1# Copyright (C) 2017 The Android Open Source Project 2# 3# Bionic loader config file. 4# 5 6# Don't change the order here. The first pattern that matches with the 7# absolute path of an executable is selected. 8dir.system = /system/bin/ 9dir.system = /system/xbin/ 10dir.system = /product/bin/ 11 12dir.vendor = /odm/bin/ 13dir.vendor = /vendor/bin/ 14dir.vendor = /data/nativetest/odm 15dir.vendor = /data/nativetest64/odm 16dir.vendor = /data/benchmarktest/odm 17dir.vendor = /data/benchmarktest64/odm 18dir.vendor = /data/nativetest/vendor 19dir.vendor = /data/nativetest64/vendor 20dir.vendor = /data/benchmarktest/vendor 21dir.vendor = /data/benchmarktest64/vendor 22 23dir.system = /data/nativetest 24dir.system = /data/nativetest64 25dir.system = /data/benchmarktest 26dir.system = /data/benchmarktest64 27 28dir.postinstall = /postinstall 29 30[system] 31additional.namespaces = sphal,vndk,rs 32 33############################################################################### 34# "default" namespace 35# 36# Framework-side code runs in this namespace. However, libs from other 37# partitions are also allowed temporarily. 38############################################################################### 39namespace.default.isolated = false 40 41namespace.default.search.paths = /system/${LIB} 42namespace.default.search.paths += /odm/${LIB} 43namespace.default.search.paths += /vendor/${LIB} 44namespace.default.search.paths += /product/${LIB} 45 46namespace.default.asan.search.paths = /data/asan/system/${LIB} 47namespace.default.asan.search.paths += /system/${LIB} 48namespace.default.asan.search.paths += /data/asan/odm/${LIB} 49namespace.default.asan.search.paths += /odm/${LIB} 50namespace.default.asan.search.paths += /data/asan/vendor/${LIB} 51namespace.default.asan.search.paths += /vendor/${LIB} 52namespace.default.asan.search.paths += /data/asan/product/${LIB} 53namespace.default.asan.search.paths += /product/${LIB} 54 55############################################################################### 56# "sphal" namespace 57# 58# SP-HAL(Sameprocess-HAL)s are the only vendor libraries that are allowed to be 59# loaded inside system processes. libEGL_<chipset>.so, libGLESv2_<chipset>.so, 60# android.hardware.graphics.mapper@2.0-impl.so, etc are SP-HALs. 61# 62# This namespace is exclusivly for SP-HALs. When the framework tries to dynami- 63# cally load SP-HALs, android_dlopen_ext() is used to explicitly specifying 64# that they should be searched and loaded from this namespace. 65# 66# Note that there is no link from the default namespace to this namespace. 67############################################################################### 68namespace.sphal.isolated = true 69namespace.sphal.visible = true 70 71namespace.sphal.search.paths = /odm/${LIB} 72namespace.sphal.search.paths += /vendor/${LIB} 73 74namespace.sphal.permitted.paths = /odm/${LIB} 75namespace.sphal.permitted.paths += /vendor/${LIB} 76 77namespace.sphal.asan.search.paths = /data/asan/odm/${LIB} 78namespace.sphal.asan.search.paths += /odm/${LIB} 79namespace.sphal.asan.search.paths += /data/asan/vendor/${LIB} 80namespace.sphal.asan.search.paths += /vendor/${LIB} 81 82namespace.sphal.asan.permitted.paths = /data/asan/odm/${LIB} 83namespace.sphal.asan.permitted.paths += /odm/${LIB} 84namespace.sphal.asan.permitted.paths += /data/asan/vendor/${LIB} 85namespace.sphal.asan.permitted.paths += /vendor/${LIB} 86 87# Once in this namespace, access to libraries in /system/lib is restricted. Only 88# libs listed here can be used. 89namespace.sphal.links = default,vndk,rs 90 91namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES% 92namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 93 94namespace.sphal.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% 95 96# Renderscript gets separate namespace 97namespace.sphal.link.rs.shared_libs = libRS_internal.so 98 99############################################################################### 100# "rs" namespace 101# 102# This namespace is exclusively for Renderscript internal libraries. 103# This namespace has slightly looser restriction than the vndk namespace because 104# of the genuine characteristics of Renderscript; /data is in the permitted path 105# to load the compiled *.so file and libmediandk.so can be used here. 106############################################################################### 107namespace.rs.isolated = true 108namespace.rs.visible = true 109 110namespace.rs.search.paths = /odm/${LIB}/vndk-sp 111namespace.rs.search.paths += /vendor/${LIB}/vndk-sp 112namespace.rs.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 113namespace.rs.search.paths += /odm/${LIB} 114namespace.rs.search.paths += /vendor/${LIB} 115 116namespace.rs.permitted.paths = /odm/${LIB} 117namespace.rs.permitted.paths += /vendor/${LIB} 118namespace.rs.permitted.paths += /data 119 120namespace.rs.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp 121namespace.rs.asan.search.paths += /odm/${LIB}/vndk-sp 122namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp 123namespace.rs.asan.search.paths += /vendor/${LIB}/vndk-sp 124namespace.rs.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER% 125namespace.rs.