1# Copyright (C) 2017 The Android Open Source Project 2# 3# Bionic loader config file. 4# 5 6# Don't change the order here. The first pattern that matches with the 7# absolute path of an executable is selected. 8dir.system = /system/bin/ 9dir.system = /system/xbin/ 10dir.system = /%PRODUCT%/bin/ 11 12dir.vendor = /odm/bin/ 13dir.vendor = /vendor/bin/ 14dir.vendor = /data/nativetest/odm 15dir.vendor = /data/nativetest64/odm 16dir.vendor = /data/benchmarktest/odm 17dir.vendor = /data/benchmarktest64/odm 18dir.vendor = /data/nativetest/vendor 19dir.vendor = /data/nativetest64/vendor 20dir.vendor = /data/benchmarktest/vendor 21dir.vendor = /data/benchmarktest64/vendor 22 23dir.unrestricted = /data/nativetest/unrestricted 24dir.unrestricted = /data/nativetest64/unrestricted 25 26# TODO(b/123864775): Ensure tests are run from /data/nativetest{,64} or (if 27# necessary) the unrestricted subdirs above. Then clean this up. 28dir.unrestricted = /data/local/tmp 29 30dir.postinstall = /postinstall 31 32# Fallback entry to provide APEX namespace lookups for binaries anywhere else. 33# This must be last. 34dir.system = /data 35 36[system] 37additional.namespaces = runtime,conscrypt,media,resolv,sphal,vndk,rs 38 39############################################################################### 40# "default" namespace 41# 42# Framework-side code runs in this namespace. Libs from /vendor partition 43# can't be loaded in this namespace. 44############################################################################### 45namespace.default.isolated = true 46 47namespace.default.search.paths = /system/${LIB} 48namespace.default.search.paths += /%PRODUCT%/${LIB} 49namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB} 50 51# We can't have entire /system/${LIB} as permitted paths because doing so 52# makes it possible to load libs in /system/${LIB}/vndk* directories by 53# their absolute paths (e.g. dlopen("/system/lib/vndk/libbase.so");). 54# VNDK libs are built with previous versions of Android and thus must not be 55# loaded into this namespace where libs built with the current version of 56# Android are loaded. Mixing the two types of libs in the same namespace can 57# cause unexpected problem. 58namespace.default.permitted.paths = /system/${LIB}/drm 59namespace.default.permitted.paths += /system/${LIB}/extractors 60namespace.default.permitted.paths += /system/${LIB}/hw 61namespace.default.permitted.paths += /%PRODUCT%/${LIB} 62namespace.default.permitted.paths += /%PRODUCT_SERVICES%/${LIB} 63# These are where odex files are located. libart has to be able to dlopen the files 64namespace.default.permitted.paths += /system/framework 65namespace.default.permitted.paths += /system/app 66namespace.default.permitted.paths += /system/priv-app 67namespace.default.permitted.paths += /vendor/framework 68namespace.default.permitted.paths += /vendor/app 69namespace.default.permitted.paths += /vendor/priv-app 70namespace.default.permitted.paths += /system/vendor/framework 71namespace.default.permitted.paths += /system/vendor/app 72namespace.default.permitted.paths += /system/vendor/priv-app 73namespace.default.permitted.paths += /odm/framework 74namespace.default.permitted.paths += /odm/app 75namespace.default.permitted.paths += /odm/priv-app 76namespace.default.permitted.paths += /oem/app 77namespace.default.permitted.paths += /%PRODUCT%/framework 78namespace.default.permitted.paths += /%PRODUCT%/app 79namespace.default.permitted.paths += /%PRODUCT%/priv-app 80namespace.default.permitted.paths += /%PRODUCT_SERVICES%/framework 81namespace.default.permitted.paths += /%PRODUCT_SERVICES%/app 82namespace.default.permitted.paths += /%PRODUCT_SERVICES%/priv-app 83namespace.default.permitted.paths += /data 84namespace.default.permitted.paths += /mnt/expand 85namespace.default.permitted.paths += /apex/com.android.runtime/${LIB}/bionic 86namespace.default.permitted.paths += /system/${LIB}/bootstrap 87 88namespace.default.asan.search.paths = /data/asan/system/${LIB} 89namespace.default.asan.search.paths += /system/${LIB} 90namespace.default.asan.search.paths += /data/asan/%PRODUCT%/${LIB} 91namespace.default.asan.search.paths += /%PRODUCT%/${LIB} 92namespace.default.asan.search.paths += /data/asan/%PRODUCT_SERVICES%/${LIB} 93namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} 94 95namespace.default.asan.permitted.paths = /data 96namespace.default.asan.permitted.paths += /system/${LIB}/drm 97namespace.default.asan.permitted.paths += /system/${LIB}/extractors 98namespace.default.asan.permitted.paths += /system/${LIB}/hw 99namespace.default.asan.permitted.paths += /system/framework 100namespace.default.asan.permitted.paths += /system/app 101namespace.default.asan.permitted.paths += /system/priv-app 102namespace.default.asan.permitted.paths += /vendor/framework 103namespace.default.asan.permitted.paths += /vendor/app 104namespace.default.asan.permitted.paths += /vendor/priv-app 