.ubsan_standalone-i686-android.so
namespace.sphal.link.vndk.shared_libs = android.hardware.graphics.common@1.0.so:android.hardware.graphics.common@1.1.so:android.hardware.graphics.common@1.2.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.mapper@2.1.so:android.hardware.graphics.mapper@3.0.so:android.hardware.renderscript@1.0.so:android.hidl.memory.token@1.0.so:android.hidl.memory@1.0-impl.so:android.hidl.memory@1.0.so:android.hidl.safe_union@1.0.so:libRSCpuRef.so:libRSDriver.so:libRS_internal.so:libbase.so:libbcinfo.so:libc++.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libion.so:libjsoncpp.so:liblzma.so:libprocessgroup.so:libunwindstack.so:libutils.so:libutilscallstack.so:libz.so
namespace.sphal.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.visible = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
diff --git a/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt b/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt
index b9eb0f4..5510295 100644
--- a/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/product-enabled/com.vendor.service1/ld.config.txt
@@ -371,6 +371,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -384,6 +391,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
diff --git a/testdata/golden_output/product-enabled/ld.config.txt b/testdata/golden_output/product-enabled/ld.config.txt
index 408118d..465bad4 100644
--- a/testdata/golden_output/product-enabled/ld.config.txt
+++ b/testdata/golden_output/product-enabled/ld.config.txt
@@ -845,7 +845,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /odm/${LIB}/vndk
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
@@ -853,6 +853,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -866,6 +873,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
@@ -1190,7 +1210,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /product/${LIB}/vndk-sp
namespace.vndk.search.paths += /product/${LIB}/vndk
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
@@ -1529,7 +1549,7 @@
namespace.sphal.link.default.shared_libs += libclang_rt.asan-arm-android.so:libclang_rt.asan-i686-android.so:libclang_rt.hwasan-arm-android.so:libclang_rt.hwasan-i686-android.so:libclang_rt.tsan-arm-android.so:libclang_rt.tsan-i686-android.so:libclang_rt.ubsan_standalone-arm-android.so:libclang_rt.ubsan_standalone-i686-android.so
namespace.sphal.link.vndk.shared_libs = android.hardware.graphics.common@1.0.so:android.hardware.graphics.common@1.1.so:android.hardware.graphics.common@1.2.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.mapper@2.1.so:android.hardware.graphics.mapper@3.0.so:android.hardware.renderscript@1.0.so:android.hidl.memory.token@1.0.so:android.hidl.memory@1.0-impl.so:android.hidl.memory@1.0.so:android.hidl.safe_union@1.0.so:libRSCpuRef.so:libRSDriver.so:libRS_internal.so:libbase.so:libbcinfo.so:libc++.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libion.so:libjsoncpp.so:liblzma.so:libprocessgroup.so:libunwindstack.so:libutils.so:libutilscallstack.so:libz.so
namespace.sphal.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.visible = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
diff --git a/testdata/golden_output/stage1/ld.config.txt b/testdata/golden_output/stage1/ld.config.txt
index 90f4e37..51c9464 100644
--- a/testdata/golden_output/stage1/ld.config.txt
+++ b/testdata/golden_output/stage1/ld.config.txt
@@ -515,7 +515,7 @@
namespace.system.link.com_android_art.shared_libs += libnativebridge.so
namespace.system.link.com_android_art.shared_libs += libnativehelper.so
namespace.system.link.com_android_art.shared_libs += libnativeloader.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /odm/${LIB}/vndk
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
@@ -523,6 +523,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -536,6 +543,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
@@ -709,7 +729,7 @@
namespace.sphal.link.default.shared_libs += libm.so
namespace.sphal.link.default.shared_libs += libclang_rt.asan-arm-android.so:libclang_rt.asan-i686-android.so:libclang_rt.hwasan-arm-android.so:libclang_rt.hwasan-i686-android.so:libclang_rt.tsan-arm-android.so:libclang_rt.tsan-i686-android.so:libclang_rt.ubsan_standalone-arm-android.so:libclang_rt.ubsan_standalone-i686-android.so
namespace.sphal.link.vndk.shared_libs = android.hardware.graphics.common@1.0.so:android.hardware.graphics.common@1.1.so:android.hardware.graphics.common@1.2.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.mapper@2.1.so:android.hardware.graphics.mapper@3.0.so:android.hardware.renderscript@1.0.so:android.hidl.memory.token@1.0.so:android.hidl.memory@1.0-impl.so:android.hidl.memory@1.0.so:android.hidl.safe_union@1.0.so:libRSCpuRef.so:libRSDriver.so:libRS_internal.so:libbase.so:libbcinfo.so:libc++.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libion.so:libjsoncpp.so:liblzma.so:libprocessgroup.so:libunwindstack.so:libutils.so:libutilscallstack.so:libz.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.visible = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
diff --git a/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt b/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt
index b5d89bc..ab2a1af 100644
--- a/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/stage2/com.vendor.service1/ld.config.txt
@@ -377,6 +377,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -390,6 +397,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
