# Copyright (C) 2017 The Android Open Source Project
#
# Bionic loader config file.
#
# Layout: the dir.<section> entries below pick a section from the path of the
# executable; each [section] then declares linker namespaces through
# namespace.<name>.* properties. ${LIB} stands for lib or lib64. Tokens of the
# form %NAME% are presumably substituted before the file is installed --
# confirm against the build rules.
#

# Don't change the order here. The first pattern that matches with the
# absolute path of an executable is selected.
dir.system = /system/bin/
dir.system = /system/xbin/
dir.system = /%PRODUCT%/bin/

# The odm/vendor test directories are listed ahead of the broader
# /data/nativetest* and /data/benchmarktest* dir.system entries further down;
# with first-match selection the broader entries would presumably claim them
# otherwise.
# NOTE(review): every /data/... entry here selects a section for executables
# stored on /data, which is writable at runtime, unlike /system and /vendor.
# Looks intended for native tests and benchmarks -- confirm that is acceptable
# for the images this file ships on.
dir.vendor = /odm/bin/
dir.vendor = /vendor/bin/
dir.vendor = /data/nativetest/odm
dir.vendor = /data/nativetest64/odm
dir.vendor = /data/benchmarktest/odm
dir.vendor = /data/benchmarktest64/odm
dir.vendor = /data/nativetest/vendor
dir.vendor = /data/nativetest64/vendor
dir.vendor = /data/benchmarktest/vendor
dir.vendor = /data/benchmarktest64/vendor

dir.system = /data/nativetest
dir.system = /data/nativetest64
dir.system = /data/benchmarktest
dir.system = /data/benchmarktest64

dir.postinstall = /postinstall

[system]
# Namespaces declared in this section in addition to "default".
additional.namespaces = sphal,vndk,rs

###############################################################################
# "default" namespace
#
# Framework-side code runs in this namespace. Libs from /vendor partition
# can't be loaded in this namespace.
###############################################################################
# isolated = true confines loads to the search.paths and permitted.paths
# declared for this namespace.
namespace.default.isolated = true

namespace.default.search.paths = /system/${LIB}
namespace.default.search.paths += /%PRODUCT%/${LIB}

# We can't have entire /system/${LIB} as permitted paths because doing so
# makes it possible to load libs in /system/${LIB}/vndk* directories by
# their absolute paths (e.g. dlopen("/system/lib/vndk/libbase.so");).
# VNDK libs are built with previous versions of Android and thus must not be
# loaded into this namespace where libs built with the current version of
# Android are loaded. Mixing the two types of libs in the same namespace can
# cause unexpected problems.
# Permitted paths of the [system] "default" namespace. A permitted path allows
# a library under it to be opened by absolute path, so each entry widens what
# framework processes can load.
namespace.default.permitted.paths = /system/${LIB}/drm
namespace.default.permitted.paths += /system/${LIB}/extractors
namespace.default.permitted.paths += /system/${LIB}/hw
namespace.default.permitted.paths += /%PRODUCT%/${LIB}
# These are where odex files are located. libart has to be able to dlopen the files
namespace.default.permitted.paths += /system/framework
namespace.default.permitted.paths += /system/app
namespace.default.permitted.paths += /system/priv-app
namespace.default.permitted.paths += /vendor/framework
namespace.default.permitted.paths += /vendor/app
namespace.default.permitted.paths += /vendor/priv-app
namespace.default.permitted.paths += /odm/framework
namespace.default.permitted.paths += /odm/app
namespace.default.permitted.paths += /odm/priv-app
namespace.default.permitted.paths += /oem/app
namespace.default.permitted.paths += /%PRODUCT%/framework
namespace.default.permitted.paths += /%PRODUCT%/app
namespace.default.permitted.paths += /%PRODUCT%/priv-app
# /data and /mnt/expand are writable storage. Anything under these two trees
# can be opened by absolute path in this namespace, so what may be placed there
# has to be controlled elsewhere (file permissions, SELinux policy), not by
# this file.
namespace.default.permitted.paths += /data
namespace.default.permitted.paths += /mnt/expand

# asan.* properties take the place of the plain ones for ASan-enabled
# processes (presumably sanitizer builds only -- confirm). Each /data/asan/...
# entry precedes its read-only counterpart, so a library found under
# /data/asan shadows the one on the partition.
# NOTE(review): the two product entries use a literal /product where the
# non-ASan search path uses /%PRODUCT% -- confirm this is intended.
namespace.default.asan.search.paths = /data/asan/system/${LIB}
namespace.default.asan.search.paths += /system/${LIB}
namespace.default.asan.search.paths += /data/asan/product/${LIB}
namespace.default.asan.search.paths += /product/${LIB}

