diff options
author | TreeHugger Robot <treehugger-gerrit@google.com> | 2017-09-22 02:32:50 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2017-09-22 02:32:50 +0000 |
commit | 52cd1e7a4202799d71f2400381e94307599aef5b (patch) | |
tree | 51d071ce6316fc92c2ababeaa3eb793bce05fe6a | |
parent | 146fa6b458faec2c09e9e6a24605ebd96c24e66c (diff) | |
parent | 527757e16b450849865461fd0f8e7086c1efa89e (diff) | |
download | bionic-52cd1e7a4202799d71f2400381e94307599aef5b.tar.gz |
Merge "Don't resolve permitted.paths" into oc-mr1-dev
-rw-r--r-- | linker/linker_config.cpp | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/linker/linker_config.cpp b/linker/linker_config.cpp index 0a9aeab2a..e036c05d9 100644 --- a/linker/linker_config.cpp +++ b/linker/linker_config.cpp @@ -320,7 +320,7 @@ class Properties { return (it == properties_.end()) ? "" : it->second.value(); } - std::vector<std::string> get_paths(const std::string& name, size_t* lineno = nullptr) { + std::vector<std::string> get_paths(const std::string& name, bool resolve, size_t* lineno = nullptr) { std::string paths_str = get_string(name, lineno); std::vector<std::string> paths; @@ -338,12 +338,16 @@ class Properties { format_string(&path, params); } - std::vector<std::string> resolved_paths; + if (resolve) { + std::vector<std::string> resolved_paths; - // do not remove paths that do not exist - resolve_paths(paths, &resolved_paths); + // do not remove paths that do not exist + resolve_paths(paths, &resolved_paths); - return resolved_paths; + return resolved_paths; + } else { + return paths; + } } void set_target_sdk_version(int target_sdk_version) { @@ -465,8 +469,18 @@ bool Config::read_binary_config(const char* ld_config_file_path, property_name_prefix += ".asan"; } - ns_config->set_search_paths(properties.get_paths(property_name_prefix + ".search.paths")); - ns_config->set_permitted_paths(properties.get_paths(property_name_prefix + ".permitted.paths")); + // search paths are resolved (canonicalized). This is required mainly for + // the case when /vendor is a symlink to /system/vendor, which is true for + // non Treble-ized legacy devices. + ns_config->set_search_paths(properties.get_paths(property_name_prefix + ".search.paths", true)); + + // However, for permitted paths, we are not required to resolve the paths + // since they are only set for isolated namespaces, which implies the device + // is Treble-ized (= /vendor is not a symlink to /system/vendor). + // In fact, the resolving is causing an unexpected side effect of selinux + // denials on some executables which are not allowed to access some of the + // permitted paths. + ns_config->set_permitted_paths(properties.get_paths(property_name_prefix + ".permitted.paths", false)); } failure_guard.Disable(); |