From 67a09e57915de6ba2562ea4a5e16ee0ad4870e27 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Fri, 18 Jan 2019 14:08:03 +0000 Subject: [PATCH] Introduce conscrypt linker namespace. And have the linker translate a java library path from an apex to a linker namespace. Bug: 122874359 Test: m, boots, gtest, run-test, CtsJdwpTests Change-Id: I216c3509c45589d28acdac068aec53877aeb104a Exempt-From-Owner-Approval: Carrying Jiyong's +2 --- libnativeloader/native_loader.cpp | 45 ++++++++++++++++++++++++++++- rootdir/etc/ld.config.txt | 16 +++++++++- rootdir/etc/ld.config.vndk_lite.txt | 16 +++++++++- 3 files changed, 74 insertions(+), 3 deletions(-) diff --git a/libnativeloader/native_loader.cpp b/libnativeloader/native_loader.cpp index 0a808ce42..ab17b29d4 100644 --- a/libnativeloader/native_loader.cpp +++ b/libnativeloader/native_loader.cpp @@ -43,6 +43,10 @@ #include #endif +extern "C" { +struct android_namespace_t* android_get_exported_namespace(const char*); +} + #define CHECK(predicate) LOG_ALWAYS_FATAL_IF(!(predicate),\ "%s:%d: %s CHECK '" #predicate "' failed.",\ __FILE__, __LINE__, __FUNCTION__) @@ -119,6 +123,8 @@ static constexpr const char* kVendorClassloaderNamespaceName = "vendor-classload // This list includes all directories app is allowed to access this way. static constexpr const char* kWhitelistedDirectories = "/data:/mnt/expand"; +static constexpr const char* kApexPath = "/apex/"; + static bool is_debuggable() { char debuggable[PROP_VALUE_MAX]; property_get("ro.debuggable", debuggable, "0"); @@ -623,14 +629,51 @@ jstring CreateClassLoaderNamespace(JNIEnv* env, return nullptr; } +#if defined(__ANDROID__) +static android_namespace_t* FindExportedNamespace(const char* caller_location) { + std::string location = caller_location; + // Lots of implicit assumptions here: we expect `caller_location` to be of the form: + // /apex/com.android...modulename/... + // + // And we extract from it 'modulename', which is the name of the linker namespace. + if (android::base::StartsWith(location, kApexPath)) { + size_t slash_index = location.find_first_of('/', strlen(kApexPath)); + LOG_ALWAYS_FATAL_IF((slash_index == std::string::npos), + "Error finding namespace of apex: no slash in path %s", caller_location); + size_t dot_index = location.find_last_of('.', slash_index); + LOG_ALWAYS_FATAL_IF((dot_index == std::string::npos), + "Error finding namespace of apex: no dot in apex name %s", caller_location); + std::string name = location.substr(dot_index + 1, slash_index - dot_index - 1); + android_namespace_t* boot_namespace = android_get_exported_namespace(name.c_str()); + LOG_ALWAYS_FATAL_IF((boot_namespace == nullptr), + "Error finding namespace of apex: no namespace called %s", name.c_str()); + return boot_namespace; + } + return nullptr; +} +#endif + void* OpenNativeLibrary(JNIEnv* env, int32_t target_sdk_version, const char* path, jobject class_loader, const char* caller_location, jstring library_path, bool* needs_native_bridge, char** error_msg) { #if defined(__ANDROID__) UNUSED(target_sdk_version); - UNUSED(caller_location); if (class_loader == nullptr) { *needs_native_bridge = false; + if (caller_location != nullptr) { + android_namespace_t* boot_namespace = FindExportedNamespace(caller_location); + if (boot_namespace != nullptr) { + const android_dlextinfo dlextinfo = { + .flags = ANDROID_DLEXT_USE_NAMESPACE, + .library_namespace = boot_namespace, + }; + void* handle = android_dlopen_ext(path, RTLD_NOW, &dlextinfo); + if (handle == nullptr) { + *error_msg = strdup(dlerror()); + } + return handle; + } + } void* handle = dlopen(path, RTLD_NOW); if (handle == nullptr) { *error_msg = strdup(dlerror()); diff --git a/rootdir/etc/ld.config.txt b/rootdir/etc/ld.config.txt index 2dda648fe..e660b9379 100644 --- a/rootdir/etc/ld.config.txt +++ b/rootdir/etc/ld.config.txt @@ -28,7 +28,7 @@ dir.system = /data/benchmarktest64 dir.postinstall = /postinstall [system] -additional.namespaces = runtime,sphal,vndk,rs +additional.namespaces = runtime,conscrypt,sphal,vndk,rs ############################################################################### # "default" namespace @@ -128,6 +128,20 @@ namespace.runtime.links = default # when it exists. namespace.runtime.link.default.allow_all_shared_libs = true +############################################################################### +# "conscrypt" APEX namespace +# +# This namespace is for libraries within the conscrypt APEX. +############################################################################### +namespace.conscrypt.isolated = true +namespace.conscrypt.visible = true + +namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} +namespace.conscrypt.links = default +# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library +# when it exists. +namespace.conscrypt.link.default.allow_all_shared_libs = true + ############################################################################### # "sphal" namespace # diff --git a/rootdir/etc/ld.config.vndk_lite.txt b/rootdir/etc/ld.config.vndk_lite.txt index 33b469852..d9a2eaa28 100644 --- a/rootdir/etc/ld.config.vndk_lite.txt +++ b/rootdir/etc/ld.config.vndk_lite.txt @@ -28,7 +28,7 @@ dir.system = /data/benchmarktest64 dir.postinstall = /postinstall [system] -additional.namespaces = runtime,sphal,vndk,rs +additional.namespaces = runtime,conscrypt,sphal,vndk,rs ############################################################################### # "default" namespace @@ -75,6 +75,20 @@ namespace.runtime.links = default # when it exists. namespace.runtime.link.default.allow_all_shared_libs = true +############################################################################### +# "conscrypt" APEX namespace +# +# This namespace is for libraries within the conscrypt APEX. +############################################################################### +namespace.conscrypt.isolated = true +namespace.conscrypt.visible = true + +namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} +namespace.conscrypt.links = default +# TODO(b/119867084): Restrict to Bionic dlopen dependencies and PALette library +# when it exists. +namespace.conscrypt.link.default.allow_all_shared_libs = true + ############################################################################### # "sphal" namespace #