# Same list as the non-ASan permitted paths, with /data moved to the front.
namespace.default.asan.permitted.paths = /data
namespace.default.asan.permitted.paths += /system/${LIB}/drm
namespace.default.asan.permitted.paths += /system/${LIB}/extractors
namespace.default.asan.permitted.paths += /system/${LIB}/hw
namespace.default.asan.permitted.paths += /system/framework
namespace.default.asan.permitted.paths += /system/app
namespace.default.asan.permitted.paths += /system/priv-app
namespace.default.asan.permitted.paths += /vendor/framework
namespace.default.asan.permitted.paths += /vendor/app
namespace.default.asan.permitted.paths += /vendor/priv-app
namespace.default.asan.permitted.paths += /odm/framework
namespace.default.asan.permitted.paths += /odm/app
namespace.default.asan.permitted.paths += /odm/priv-app
namespace.default.asan.permitted.paths += /oem/app
namespace.default.asan.permitted.paths += /%PRODUCT%/${LIB}
namespace.default.asan.permitted.paths += /%PRODUCT%/framework
namespace.default.asan.permitted.paths += /%PRODUCT%/app
namespace.default.asan.permitted.paths += /%PRODUCT%/priv-app
# /mnt/expand: presumably adopted (expanded) storage -- writable, so the same
# care applies as for /data in this list.
namespace.default.asan.permitted.paths += /mnt/expand

###############################################################################
# "sphal" namespace
#
# SP-HAL(Sameprocess-HAL)s are the only vendor libraries that are allowed to be
# loaded inside system processes. libEGL_<chipset>.so, libGLESv2_<chipset>.so,
# android.hardware.graphics.mapper@2.0-impl.so, etc are SP-HALs.
#
# This namespace is exclusively for SP-HALs. When the framework tries to
# dynamically load SP-HALs, android_dlopen_ext() is used to explicitly specify
# that they should be searched and loaded from this namespace.
#
# Note that there is no link from the default namespace to this namespace.
###############################################################################
# isolated = true confines loads to the search/permitted paths below.
# visible = true lets code look the namespace up by name, which is how the
# framework reaches it given that no link leads here from "default".
namespace.sphal.isolated = true
namespace.sphal.visible = true

namespace.sphal.search.paths = /odm/${LIB}
namespace.sphal.search.paths += /vendor/${LIB}

namespace.sphal.permitted.paths = /odm/${LIB}
namespace.sphal.permitted.paths += /vendor/${LIB}

# ASan variants: each /data/asan/... entry is searched before the partition
# path it mirrors.
namespace.sphal.asan.search.paths = /data/asan/odm/${LIB}
namespace.sphal.asan.search.paths += /odm/${LIB}
namespace.sphal.asan.search.paths += /data/asan/vendor/${LIB}
namespace.sphal.asan.search.paths += /vendor/${LIB}

namespace.sphal.asan.permitted.paths = /data/asan/odm/${LIB}
namespace.sphal.asan.permitted.paths += /odm/${LIB}
namespace.sphal.asan.permitted.paths += /data/asan/vendor/${LIB}
namespace.sphal.asan.permitted.paths += /vendor/${LIB}

# Once in this namespace, access to libraries in /system/lib is restricted. Only
# libs listed here can be used.
# Each link.<target>.shared_libs value below is an allow-list: only the named
# libraries resolve through that link.
namespace.sphal.links = default,vndk,rs

namespace.sphal.link.default.shared_libs = %LLNDK_LIBRARIES%
namespace.sphal.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

namespace.sphal.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES%

# Renderscript gets separate namespace
namespace.sphal.link.rs.shared_libs = libRS_internal.so

###############################################################################
# "rs" namespace
#
# This namespace is exclusively for Renderscript internal libraries.
# This namespace has slightly looser restrictions than the vndk namespace
# because of the nature of Renderscript; /data is in the permitted path
# to load the compiled *.so file and libmediandk.so can be used here.
###############################################################################
namespace.rs.isolated = true
namespace.rs.visible = true

# vndk-sp directories come first, so a VNDK-SP copy of a library is preferred
# over one of the same name directly under /odm/${LIB} or /vendor/${LIB}.
namespace.rs.search.paths = /odm/${LIB}/vndk-sp
namespace.rs.search.paths += /vendor/${LIB}/vndk-sp
namespace.rs.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%
namespace.rs.search.paths += /odm/${LIB}
namespace.rs.search.paths += /vendor/${LIB}

namespace.rs.permitted.paths = /odm/${LIB}
namespace.rs.permitted.paths += /vendor/${LIB}
# Needed for the compiled Renderscript *.so files. It also means any library
# under the writable /data tree can be opened by absolute path in this
# namespace; what lands there has to be controlled by file permissions and
# SELinux policy.
namespace.rs.permitted.paths += /data

