RESTRICT AUTOMERGE: Revert "Give full access to system libs from other system libs."
Extending the search path to /system/${LIB} may result in system libs
being loaded in an app classloader namespace. If those libs then depend
on other non-public libraries, e.g. in APEXes, that are only accessible
through links from the system namespace, then those dependencies will
fail to load because the app classloader namespace doesn't have the
same links.
This reverts commit 32aaa89c321a7e51bf97856b935f2dfb4f64399b.
Test: banchan com.google.android.art
m dist
adb install out/dist/com.google.android.art.apex
atest -a libnativeloader_test libnativeloader_lazy_test \
libnativeloader_e2e_tests
on a tm-release platform image
Bug: 258340826
Bug: 237577392
Ignore-AOSP-First: Reverting for February train boarding. Revert in
AOSP still TBD.
Change-Id: I57fee1b208fe56cf6519dd00967d971144a4b33f
diff --git a/libnativeloader/library_namespaces.cpp b/libnativeloader/library_namespaces.cpp
index f3c93a0..bcc19aa 100644
--- a/libnativeloader/library_namespaces.cpp
+++ b/libnativeloader/library_namespaces.cpp
@@ -85,18 +85,15 @@
// below, because they can't be two separate directories - either one has to be
// a symlink to the other.
constexpr const char* kProductLibPath = "/product/" LIB ":/system/product/" LIB;
-constexpr const char* kSystemLibPath = "/system/" LIB ":/system_ext/" LIB;
const std::regex kVendorDexPathRegex("(^|:)(/system)?/vendor/");
const std::regex kProductDexPathRegex("(^|:)(/system)?/product/");
-const std::regex kSystemDexPathRegex("(^|:)/system(_ext)?/"); // MUST be tested last.
-// Define origin partition of APK
+// Define origin of APK if it is from vendor partition or product partition
using ApkOrigin = enum {
APK_ORIGIN_DEFAULT = 0,
APK_ORIGIN_VENDOR = 1, // Includes both /vendor and /system/vendor
APK_ORIGIN_PRODUCT = 2, // Includes both /product and /system/product
- APK_ORIGIN_SYSTEM = 3, // Includes both /system and /system_ext but not /system/{vendor,product}
};
jobject GetParentClassLoader(JNIEnv* env, jobject class_loader) {
@@ -119,9 +116,6 @@
apk_origin = APK_ORIGIN_PRODUCT;
}
- if (apk_origin == APK_ORIGIN_DEFAULT && std::regex_search(dex_path, kSystemDexPathRegex)) {
- apk_origin = APK_ORIGIN_SYSTEM;
- }
return apk_origin;
}
@@ -243,18 +237,7 @@
const char* apk_origin_msg = "other apk"; // Only for debug logging.
if (!is_shared) {
- if (apk_origin == APK_ORIGIN_SYSTEM) {
- // System apps commonly get shared namespaces and hence don't need this.
- // In practice it's necessary for shared system libraries (i.e. JARs
- // rather than actual APKs) that are loaded by ordinary apps which don't
- // get shared namespaces.
- apk_origin_msg = "system apk";
-
- // Give access to all libraries in the system and system_ext partitions
- // (they can freely access each other's private APIs).
- library_path = library_path + ":" + kSystemLibPath;
- permitted_path = permitted_path + ":" + kSystemLibPath;
- } else if (apk_origin == APK_ORIGIN_VENDOR) {
+ if (apk_origin == APK_ORIGIN_VENDOR) {
unbundled_app_origin = APK_ORIGIN_VENDOR;
apk_origin_msg = "unbundled vendor apk";
@@ -308,7 +291,8 @@
// they are to other apps, including those in system, system_ext, and
// product partitions. The reason is that when GSI is used, the system
// partition may get replaced, and then vendor apps may fail. It's fine for
- // product apps, because that partition isn't mounted in GSI tests.
