From bb8f985d773f63f9e943103cb1faae5bfba8e1e1 Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Tue, 7 Jan 2020 19:54:39 +0900
Subject: [PATCH] Add /system/lib to the permitted paths for ns of APEXes

With b/144533348, there will be symlinks from libs in APEXes to the libs
in the system partition. This is to reduce the size of APEXes when the
APEX is bundled with the platform.

Adding the /system/lib to the permitted paths so that the realpaths of
the symlinks are allowed for the namespaces.

Note that this however does not open all libs in the system partition to
the APEX namespaces, because searching of the libs are NOT done in
/system/lib, but in /apex/<module>/lib directory.

Bug: 144533348
Test: m
Change-Id: I959d4312a7bc5427c4d84885fbac4bc235cffa86
---
 apex/ld.config.txt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apex/ld.config.txt b/apex/ld.config.txt
index f56e1b5f27..bd6af83585 100644
--- a/apex/ld.config.txt
+++ b/apex/ld.config.txt
@@ -22,6 +22,12 @@ namespace.default.visible = true
 namespace.default.search.paths      = /apex/com.android.media.swcodec/${LIB}
 namespace.default.asan.search.paths = /apex/com.android.media.swcodec/${LIB}
 
+# Below lines are required to be able to access libs in APEXes which are
+# actually symlinks to the files under /system/lib. The symlinks exist for
+# bundled APEXes to reduce space.
+namespace.default.permitted.paths   = /system/${LIB}
+namespace.default.asan.permitted.paths = /system/${LIB}
+
 namespace.default.links = platform
 
 # TODO: replace the following when apex has a way to auto-generate this list