# ASan variants: each /data/asan/... entry is searched before the partition
# path it mirrors.
namespace.rs.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.rs.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp
namespace.rs.asan.search.paths += /vendor/${LIB}/vndk-sp
namespace.rs.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%
namespace.rs.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%
namespace.rs.asan.search.paths += /data/asan/odm/${LIB}
namespace.rs.asan.search.paths += /odm/${LIB}
namespace.rs.asan.search.paths += /data/asan/vendor/${LIB}
namespace.rs.asan.search.paths += /vendor/${LIB}

namespace.rs.asan.permitted.paths = /data/asan/odm/${LIB}
namespace.rs.asan.permitted.paths += /odm/${LIB}
namespace.rs.asan.permitted.paths += /data/asan/vendor/${LIB}
namespace.rs.asan.permitted.paths += /vendor/${LIB}
namespace.rs.asan.permitted.paths += /data

# Libraries not found in this namespace may come from "default" or "vndk", but
# only those named in the shared_libs allow-lists that follow.
namespace.rs.links = default,vndk

namespace.rs.link.default.shared_libs = %LLNDK_LIBRARIES%
namespace.rs.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%
# Private LLNDK libs (e.g. libft2.so) are exceptionally allowed to this
# namespace because RS framework libs are using them.
namespace.rs.link.default.shared_libs += %PRIVATE_LLNDK_LIBRARIES%

namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES%

###############################################################################
# "vndk" namespace
#
# This namespace is exclusively for vndk-sp libs.
###############################################################################
namespace.vndk.isolated = true
namespace.vndk.visible = true

namespace.vndk.search.paths = /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
namespace.vndk.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%

# Only the hw and egl subdirectories are permitted, not the whole of
# /odm/${LIB} or /vendor/${LIB}.
namespace.vndk.permitted.paths = /odm/${LIB}/hw
namespace.vndk.permitted.paths += /odm/${LIB}/egl
namespace.vndk.permitted.paths += /vendor/${LIB}/hw
namespace.vndk.permitted.paths += /vendor/${LIB}/egl
# This is exceptionally required since android.hidl.memory@1.0-impl.so is here
namespace.vndk.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw

# ASan variants: each /data/asan/... entry comes before the partition path it
# mirrors.
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%
namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%

namespace.vndk.asan.permitted.paths = /data/asan/odm/${LIB}/hw
namespace.vndk.asan.permitted.paths += /odm/${LIB}/hw
namespace.vndk.asan.permitted.paths += /data/asan/odm/${LIB}/egl
namespace.vndk.asan.permitted.paths += /odm/${LIB}/egl
namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/hw
namespace.vndk.asan.permitted.paths += /vendor/${LIB}/hw
namespace.vndk.asan.permitted.paths += /data/asan/vendor/${LIB}/egl
namespace.vndk.asan.permitted.paths += /vendor/${LIB}/egl

namespace.vndk.asan.permitted.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%/hw
namespace.vndk.asan.permitted.paths += /system/${LIB}/vndk-sp%VNDK_VER%/hw

# The "vndk" namespace links to "default" namespace for LLNDK libs and links to
# "sphal" namespace for vendor libs. The ordering matters. The "default"
# namespace has higher priority than the "sphal" namespace.
namespace.vndk.links = default,sphal

# When these NDK libs are required inside this namespace, then it is redirected
# to the default namespace. This is possible since their ABI is stable across
# Android releases.
namespace.vndk.link.default.shared_libs = %LLNDK_LIBRARIES%
namespace.vndk.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

# Allow VNDK-SP extensions to use vendor libraries
# Unlike the other links in this section, this one carries no allow-list:
# every library that resolves in "sphal" is reachable from "vndk".
namespace.vndk.link.sphal.allow_all_shared_libs = true

###############################################################################
# Namespace config for vendor processes. In O, no restriction is enforced for
# them. However, in O-MR1, access to /system/${LIB} will not be allowed to
# the default namespace. 'system' namespace will be added to give limited
# (LL-NDK only) access.
#
# NOTE(review): this text looks older than the settings that follow -- a
# 'system' namespace is already declared on the additional.namespaces line
# below. Confirm and update the description.
###############################################################################
[vendor]
additional.namespaces = system,vndk

###############################################################################
# "default" namespace
#
# This is the default linker namespace for a vendor process (a process started
# from /vendor/bin/*). The main executable and the libs under /vendor/lib[64]
# are loaded directly into this namespace. However, other libs under the system
# partition (VNDK and LLNDK libraries) are not loaded here but from the
# separate namespace 'system'. The delegation to the system namespace is done
# via the 'namespace.default.link.system.shared_libs' property below.
###############################################################################
namespace.default.isolated = true
namespace.default.visible = true

namespace.default.search.paths = /odm/${LIB}
namespace.default.search.paths += /vendor/${LIB}