+ // product (and system_ext) apps, because those partitions aren't mounted in
+ // GSI tests.
auto libs =
filter_public_libraries(target_sdk_version, uses_libraries, extended_public_libraries());
if (!libs.empty()) {
diff --git a/libnativeloader/test/Android.bp b/libnativeloader/test/Android.bp
index 1d3a07a..b43a02c 100644
--- a/libnativeloader/test/Android.bp
+++ b/libnativeloader/test/Android.bp
@@ -55,13 +55,6 @@
srcs: ["src/android/test/systemsharedlib/SystemSharedLib.java"],
}
-// Test fixture that represents a shared library in /system_ext/framework.
-java_library {
- name: "libnativeloader_system_ext_shared_lib",
- installable: true,
- srcs: ["src/android/test/systemextsharedlib/SystemExtSharedLib.java"],
-}
-
java_defaults {
name: "loadlibrarytest_app_defaults",
defaults: ["art_module_source_build_java_defaults"],
@@ -70,10 +63,7 @@
"androidx.test.rules",
"loadlibrarytest_test_utils",
],
- libs: [
- "libnativeloader_system_shared_lib",
- "libnativeloader_system_ext_shared_lib",
- ],
+ libs: ["libnativeloader_system_shared_lib"],
}
android_test_helper_app {
@@ -135,7 +125,6 @@
data: [
":library_container_app",
":libnativeloader_system_shared_lib",
- ":libnativeloader_system_ext_shared_lib",
":loadlibrarytest_system_priv_app",
":loadlibrarytest_system_app",
":loadlibrarytest_system_ext_app",
diff --git a/libnativeloader/test/loadlibrarytest_data_app_manifest.xml b/libnativeloader/test/loadlibrarytest_data_app_manifest.xml
index 2af0af4..9b663e6 100644
--- a/libnativeloader/test/loadlibrarytest_data_app_manifest.xml
+++ b/libnativeloader/test/loadlibrarytest_data_app_manifest.xml
@@ -21,7 +21,6 @@
android:targetPackage="android.test.app.data" />
<application>
<uses-library android:name="android.test.systemsharedlib" />
- <uses-library android:name="android.test.systemextsharedlib" />
<uses-native-library android:required="false" android:name="libfoo.oem1.so" />
<uses-native-library android:required="false" android:name="libbar.oem1.so" />
<uses-native-library android:required="false" android:name="libfoo.oem2.so" />
diff --git a/libnativeloader/test/loadlibrarytest_product_app_manifest.xml b/libnativeloader/test/loadlibrarytest_product_app_manifest.xml
index 614f33f..c1d997a 100644
--- a/libnativeloader/test/loadlibrarytest_product_app_manifest.xml
+++ b/libnativeloader/test/loadlibrarytest_product_app_manifest.xml
@@ -21,7 +21,6 @@
android:targetPackage="android.test.app.product" />
<application>
<uses-library android:name="android.test.systemsharedlib" />
- <uses-library android:name="android.test.systemextsharedlib" />
<uses-native-library android:required="false" android:name="libfoo.oem1.so" />
<uses-native-library android:required="false" android:name="libbar.oem1.so" />
<uses-native-library android:required="false" android:name="libfoo.oem2.so" />
diff --git a/libnativeloader/test/loadlibrarytest_system_app_manifest.xml b/libnativeloader/test/loadlibrarytest_system_app_manifest.xml
index 5711f65..5c6af09 100644
--- a/libnativeloader/test/loadlibrarytest_system_app_manifest.xml
+++ b/libnativeloader/test/loadlibrarytest_system_app_manifest.xml
@@ -21,7 +21,6 @@
android:targetPackage="android.test.app.system" />
<application>
<uses-library android:name="android.test.systemsharedlib" />
- <uses-library android:name="android.test.systemextsharedlib" />
<!-- System apps get a shared classloader namespace, so they don't need
uses-native-library entries for anything in /system. -->