105namespace.default.asan.permitted.paths += /system/vendor/framework 106namespace.default.asan.permitted.paths += /system/vendor/app 107namespace.default.asan.permitted.paths += /system/vendor/priv-app 108namespace.default.asan.permitted.paths += /odm/framework 109namespace.default.asan.permitted.paths += /odm/app 110namespace.default.asan.permitted.paths += /odm/priv-app 111namespace.default.asan.permitted.paths += /oem/app 112namespace.default.asan.permitted.paths += /%PRODUCT%/${LIB} 113namespace.default.asan.permitted.paths += /%PRODUCT%/framework 114namespace.default.asan.permitted.paths += /%PRODUCT%/app 115namespace.default.asan.permitted.paths += /%PRODUCT%/priv-app 116namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/${LIB} 117namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/framework 118namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/app 119namespace.default.asan.permitted.paths += /%PRODUCT_SERVICES%/priv-app 120namespace.default.asan.permitted.paths += /mnt/expand 121namespace.default.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic 122namespace.default.asan.permitted.paths += /system/${LIB}/bootstrap 123 124# Keep in sync with ld.config.txt in the com.android.runtime APEX. 125# If a shared library or an executable requests a shared library that 126# cannot be loaded into the default namespace, the dynamic linker tries 127# to load the shared library from the runtime namespace. And then, if the 128# shared library cannot be loaded from the runtime namespace either, the 129# dynamic linker tries to load the shared library from the resolv namespace. 130# Finally, if all attempts fail, the dynamic linker returns an error. 131namespace.default.links = runtime,resolv 132# Visible because some libraries are dlopen'ed, e.g. libopenjdk is dlopen'ed by 133# libart. 134namespace.default.visible = true 135namespace.default.link.runtime.shared_libs = libdexfile_external.so 136# libicuuc.so and libicui18n.so are kept for app compat reason. http://b/130788466 137namespace.default.link.runtime.shared_libs += libicui18n.so 138namespace.default.link.runtime.shared_libs += libicuuc.so 139namespace.default.link.runtime.shared_libs += libnativebridge.so 140namespace.default.link.runtime.shared_libs += libnativehelper.so 141namespace.default.link.runtime.shared_libs += libnativeloader.so 142namespace.default.link.runtime.shared_libs += libandroidicu.so 143 144# TODO(b/122876336): Remove libpac.so once it's migrated to Webview 145namespace.default.link.runtime.shared_libs += libpac.so 146 147# When libnetd_resolv.so can't be found in the default namespace, search for it 148# in the resolv namespace. Don't allow any other libraries from the resolv namespace 149# to be loaded in the default namespace. 150namespace.default.link.resolv.shared_libs = libnetd_resolv.so 151 152############################################################################### 153# "runtime" APEX namespace 154# 155# This namespace exposes externally accessible libraries from the Runtime APEX. 156############################################################################### 157namespace.runtime.isolated = true 158namespace.runtime.visible = true 159 160# Keep in sync with ld.config.txt in the com.android.runtime APEX. 161namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} 162namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} 163namespace.runtime.links = default 164# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library 165# when it exists. 166namespace.runtime.link.default.allow_all_shared_libs = true 167 168############################################################################### 169# "media" APEX namespace 170# 171# This namespace is for libraries within the media APEX. 172############################################################################### 173namespace.media.isolated = true 174namespace.media.visible = true 175 176namespace.media.search.paths = /apex/com.android.media/${LIB} 177namespace.media.asan.search.paths = /apex/com.android.media/${LIB} 178 179namespace.media.permitted.paths = /apex/com.android.media/${LIB}/extractors 180namespace.media.asan.permitted.paths = /apex/com.android.media/${LIB}/extractors 181 182namespace.media.links = default 183namespace.media.link.default.shared_libs = %LLNDK_LIBRARIES% 184namespace.media.link.default.shared_libs += libbinder_ndk.so 185namespace.media.link.default.shared_libs += libcgrouprc.so 186namespace.media.link.default.shared_libs += libmediametrics.so 187namespace.media.