# Permitted paths cover the whole /odm and /vendor trees, which is wider than
# the ${LIB} directories searched by name above.
namespace.default.permitted.paths = /odm
namespace.default.permitted.paths += /vendor

# ASan variants: each /data/asan/... entry comes before the partition path it
# mirrors.
namespace.default.asan.search.paths = /data/asan/odm/${LIB}
namespace.default.asan.search.paths += /odm/${LIB}
namespace.default.asan.search.paths += /data/asan/vendor/${LIB}
namespace.default.asan.search.paths += /vendor/${LIB}

namespace.default.asan.permitted.paths = /data/asan/odm
namespace.default.asan.permitted.paths += /odm
namespace.default.asan.permitted.paths += /data/asan/vendor
namespace.default.asan.permitted.paths += /vendor

# Allow-lists for what a vendor process may pull from outside its own
# partition: only the LLNDK list through "system", and the VNDK-SP plus VNDK
# core lists through "vndk".
namespace.default.links = system,vndk
namespace.default.link.system.shared_libs = %LLNDK_LIBRARIES%
namespace.default.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES%
namespace.default.link.vndk.shared_libs += %VNDK_CORE_LIBRARIES%

###############################################################################
# "vndk" namespace
#
# This namespace is where VNDK and VNDK-SP libraries are loaded for
# a vendor process.
###############################################################################
# Not isolated and no permitted.paths declared: loads by absolute path are not
# confined to the search paths below.
namespace.vndk.isolated = false

# odm and vendor copies are searched before the system VNDK directories.
namespace.vndk.search.paths = /odm/${LIB}/vndk
namespace.vndk.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.search.paths += /vendor/${LIB}/vndk
namespace.vndk.search.paths += /vendor/${LIB}/vndk-sp
namespace.vndk.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%
namespace.vndk.search.paths += /system/${LIB}/vndk%VNDK_VER%

# ASan variants: each /data/asan/... entry comes before the partition path it
# mirrors.
namespace.vndk.asan.search.paths = /data/asan/odm/${LIB}/vndk
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk
namespace.vndk.asan.search.paths += /data/asan/odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /odm/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk
namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk
namespace.vndk.asan.search.paths += /data/asan/vendor/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /vendor/${LIB}/vndk-sp
namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk-sp%VNDK_VER%
namespace.vndk.asan.search.paths += /system/${LIB}/vndk-sp%VNDK_VER%
namespace.vndk.asan.search.paths += /data/asan/system/${LIB}/vndk%VNDK_VER%
namespace.vndk.asan.search.paths += /system/${LIB}/vndk%VNDK_VER%

# When these NDK libs are required inside this namespace, then it is redirected
# to the system namespace. This is possible since their ABI is stable across
# Android releases.
namespace.vndk.links = system,default
namespace.vndk.link.system.shared_libs = %LLNDK_LIBRARIES%
namespace.vndk.link.system.shared_libs += %SANITIZER_RUNTIME_LIBRARIES%

# No allow-list on the link back to the vendor "default" namespace: any
# library that resolves there can be pulled in from "vndk".
namespace.vndk.link.default.allow_all_shared_libs = true

###############################################################################
# "system" namespace
#
# This namespace is where system libs (VNDK and LLNDK libs) are loaded for
# a vendor process.
###############################################################################
# Not isolated and no permitted.paths declared: loads by absolute path are not
# confined to the search paths below.
namespace.system.isolated = false

namespace.system.search.paths = /system/${LIB}
namespace.system.search.paths += /%PRODUCT%/${LIB}

# ASan variant: /data/asan/... entries come before the partition paths.
# NOTE(review): the product entries use a literal /product where the non-ASan
# list above uses /%PRODUCT% -- confirm this is intended.
namespace.system.asan.search.paths = /data/asan/system/${LIB}
namespace.system.asan.search.paths += /system/${LIB}
namespace.system.asan.search.paths += /data/asan/product/${LIB}
namespace.system.asan.search.paths += /product/${LIB}

###############################################################################
# Namespace config for binaries under /postinstall.
# Only one default namespace is defined and it has no directories other than
# /system/lib in the search paths. This is because linker calls realpath on the
# search paths and this causes selinux denial if the paths (/vendor, /odm) are
# not allowed to the postinstall binaries. There is no reason to allow the
# binaries to access the paths.
###############################################################################
[postinstall]
# Single non-isolated namespace; the search paths also include the product
# library directory alongside /system/${LIB}.
namespace.default.isolated = false
namespace.default.search.paths = /system/${LIB}
namespace.default.search.paths += /%PRODUCT%/${LIB}