<uses-native-library android:required="false" android:name="libfoo.product1.so" />
diff --git a/libnativeloader/test/loadlibrarytest_system_ext_app_manifest.xml b/libnativeloader/test/loadlibrarytest_system_ext_app_manifest.xml
index 8aa3fa9..961f9ba 100644
--- a/libnativeloader/test/loadlibrarytest_system_ext_app_manifest.xml
+++ b/libnativeloader/test/loadlibrarytest_system_ext_app_manifest.xml
@@ -21,7 +21,6 @@
android:targetPackage="android.test.app.system_ext" />
<application>
<uses-library android:name="android.test.systemsharedlib" />
- <uses-library android:name="android.test.systemextsharedlib" />
<!-- System apps get a shared classloader namespace, so they don't need
uses-native-library entries for anything in /system. -->
<uses-native-library android:required="false" android:name="libfoo.product1.so" />
diff --git a/libnativeloader/test/loadlibrarytest_system_priv_app_manifest.xml b/libnativeloader/test/loadlibrarytest_system_priv_app_manifest.xml
index 126453c..f4bf3c0 100644
--- a/libnativeloader/test/loadlibrarytest_system_priv_app_manifest.xml
+++ b/libnativeloader/test/loadlibrarytest_system_priv_app_manifest.xml
@@ -21,7 +21,6 @@
android:targetPackage="android.test.app.system_priv" />
<application>
<uses-library android:name="android.test.systemsharedlib" />
- <uses-library android:name="android.test.systemextsharedlib" />
<!-- System apps get a shared classloader namespace, so they don't need
uses-native-library entries for anything in /system. -->
<uses-native-library android:required="false" android:name="libfoo.product1.so" />
diff --git a/libnativeloader/test/loadlibrarytest_vendor_app_manifest.xml b/libnativeloader/test/loadlibrarytest_vendor_app_manifest.xml
index a2a9f64..1a8cbcc 100644
--- a/libnativeloader/test/loadlibrarytest_vendor_app_manifest.xml
+++ b/libnativeloader/test/loadlibrarytest_vendor_app_manifest.xml
@@ -21,7 +21,6 @@
android:targetPackage="android.test.app.vendor" />
<application>
<uses-library android:name="android.test.systemsharedlib" />
- <uses-library android:name="android.test.systemextsharedlib" />
<uses-native-library android:required="false" android:name="libfoo.oem1.so" />
<uses-native-library android:required="false" android:name="libbar.oem1.so" />
<uses-native-library android:required="false" android:name="libfoo.oem2.so" />
diff --git a/libnativeloader/test/src/android/test/app/DataAppTest.java b/libnativeloader/test/src/android/test/app/DataAppTest.java
index 767a7b1..db97e8d 100644
--- a/libnativeloader/test/src/android/test/app/DataAppTest.java
+++ b/libnativeloader/test/src/android/test/app/DataAppTest.java
@@ -17,7 +17,6 @@
package android.test.app;
import android.test.lib.TestUtils;
-import android.test.systemextsharedlib.SystemExtSharedLib;
import android.test.systemsharedlib.SystemSharedLib;
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
@@ -41,24 +40,16 @@
@Test
public void testLoadPrivateLibraries() {
TestUtils.assertLinkerNamespaceError(() -> System.loadLibrary("system_private1"));
- TestUtils.assertLinkerNamespaceError(() -> System.loadLibrary("systemext_private1"));
TestUtils.assertLibraryNotFound(() -> System.loadLibrary("product_private1"));
TestUtils.assertLibraryNotFound(() -> System.loadLibrary("vendor_private1"));
}
@Test
public void testLoadPrivateLibrariesViaSystemSharedLib() {
- SystemSharedLib.loadLibrary("system_private2");
- SystemSharedLib.loadLibrary("systemext_private2");
+ // TODO(b/237577392): Fix this use case.