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 188 189############################################################################### 190# "conscrypt" APEX namespace 191# 192# This namespace is for libraries within the conscrypt APEX. 193############################################################################### 194namespace.conscrypt.isolated = true 195namespace.conscrypt.visible = true 196 197# Keep in sync with ld.config.txt in the com.android.runtime APEX. 198namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} 199namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} 200namespace.conscrypt.links = runtime,default 201namespace.conscrypt.link.runtime.shared_libs = libandroidio.so 202namespace.conscrypt.link.default.shared_libs = libc.so 203namespace.conscrypt.link.default.shared_libs += libm.so 204namespace.conscrypt.link.default.shared_libs += libdl.so 205namespace.conscrypt.link.default.shared_libs += liblog.so 206 207############################################################################### 208# "resolv" APEX namespace 209# 210# This namespace is for libraries within the resolv APEX. 211############################################################################### 212namespace.resolv.isolated = true 213namespace.resolv.visible = true 214 215namespace.resolv.search.paths = /apex/com.android.resolv/${LIB} 216namespace.resolv.asan.search.paths = /apex/com.android.resolv/${LIB} 217namespace.resolv.links = default 218namespace.resolv.link.default.shared_libs = libc.so 219namespace.resolv.link.default.shared_libs += libcgrouprc.so 220namespace.resolv.link.default.shared_libs += libm.so 221namespace.resolv.link.default.shared_libs += libdl.so 222namespace.resolv.link.default.shared_libs += libbinder_ndk.so 223namespace.resolv.link.default.shared_libs += liblog.so 224namespace.resolv.link.default.shared_libs += libvndksupport.so 225 226############################################################################### 227# "sphal" namespace 228# 229# SP-HAL(Sameprocess-HAL)s are the only vendor libraries that are allowed to be 230# loaded inside system processes. libEGL_<chipset>.so, libGLESv2_<chipset>.so, 231# android.hardware.graphics.mapper@2.0-impl.so, etc are SP-HALs. 232# 233# This namespace is exclusivly for SP-HALs. When the framework tries to dynami- 234# cally load SP-HALs, android_dlopen_ext() is used to explicitly specifying 235# that they should be searched and loaded from this namespace. 236# 237# Note that there is no link from the default namespace to this namespace. 238############################################################################### 239namespace.sphal.isolated = true 240namespace.sphal.visible = true 241 242namespace.sphal.search.paths = /odm/${LIB} 243namespace.sphal.search.paths += /vendor/${LIB} 244namespace.sphal.search.paths += /vendor/${LIB}/hw 245 246namespace.sphal.permitted.paths = /odm/${LIB} 247namespace.sphal.permitted.paths += /vendor/${LIB} 248namespace.sphal.permitted.paths += /system/vendor/${LIB} 249 250namespace.sphal.asan.search.paths = /data/asan/odm/${LIB} 251namespace.sphal.asan.search.paths += /odm/${LIB} 252namespace.sphal.asan.search.paths += /data/asan/vendor/${LIB} 253namespace.sphal.asan.search.paths += /vendor/${LIB} 254 255namespace.sphal.asan.permitted.paths = /data/asan/odm/${LIB} 256namespace.sphal.asan.permitted.paths += /odm/${LIB} 257namespace.sphal.asan.permitted.paths += /data/asan/vendor/${LIB} 258namespace.sphal.asan.permitted.paths += /vendor/${LIB} 259 260# Once in this namespace, access to libraries in /system/lib is restricted. Only 261# libs listed here can be used. Order is important here as the namespaces are 262# tried in this order. rs should be before vndk because both are capable 263# of loading libRS_internal.so 264namespace.sphal.links = rs,default,vndk 265 266# Renderscript gets separate namespace 267namespace.sphal.link.rs.shared_libs = libRS_internal.so 268 269namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES% 270namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 271 272namespace.sphal.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% 273 274############################################################################### 275# "rs" namespace 276# 277# This namespace is exclusively for Renderscript internal libraries. 278# This namespace has slightly looser restriction than the vndk namespace because 279# of the genuine characteristics of Renderscript; /data is in the permitted path 280# to load the compiled *.so file and libmediandk.so can be used here. 281############################################################################### 282namespace.rs.isolated = true 283namespace.rs.visible = true 284 285namespace.rs.search.paths = /odm/${LIB}/vndk-sp 286namespace.rs.search.paths += /vendor/${LIB}/vndk-sp 287namespace.rs.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 288namespace.rs.search.paths += /odm/${LIB} 289namespace.rs.search.paths += /vendor/${LIB} 290 291namespace.rs.permitted.paths = /odm/${LIB} 292namespace.rs.permitted.paths += /vendor/${LIB} 293namespace.rs.permitted.paths += /system/vendor/${LIB} 294namespace.rs.permitted.paths += /data 295 296namespace.rs.