author | 2022-12-23 21:51:13 +0000 | |
---|---|---|
committer | 2023-01-07 21:11:46 +0000 | |
commit | 453b9fe909c22eb0f01b3072a5213dd46aed6f45 (patch) | |
tree | 4a8ba7821d1a4eaaeeacc9cde7a103fe3a303e47 /libnativeloader/library_namespaces.cpp | |
parent | dfbed3af514c47e72fdf9efc556c751dea9487eb (diff) |
Undo giving full access to system libs from other system libs.
Directly extending the search path to /system/${LIB} for system APKs
may result in system libs being loaded in an app classloader namespace
rather than the system namespace. If those libs then depend on other
non-public libraries, e.g. in APEXes, that are only accessible through
links from the system namespace, then those dependencies will fail to
load because the app classloader namespace doesn't have the same links.
This CL functionally undoes https://r.android.com/2211602, but only
disables tests that break, and adds some tests to exercise the
situation above.
Also change native libs in the test to use `min_sdk_version` rather
than `sdk_version`, because now when they contain code they need an
NDK, and one with exactly version 31 is normally not available in the
build. (Otoh, the java libraries with `product_specific: true` or
`vendor: true` aren't allowed to use `min_sdk_version`.)
Test: atest -a libnativeloader_test libnativeloader_lazy_test \
libnativeloader_e2e_tests
Bug: 258340826
Bug: 237577392
Change-Id: I95a3fbc6c8021c037fffda1423aa90c62973ec89
Diffstat (limited to 'libnativeloader/library_namespaces.cpp')
-rw-r--r-- | libnativeloader/library_namespaces.cpp | 20 |
1 files changed, 1 insertions, 19 deletions
diff --git a/libnativeloader/library_namespaces.cpp b/libnativeloader/library_namespaces.cpp
index 2a6febdd80..9aeebf38ad 100644
--- a/libnativeloader/library_namespaces.cpp
+++ b/libnativeloader/library_namespaces.cpp
@@ -88,18 +88,15 @@ constexpr const char* kVendorLibPath = "/vendor/" LIB;
 // below, because they can't be two separate directories - either one has to be
 // a symlink to the other.
 constexpr const char* kProductLibPath = "/product/" LIB ":/system/product/" LIB;
-constexpr const char* kSystemLibPath = "/system/" LIB ":/system_ext/" LIB;
 const std::regex kVendorDexPathRegex("(^|:)(/system)?/vendor/");
 const std::regex kProductDexPathRegex("(^|:)(/system)?/product/");
-const std::regex kSystemDexPathRegex("(^|:)/system(_ext)?/"); // MUST be tested last.
 // Define origin partition of APK
 using ApkOrigin = enum {
 APK_ORIGIN_DEFAULT = 0,
 APK_ORIGIN_VENDOR = 1, // Includes both /vendor and /system/vendor
 APK_ORIGIN_PRODUCT = 2, // Includes both /product and /system/product
- APK_ORIGIN_SYSTEM = 3, // Includes both /system and /system_ext but not /system/{vendor,product}
 };
 jobject GetParentClassLoader(JNIEnv* env, jobject class_loader) {
@@ -122,9 +119,6 @@ ApkOrigin GetApkOriginFromDexPath(const std::string& dex_path) {
 apk_origin = APK_ORIGIN_PRODUCT;
 }
- if (apk_origin == APK_ORIGIN_DEFAULT && std::regex_search(dex_path, kSystemDexPathRegex)) {
- apk_origin = APK_ORIGIN_SYSTEM;
- }
 return apk_origin;
 }
@@ -246,19 +240,7 @@ Result<NativeLoaderNamespace*> LibraryNamespaces::Create(JNIEnv* env, uint32_t t
 const char* apk_origin_msg = "other apk"; // Only for debug logging.
 if (!is_shared) {
- if (apk_origin == APK_ORIGIN_SYSTEM) {
- // System apps commonly get access to system libs from the system
- // namespace through shared namespaces (i.e. is_shared is true) and hence
- // don't need this. In practice it's necessary for shared system libraries
- // (i.e. JARs rather than actual APKs) that are loaded by ordinary apps
- // which don't get shared namespaces.
- apk_origin_msg = "system apk";
-
- // Give access to all libraries in the system and system_ext partitions
- // (they can freely access each other's private APIs).
- library_path = library_path + ":" + kSystemLibPath;
- permitted_path = permitted_path + ":" + kSystemLibPath;
- } else if (apk_origin == APK_ORIGIN_VENDOR) {
+ if (apk_origin == APK_ORIGIN_VENDOR) {
 unbundled_app_origin = APK_ORIGIN_VENDOR;
 apk_origin_msg = "unbundled vendor apk";
 |
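Review bot: Nothing at the `if (!is_shared)` branch records why system and system_ext origins are deliberately left out, so the removed path extension could be re-added later without anyone seeing the namespace-isolation reason given in the commit message. I would add a comment above `if (apk_origin == APK_ORIGIN_VENDOR) {` such as `// Deliberately no /system/${LIB} search path here: system libs must load in the system namespace,` followed by `// otherwise their dependencies on non-public (e.g. APEX) libs fail for lack of namespace links.` Dex paths under /system or /system_ext now presumably fall through with `apk_origin_msg` left at "other apk", so the debug log no longer tells them apart from third-party APKs; a short note next to that initializer would help when reading loader logs. The body of `LibraryNamespaces::Create` starts and continues outside this hunk.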