+ TestUtils.assertLinkerNamespaceError(() -> SystemSharedLib.loadLibrary("system_private2"));
+
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("product_private2"));
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("vendor_private2"));
}
-
- @Test
- public void testLoadPrivateLibrariesViaSystemExtSharedLib() {
- SystemExtSharedLib.loadLibrary("system_private3");
- SystemExtSharedLib.loadLibrary("systemext_private3");
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("product_private3"));
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("vendor_private3"));
- }
}
diff --git a/libnativeloader/test/src/android/test/app/ProductAppTest.java b/libnativeloader/test/src/android/test/app/ProductAppTest.java
index 1f36798..a9b8697 100644
--- a/libnativeloader/test/src/android/test/app/ProductAppTest.java
+++ b/libnativeloader/test/src/android/test/app/ProductAppTest.java
@@ -17,7 +17,6 @@
package android.test.app;
import android.test.lib.TestUtils;
-import android.test.systemextsharedlib.SystemExtSharedLib;
import android.test.systemsharedlib.SystemSharedLib;
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
@@ -41,24 +40,16 @@
@Test
public void testLoadPrivateLibraries() {
TestUtils.assertLinkerNamespaceError(() -> System.loadLibrary("system_private1"));
- TestUtils.assertLinkerNamespaceError(() -> System.loadLibrary("systemext_private1"));
System.loadLibrary("product_private1");
TestUtils.assertLibraryNotFound(() -> System.loadLibrary("vendor_private1"));
}
@Test
public void testLoadPrivateLibrariesViaSystemSharedLib() {
- SystemSharedLib.loadLibrary("system_private2");
- SystemSharedLib.loadLibrary("systemext_private2");
+ // TODO(b/237577392): Fix this use case.
+ TestUtils.assertLinkerNamespaceError(() -> SystemSharedLib.loadLibrary("system_private2"));
+
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("product_private2"));
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("vendor_private2"));
}
-
- @Test
- public void testLoadPrivateLibrariesViaSystemExtSharedLib() {
- SystemExtSharedLib.loadLibrary("system_private3");
- SystemExtSharedLib.loadLibrary("systemext_private3");
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("product_private3"));
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("vendor_private3"));
- }
}
diff --git a/libnativeloader/test/src/android/test/app/SystemAppTest.java b/libnativeloader/test/src/android/test/app/SystemAppTest.java
index 197a40c..6644478 100644
--- a/libnativeloader/test/src/android/test/app/SystemAppTest.java
+++ b/libnativeloader/test/src/android/test/app/SystemAppTest.java
@@ -17,7 +17,6 @@
package android.test.app;
import android.test.lib.TestUtils;
-import android.test.systemextsharedlib.SystemExtSharedLib;
import android.test.systemsharedlib.SystemSharedLib;
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
@@ -41,7 +40,6 @@
@Test
public void testLoadPrivateLibraries() {
System.loadLibrary("system_private1");
- System.loadLibrary("systemext_private1");
TestUtils.assertLibraryNotFound(() -> System.loadLibrary("product_private1"));
TestUtils.assertLibraryNotFound(() -> System.loadLibrary("vendor_private1"));
}
@@ -49,16 +47,7 @@
@Test
public void testLoadPrivateLibrariesViaSystemSharedLib() {
SystemSharedLib.loadLibrary("system_private2");
- SystemSharedLib.loadLibrary("systemext_private2");
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("product_private2"));
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("vendor_private2"));
}
-
- @Test
- public void testLoadPrivateLibrariesViaSystemExtSharedLib() {
- SystemExtSharedLib.loadLibrary("system_private3");
- SystemExtSharedLib.loadLibrary("systemext_private3");
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("product_private3"));
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("vendor_private3"));
- }
}
diff --git a/libnativeloader/test/src/android/test/app/VendorAppTest.java b/libnativeloader/test/src/android/test/app/VendorAppTest.java
index c9ce8db..5187ac8 100644
--- a/libnativeloader/test/src/android/test/app/VendorAppTest.java
+++ b/libnativeloader/test/src/android/test/app/VendorAppTest.java
@@ -17,7 +17,6 @@
package android.test.app;
import android.test.lib.TestUtils;
-import android.test.systemextsharedlib.SystemExtSharedLib;
import android.test.systemsharedlib.SystemSharedLib;
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
@@ -40,7 +39,6 @@
@Test
public void testLoadPrivateLibraries() {
TestUtils.assertLinkerNamespaceError(() -> System.loadLibrary("system_private1"));
- TestUtils.assertLinkerNamespaceError(() -> System.loadLibrary("systemext_private1"));
TestUtils.assertLibraryNotFound(() -> System.loadLibrary("product_private1"));
// TODO(mast): The vendor app fails to load a private vendor library because it gets
// classified as untrusted_app in SELinux, which doesn't have access to vendor_file. Even an
@@ -51,17 +49,10 @@
@Test
public void testLoadPrivateLibrariesViaSystemSharedLib() {
- SystemSharedLib.loadLibrary("system_private2");
- SystemSharedLib.loadLibrary("systemext_private2");
+ // TODO(b/237577392): Fix this use case.