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp 297namespace.rs.asan.search.paths += /odm/${LIB}/vndk-sp 298namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp 299namespace.rs.asan.search.paths += /vendor/${LIB}/vndk-sp 300namespace.rs.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER% 301namespace.rs.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 302namespace.rs.asan.search.paths += /data/asan/odm/${LIB} 303namespace.rs.asan.search.paths += /odm/${LIB} 304namespace.rs.asan.search.paths += /data/asan/vendor/${LIB} 305namespace.rs.asan.search.paths += /vendor/${LIB} 306 307namespace.rs.asan.permitted.paths = /data/asan/odm/${LIB} 308namespace.rs.asan.permitted.paths += /odm/${LIB} 309namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB} 310namespace.rs.asan.permitted.paths += /vendor/${LIB} 311namespace.rs.asan.permitted.paths += /data 312 313namespace.rs.links = default,vndk 314 315namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES% 316namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 317# Private LLNDK libs (e.g. libft2.so) are exceptionally allowed to this 318# namespace because RS framework libs are using them. 319namespace.rs.link.default.shared_libs += %PRIVATE_LLNDK_LIBRARIES% 320 321namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% 322 323############################################################################### 324# "vndk" namespace 325# 326# This namespace is exclusively for vndk-sp libs. 327############################################################################### 328namespace.vndk.isolated = true 329namespace.vndk.visible = true 330 331namespace.vndk.search.paths = /odm/${LIB}/vndk-sp 332namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp 333namespace.vndk.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 334 335namespace.vndk.permitted.paths = /odm/${LIB}/hw 336namespace.vndk.permitted.paths += /odm/${LIB}/egl 337namespace.vndk.permitted.paths += /vendor/${LIB}/hw 338namespace.vndk.permitted.paths += /vendor/${LIB}/egl 339namespace.vndk.permitted.paths += /system/vendor/${LIB}/hw 340namespace.vndk.permitted.paths += /system/vendor/${LIB}/egl 341# This is exceptionally required since android.hidl.memory@1.0-impl.so is here 342namespace.vndk.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw 343 344namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp 345namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp 346namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp 347namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp 348namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER% 349namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 350 351namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw 352namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw 353namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl 354namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl 355namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw 356namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw 357namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl 358namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl 359 360namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%/hw 361namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw 362 363# The "vndk" namespace links to "default" namespace for LLNDK libs and links to 364# "sphal" namespace for vendor libs. The ordering matters. The "default" 365# namespace has higher priority than the "sphal" namespace. 366namespace.vndk.links = default,sphal 367 368# When these NDK libs are required inside this namespace, then it is redirected 369# to the default namespace. This is possible since their ABI is stable across 370# Android releases. 371namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES% 372namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 373 374# Allow VNDK-SP extensions to use vendor libraries 375namespace.vndk.link.sphal.allow_all_shared_libs = true 376 377 378############################################################################### 379# Namespace config for vendor processes. In O, no restriction is enforced for 380# them. However, in O-MR1, access to /system/${LIB} will not be allowed to 381# the default namespace. 'system' namespace will be added to give limited 382# (LL-NDK only) access. 383############################################################################### 384[vendor] 385additional.namespaces = runtime,system,vndk%VNDK_IN_SYSTEM_NS% 386 387############################################################################### 388# "default" namespace 389# 390# This is the default linker namespace for a vendor process (a process started 391# from /vendor/bin/*). The main executable and the libs under /vendor/lib[64] 392# are loaded directly into this namespace. However, other libs under the system 393# partition (VNDK and LLNDK libraries) are not loaded here but from the 394# separate namespace 'system'. The delegation to the system namespace is done 395# via the 'namespace.default.link.system.shared_libs' property below. 