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 126namespace.rs.asan.search.paths += /data/asan/odm/${LIB} 127namespace.rs.asan.search.paths += /odm/${LIB} 128namespace.rs.asan.search.paths += /data/asan/vendor/${LIB} 129namespace.rs.asan.search.paths += /vendor/${LIB} 130 131namespace.rs.asan.permitted.paths = /data/asan/odm/${LIB} 132namespace.rs.asan.permitted.paths += /odm/${LIB} 133namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB} 134namespace.rs.asan.permitted.paths += /vendor/${LIB} 135namespace.rs.asan.permitted.paths += /data 136 137namespace.rs.links = default,vndk 138 139namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES% 140namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 141# Private LLNDK libs (e.g. libft2.so) are exceptionally allowed to this 142# namespace because RS framework libs are using them. 143namespace.rs.link.default.shared_libs += %PRIVATE_LLNDK_LIBRARIES% 144 145namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% 146 147############################################################################### 148# "vndk" namespace 149# 150# This namespace is exclusively for vndk-sp libs. 151############################################################################### 152namespace.vndk.isolated = true 153namespace.vndk.visible = true 154 155namespace.vndk.search.paths = /odm/${LIB}/vndk-sp 156namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp 157namespace.vndk.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 158 159namespace.vndk.permitted.paths = /odm/${LIB}/hw 160namespace.vndk.permitted.paths += /odm/${LIB}/egl 161namespace.vndk.permitted.paths += /vendor/${LIB}/hw 162namespace.vndk.permitted.paths += /vendor/${LIB}/egl 163# This is exceptionally required since android.hidl.memory@1.0-impl.so is here 164namespace.vndk.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw 165 166namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp 167namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp 168namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp 169namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp 170namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER% 171namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 172 173namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw 174namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw 175namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl 176namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl 177namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw 178namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw 179namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl 180namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl 181 182namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%/hw 183namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw 184 185# When these NDK libs are required inside this namespace, then it is redirected 186# to the default namespace. This is possible since their ABI is stable across 187# Android releases. 188namespace.vndk.links = default 189namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES% 190namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% 191 192############################################################################### 193# Namespace config for vendor processes. In O, no restriction is enforced for 194# them. However, in O-MR1, access to /system/${LIB} will not be allowed to 195# the default namespace. 'system' namespace will be added to give limited 196# (LL-NDK only) access. 197############################################################################### 198[vendor] 199namespace.default.isolated = false 200 201namespace.default.search.paths = /odm/${LIB} 202namespace.default.search.paths += /odm/${LIB}/vndk 203namespace.default.search.paths += /odm/${LIB}/vndk-sp 204namespace.default.search.paths += /vendor/${LIB} 205namespace.default.search.paths += /vendor/${LIB}/vndk 206namespace.default.search.paths += /vendor/${LIB}/vndk-sp 207 208# Access to system libraries are allowed 209namespace.default.search.paths += /system/${LIB}/vndk%VNDK_VER% 210namespace.default.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 211namespace.default.search.paths += /system/${LIB} 212namespace.default.search.paths += /product/${LIB} 213 214namespace.default.asan.search.paths = /data/asan/odm/${LIB} 215namespace.default.asan.search.paths += /odm/${LIB} 216namespace.default.asan.search.paths += /data/asan/odm/${LIB}/vndk 217namespace.default.asan.search.paths += /odm/${LIB}/vndk 218namespace.default.asan.search.paths += /data/asan/odm/${LIB}/vndk-sp 219namespace.default.asan.search.paths += /odm/${LIB}/vndk-sp 220namespace.default.asan.search.paths += /data/asan/vendor/${LIB} 221namespace.default.asan.search.paths += /vendor/${LIB} 222namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/vndk 223namespace.default.asan.search.paths += /vendor/${LIB}/vndk 224namespace.default.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp 225namespace.default.asan.search.paths += /vendor/${LIB}/vndk-sp 226namespace.default.asan.search.paths += /data/asan/system/${LIB}/vndk%VNDK_VER% 227namespace.default.asan.search.paths += /system/${LIB}/vndk%VNDK_VER% 228namespace.default.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER% 229namespace.default.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER% 230namespace.default.asan.search.paths += /data/asan/system/${LIB} 231namespace.default.asan.search.paths += /system/${LIB} 232namespace.default.asan.search.paths += /data/asan/product/${LIB} 233namespace.default.asan.search.paths += /product/${LIB} 234 235############################################################################### 236# Namespace config for binaries under /postinstall. 237# Only one default namespace is defined and it has no directories other than 238# /system/lib in the search paths. This is because linker calls realpath on the 239# search paths and this causes selinux denial if the paths (/vendor, /odm) are 240# not allowed to the poinstall binaries. There is no reason to allow the 241# binaries to access the paths. 242############################################################################### 243[postinstall] 244namespace.default.isolated = false 245namespace.default.search.paths = /system/${LIB} 246namespace.default.search.paths += /product/${LIB} 247