diff --git a/testdata/golden_output/stage2/ld.config.txt b/testdata/golden_output/stage2/ld.config.txt
index a71e939..05a5f1a 100644
--- a/testdata/golden_output/stage2/ld.config.txt
+++ b/testdata/golden_output/stage2/ld.config.txt
@@ -801,7 +801,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /odm/${LIB}/vndk
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
@@ -809,6 +809,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -822,6 +829,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
@@ -1149,7 +1169,7 @@
namespace.sphal.link.default.shared_libs += libclang_rt.asan-arm-android.so:libclang_rt.asan-i686-android.so:libclang_rt.hwasan-arm-android.so:libclang_rt.hwasan-i686-android.so:libclang_rt.tsan-arm-android.so:libclang_rt.tsan-i686-android.so:libclang_rt.ubsan_standalone-arm-android.so:libclang_rt.ubsan_standalone-i686-android.so
namespace.sphal.link.vndk.shared_libs = android.hardware.graphics.common@1.0.so:android.hardware.graphics.common@1.1.so:android.hardware.graphics.common@1.2.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.mapper@2.1.so:android.hardware.graphics.mapper@3.0.so:android.hardware.renderscript@1.0.so:android.hidl.memory.token@1.0.so:android.hidl.memory@1.0-impl.so:android.hidl.memory@1.0.so:android.hidl.safe_union@1.0.so:libRSCpuRef.so:libRSDriver.so:libRS_internal.so:libbase.so:libbcinfo.so:libc++.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libion.so:libjsoncpp.so:liblzma.so:libprocessgroup.so:libunwindstack.so:libutils.so:libutilscallstack.so:libz.so
namespace.sphal.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.visible = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
diff --git a/testdata/golden_output/vndk-in-system/com.vendor.service1/ld.config.txt b/testdata/golden_output/vndk-in-system/com.vendor.service1/ld.config.txt
index 5f46475..7aeecc4 100644
--- a/testdata/golden_output/vndk-in-system/com.vendor.service1/ld.config.txt
+++ b/testdata/golden_output/vndk-in-system/com.vendor.service1/ld.config.txt
@@ -372,6 +372,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -385,6 +392,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
diff --git a/testdata/golden_output/vndk-in-system/ld.config.txt b/testdata/golden_output/vndk-in-system/ld.config.txt
index fdb6c8f..27a2c08 100644
--- a/testdata/golden_output/vndk-in-system/ld.config.txt
+++ b/testdata/golden_output/vndk-in-system/ld.config.txt
@@ -846,7 +846,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /odm/${LIB}/vndk
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
@@ -854,6 +854,13 @@
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
namespace.vndk.search.paths += /odm/${LIB}
namespace.vndk.search.paths += /vendor/${LIB}
+namespace.vndk.permitted.paths = /odm/${LIB}/hw
+namespace.vndk.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk
@@ -867,6 +874,19 @@
namespace.vndk.asan.search.paths += /odm/${LIB}
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}
namespace.vndk.asan.search.paths += /vendor/${LIB}
+namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/hw
+namespace.vndk.asan.permitted.paths += /data/asan/system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /system/vendor/${LIB}/egl
+namespace.vndk.asan.permitted.paths += /apex/com.android.vndk.vR/${LIB}/hw
namespace.vndk.links = system,vndk_in_system,com_android_neuralnetworks
namespace.vndk.link.system.shared_libs = libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libRS.so:libandroid_net.so:libbinder_ndk.so:libc.so:libcgrouprc.so:libclang_rt.asan-i686-android.so:libdl.so:liblog.so:libm.so:libmediandk.so:libnativewindow.so:libneuralnetworks.so:libsync.so:libvndksupport.so:libvulkan.so
namespace.vndk.link.system.shared_libs += libc.so
@@ -1210,7 +1230,7 @@
namespace.system.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
namespace.system.link.com_android_os_statsd.shared_libs = libstatspull.so
namespace.system.link.com_android_os_statsd.shared_libs += libstatssocket.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.search.paths = /product/${LIB}/vndk-sp
namespace.vndk.search.paths += /product/${LIB}/vndk
namespace.vndk.search.paths += /apex/com.android.vndk.vR/${LIB}
@@ -1567,7 +1587,7 @@
namespace.sphal.link.default.shared_libs += libclang_rt.asan-arm-android.so:libclang_rt.asan-i686-android.so:libclang_rt.hwasan-arm-android.so:libclang_rt.hwasan-i686-android.so:libclang_rt.tsan-arm-android.so:libclang_rt.tsan-i686-android.so:libclang_rt.ubsan_standalone-arm-android.so:libclang_rt.ubsan_standalone-i686-android.so
namespace.sphal.link.vndk.shared_libs = android.hardware.graphics.common@1.0.so:android.hardware.graphics.common@1.1.so:android.hardware.graphics.common@1.2.so:android.hardware.graphics.mapper@2.0.so:android.hardware.graphics.mapper@2.1.so:android.hardware.graphics.mapper@3.0.so:android.hardware.renderscript@1.0.so:android.hidl.memory.token@1.0.so:android.hidl.memory@1.0-impl.so:android.hidl.memory@1.0.so:android.hidl.safe_union@1.0.so:libRSCpuRef.so:libRSDriver.so:libRS_internal.so:libbase.so:libbcinfo.so:libc++.so:libcutils.so:libhardware.so:libhidlbase.so:libhidlmemory.so:libion.so:libjsoncpp.so:liblzma.so:libprocessgroup.so:libunwindstack.so:libutils.so:libutilscallstack.so:libz.so
namespace.sphal.link.com_android_neuralnetworks.shared_libs = libneuralnetworks.so
-namespace.vndk.isolated = false
+namespace.vndk.isolated = true
namespace.vndk.visible = true
namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