396# 397# '#VNDK27#' TAG is only for building ld.config.27.txt for backward 398# compatibility. (TODO:b/123390078) Move them to a separate file. 399############################################################################### 400namespace.default.isolated = true 401namespace.default.visible = true 402 403namespace.default.search.paths = /odm/${LIB} 404namespace.default.search.paths += /vendor/${LIB} 405 406namespace.default.permitted.paths = /odm 407namespace.default.permitted.paths += /vendor 408namespace.default.permitted.paths += /system/vendor 409#VNDK27#namespace.default.search.paths += /vendor/${LIB}/hw 410#VNDK27#namespace.default.search.paths += /vendor/${LIB}/egl 411 412namespace.default.asan.search.paths = /data/asan/odm/${LIB} 413namespace.default.asan.search.paths += /odm/${LIB} 414namespace.default.asan.search.paths += /data/asan/vendor/${LIB} 415namespace.default.asan.search.paths += /vendor/${LIB} 416#VNDK27#namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/hw 417#VNDK27#namespace.default.asan.search.paths += /vendor/${LIB}/hw 418#VNDK27#namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/egl 419#VNDK27#namespace.default.asan.search.paths += /vendor/${LIB}/egl 420 421namespace.default.asan.permitted.paths = /data/asan/odm 422namespace.default.asan.permitted.paths += /odm 423namespace.default.asan.permitted.paths += /data/asan/vendor 424namespace.default.asan.permitted.paths += /vendor 425 426namespace.default.links = system,vndk%VNDK_IN_SYSTEM_NS% 427namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES% 428namespace.default.link.vndk_in_system.shared_libs = %VNDK_USING_CORE_VARIANT_LIBRARIES% 429namespace.default.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% 430namespace.default.link.vndk.shared_libs += %VNDK_CORE_LIBRARIES% 431 432############################################################################### 433# "runtime" APEX namespace 434# 435# This namespace exposes externally accessible libraries from the Runtime APEX. 436############################################################################### 437namespace.runtime.isolated = true 438 439# Keep in sync with ld.config.txt in the com.android.runtime APEX. 440namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} 441namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} 442namespace.runtime.links = system 443# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library 444# when it exists. 445namespace.runtime.link.system.allow_all_shared_libs = true 446 447############################################################################### 448# "vndk" namespace 449# 450# This namespace is where VNDK and VNDK-SP libraries are loaded for 451# a vendor process. 452############################################################################### 453namespace.vndk.isolated = false 454 455namespace.vndk.search.paths = /odm/${LIB}/vndk 456namespace.vndk.search.paths += /odm/${LIB}/vndk-sp 457namespace.vndk.search.paths += /vendor/${LIB}/vndk 458namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp 459namespace.vndk.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 460namespace.vndk.search.paths += /system/${LIB}/vndk%VNDK_VER% 461 462namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk 463namespace.vndk.asan.search.paths += /odm/${LIB}/vndk 464namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk-sp 465namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp 466namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk 467namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk 468namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp 469namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp 470namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER% 471namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 472namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk%VNDK_VER% 473namespace.vndk.asan.search.paths += /system/${LIB}/vndk%VNDK_VER% 474 475# When these NDK libs are required inside this namespace, then it is redirected 476# to the system namespace. This is possible since their ABI is stable across 477# Android releases. The links here should be identical to that of the 478# 'vndk_in_system' namespace, except for the link between 'vndk' and 479# 'vndk_in_system'. 480namespace.vndk.links = system,default%VNDK_IN_SYSTEM_NS% 481 482namespace.vndk.link.system.shared_libs = %LLNDK_LIBRARIES% 483namespace.vndk.link.system.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 484 485namespace.vndk.link.default.allow_all_shared_libs = true 486 487namespace.vndk.link.vndk_in_system.shared_libs = %VNDK_USING_CORE_VARIANT_LIBRARIES% 488 489############################################################################### 490# "system" namespace 491# 492# This namespace is where system libs (VNDK and LLNDK libs) are loaded for 493# a vendor process. 