+ TestUtils.assertLinkerNamespaceError(() -> SystemSharedLib.loadLibrary("system_private2"));
+
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("product_private2"));
TestUtils.assertLibraryNotFound(() -> SystemSharedLib.loadLibrary("vendor_private2"));
}
-
- @Test
- public void testLoadPrivateLibrariesViaSystemExtSharedLib() {
- SystemExtSharedLib.loadLibrary("system_private3");
- SystemExtSharedLib.loadLibrary("systemext_private3");
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("product_private3"));
- TestUtils.assertLibraryNotFound(() -> SystemExtSharedLib.loadLibrary("vendor_private3"));
- }
}
diff --git a/libnativeloader/test/src/android/test/hostside/LibnativeloaderTest.java b/libnativeloader/test/src/android/test/hostside/LibnativeloaderTest.java
index c929037..c908a49 100644
--- a/libnativeloader/test/src/android/test/hostside/LibnativeloaderTest.java
+++ b/libnativeloader/test/src/android/test/hostside/LibnativeloaderTest.java
@@ -69,10 +69,7 @@
ctx.pushExtendedPublicProductLibs(libApk);
ctx.pushPrivateLibs(libApk);
}
- ctx.pushSystemSharedLib("/system/framework", "android.test.systemsharedlib",
- "libnativeloader_system_shared_lib.jar");
- ctx.pushSystemSharedLib("/system_ext/framework", "android.test.systemextsharedlib",
- "libnativeloader_system_ext_shared_lib.jar");
+ ctx.pushSystemSharedLib();
// "Install" apps in various partitions through plain adb push followed by a soft reboot. We
// need them in these locations to test library loading restrictions, so for all except
@@ -233,18 +230,17 @@
void pushPrivateLibs(ZipFile libApk) throws Exception {
// Push the libraries once for each test. Since we cannot unload them, we need a fresh
// never-before-loaded library in each loadLibrary call.
- for (int i = 1; i <= 3; ++i) {
+ for (int i = 1; i <= 2; ++i) {
pushNativeTestLib(libApk, "/system/${LIB}/libsystem_private" + i + ".so");
- pushNativeTestLib(libApk, "/system_ext/${LIB}/libsystemext_private" + i + ".so");
pushNativeTestLib(libApk, "/product/${LIB}/libproduct_private" + i + ".so");
pushNativeTestLib(libApk, "/vendor/${LIB}/libvendor_private" + i + ".so");
}
}
- void pushSystemSharedLib(String packageDir, String packageName, String buildJarName)
- throws Exception {
- String path = packageDir + "/" + packageName + ".jar";
- pushFile(buildJarName, path);
+ void pushSystemSharedLib() throws Exception {
+ String packageName = "android.test.systemsharedlib";
+ String path = "/system/framework/" + packageName + ".jar";
+ pushFile("libnativeloader_system_shared_lib.jar", path);
pushString("<permissions>\n"
+ "<library name=\"" + packageName + "\" file=\"" + path + "\" />\n"
+ "</permissions>\n",
diff --git a/libnativeloader/test/src/android/test/systemextsharedlib/SystemExtSharedLib.java b/libnativeloader/test/src/android/test/systemextsharedlib/SystemExtSharedLib.java
deleted file mode 100644
index 1240e12..0000000
--- a/libnativeloader/test/src/android/test/systemextsharedlib/SystemExtSharedLib.java
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) 2022 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.test.systemextsharedlib;
-
-public final class SystemExtSharedLib {
- public static void loadLibrary(String name) { System.loadLibrary(name); }
-}