494############################################################################### 495namespace.system.isolated = false 496 497namespace.system.search.paths = /system/${LIB} 498namespace.system.search.paths += /%PRODUCT%/${LIB} 499namespace.system.search.paths += /%PRODUCT_SERVICES%/${LIB} 500 501namespace.system.asan.search.paths = /data/asan/system/${LIB} 502namespace.system.asan.search.paths += /system/${LIB} 503namespace.system.asan.search.paths += /data/asan/product/${LIB} 504namespace.system.asan.search.paths += /%PRODUCT%/${LIB} 505namespace.system.asan.search.paths += /data/asan/product_services/${LIB} 506namespace.system.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} 507 508namespace.system.links = runtime 509namespace.system.link.runtime.shared_libs = libdexfile_external.so 510# libicuuc.so and libicui18n.so are kept for app compat reason. http://b/130788466 511namespace.system.link.runtime.shared_libs += libicui18n.so 512namespace.system.link.runtime.shared_libs += libicuuc.so 513namespace.system.link.runtime.shared_libs += libnativebridge.so 514namespace.system.link.runtime.shared_libs += libnativehelper.so 515namespace.system.link.runtime.shared_libs += libnativeloader.so 516# Workaround for b/124772622 517namespace.system.link.runtime.shared_libs += libandroidicu.so 518 519############################################################################### 520# "vndk_in_system" namespace 521# 522# This namespace is where no-vendor-variant VNDK libraries are loaded for a 523# vendor process. Note that we do not simply export these libraries from 524# "system" namespace, because in some case both the core variant and the 525# vendor variant of a VNDK library may be loaded. In such case, we do not 526# want to eliminate double-loading because doing so means the global states 527# of the library would be shared. 528# 529# Only the no-vendor-variant VNDK libraries are whitelisted in this namespace. 530# This is to ensure that we do not load libraries needed by no-vendor-variant 531# VNDK libraries into vndk_in_system namespace. 532############################################################################### 533namespace.vndk_in_system.isolated = true 534namespace.vndk_in_system.visible = true 535 536# The search paths here should be kept the same as that of the 'system' 537# namespace. 538namespace.vndk_in_system.search.paths = /system/${LIB} 539namespace.vndk_in_system.search.paths += /%PRODUCT%/${LIB} 540namespace.vndk_in_system.search.paths += /%PRODUCT_SERVICES%/${LIB} 541 542namespace.vndk_in_system.asan.search.paths = /data/asan/system/${LIB} 543namespace.vndk_in_system.asan.search.paths += /system/${LIB} 544namespace.vndk_in_system.asan.search.paths += /data/asan/product/${LIB} 545namespace.vndk_in_system.asan.search.paths += /%PRODUCT%/${LIB} 546namespace.vndk_in_system.asan.search.paths += /data/asan/product_services/${LIB} 547namespace.vndk_in_system.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} 548 549namespace.vndk_in_system.whitelisted = %VNDK_USING_CORE_VARIANT_LIBRARIES% 550 551# The links here should be identical to that of the 'vndk' namespace, with the 552# following exception: 553# 1. 'vndk_in_system' needs to be freely linked back to 'vndk'. 554# 2. 'vndk_in_system' does not need to link to 'default', as any library that 555# requires anything vendor would not be a vndk_in_system library. 556namespace.vndk_in_system.links = vndk,system 557 558namespace.vndk_in_system.link.system.shared_libs = %LLNDK_LIBRARIES% 559namespace.vndk_in_system.link.system.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 560 561namespace.vndk_in_system.link.vndk.allow_all_shared_libs = true 562 563 564############################################################################### 565# Namespace config for native tests that need access to both system and vendor 566# libraries. This replicates the default linker config (done by 567# init_default_namespace_no_config in bionic/linker/linker.cpp), except that it 568# includes the requisite namespace setup for APEXes. 569############################################################################### 570[unrestricted] 571additional.namespaces = runtime,media,conscrypt,resolv 572 573namespace.default.search.paths = /system/${LIB} 574namespace.default.search.paths += /odm/${LIB} 575namespace.default.search.paths += /vendor/${LIB} 576 577namespace.default.asan.search.paths = /data/asan/system/${LIB} 578namespace.default.asan.search.paths += /system/${LIB} 579namespace.default.asan.search.paths += /data/asan/odm/${LIB} 580namespace.default.asan.search.paths += /odm/${LIB} 581namespace.default.asan.search.paths += /data/asan/vendor/${LIB} 582namespace.default.asan.search.paths += /vendor/${LIB} 583 584# Keep in sync with ld.config.txt in the com.android.runtime APEX. 585namespace.default.links = runtime,resolv 586namespace.default.visible = true 587 588namespace.default.link.runtime.shared_libs = libdexfile_external.so 589# libicuuc.so and libicui18n.so are kept for app compat reason. http://b/130788466 590namespace.default.link.runtime.shared_libs += libicui18n.so 591namespace.default.link.runtime.shared_libs += libicuuc.so 592namespace.default.link.runtime.shared_libs += libnativebridge.so 593namespace.default.link.runtime.shared_libs += libnativehelper.so 594namespace.default.link.runtime.shared_libs += libnativeloader.so 595namespace.default.link.runtime.shared_libs += libandroidicu.so 596 597# TODO(b/122876336): Remove libpac.so once it's migrated to Webview 598namespace.default.link.runtime.shared_libs += libpac.so 599 600namespace.default.link.resolv.shared_libs = libnetd_resolv.so 601 602############################################################################### 603# "runtime" APEX namespace 604# 605# This namespace exposes externally accessible libraries from the Runtime APEX. 606############################################################################### 607namespace.runtime.isolated = true 608namespace.runtime.visible = true 609 610# Keep in sync with ld.config.txt in the com.android.runtime APEX. 611namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} 612namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} 613namespace.runtime.links = default 614# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library 615# when it exists. 616namespace.runtime.link.default.allow_all_shared_libs = true 617 618############################################################################### 619# "media" APEX namespace 620# 621# This namespace is for libraries within the media APEX. 622############################################################################### 623namespace.media.isolated = true 624namespace.media.visible = true 625 626namespace.media.search.paths = /apex/com.android.media/${LIB} 627namespace.media.asan.search.paths = /apex/com.android.media/${LIB} 628 629namespace.media.permitted.paths = /apex/com.android.media/${LIB}/extractors 630namespace.media.asan.permitted.paths = /apex/com.android.media/${LIB}/extractors 631 632namespace.media.links = default 633namespace.media.link.default.shared_libs = %LLNDK_LIBRARIES% 634namespace.media.link.default.shared_libs += libbinder_ndk.so 635namespace.media.link.default.shared_libs += libmediametrics.so 636namespace.media.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 637 638############################################################################### 639# "conscrypt" APEX namespace 640# 641# This namespace is for libraries within the conscrypt APEX. 642############################################################################### 643namespace.conscrypt.isolated = true 644namespace.conscrypt.visible = true 645 646# Keep in sync with ld.config.txt in the com.android.runtime APEX. 647namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} 648namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} 649namespace.conscrypt.links = runtime,default 650namespace.conscrypt.link.runtime.shared_libs = libandroidio.so 651namespace.conscrypt.link.default.shared_libs = libc.so 652namespace.conscrypt.link.default.shared_libs += libm.so 653namespace.conscrypt.link.default.shared_libs += libdl.so 654namespace.conscrypt.link.default.shared_libs += liblog.so 655 656############################################################################### 657# "resolv" APEX namespace 658# 659# This namespace is for libraries within the resolv APEX. 660############################################################################### 661namespace.resolv.isolated = true 662namespace.resolv.visible = true 663 664namespace.resolv.search.paths = /apex/com.android.resolv/${LIB} 665namespace.resolv.asan.search.paths = /apex/com.android.resolv/${LIB} 666namespace.resolv.links = default 667namespace.resolv.link.default.shared_libs = libc.so 668namespace.resolv.link.default.shared_libs += libm.so 669namespace.resolv.link.default.shared_libs += libdl.so 670namespace.resolv.link.default.shared_libs += libbinder_ndk.so 671namespace.resolv.link.default.shared_libs += liblog.so 672 673 674############################################################################### 675# Namespace config for binaries under /postinstall. 676# Only default namespace is defined and default has no directories 677# other than /system/lib in the search paths. This is because linker calls 678# realpath on the search paths and this causes selinux denial if the paths 679# (/vendor, /odm) are not allowed to the postinstall binaries. There is no 680# reason to allow the binaries to access the paths. 681############################################################################### 682[postinstall] 683namespace.default.isolated = false 684namespace.default.search.paths = /system/${LIB} 685namespace.default.search.paths += /%PRODUCT%/${LIB} 686namespace.default.search.paths += /%PRODUCT_SERVICES%/${LIB} 687