From 4ca0ca67bf466381e59865137e6811e863002984 Mon Sep 17 00:00:00 2001 From: Martin Stjernholm Date: Thu, 25 Apr 2019 16:20:32 +0100 Subject: [PATCH] Fix libnativeloader to correctly link to the platform namespace. This affected binaries in the Runtime APEX, where the platform namespace is "platform" rather than "default". Also extend ANDROID_ADDITIONAL_PUBLIC_LIBRARIES to create links to both to platform and runtime namespaces, so that it can be used to open up access to internal libraries in the Runtime APEX as well, which is used by ART gtests and run tests. Also update some comments in the ld.config*.txt files to accurately explain why some namespaces need to be visible, and some other minor changes for consistency. There are no semantically significant changes in those files. Test: Flash and boot Test: Run an ART run test with the internal libarttest.so library Bug: 130293232 Bug: 121117762 Change-Id: I7ebaf5370dd0f533b1bb5f0e67e7c3c1df48e512 --- libnativeloader/native_loader.cpp | 45 +++++++++++++++++++---------- rootdir/etc/ld.config.legacy.txt | 14 +++++---- rootdir/etc/ld.config.txt | 34 ++++++++++++++-------- rootdir/etc/ld.config.vndk_lite.txt | 36 ++++++++++++++--------- 4 files changed, 82 insertions(+), 47 deletions(-) diff --git a/libnativeloader/native_loader.cpp b/libnativeloader/native_loader.cpp index 5cc0857f6..6666937b4 100644 --- a/libnativeloader/native_loader.cpp +++ b/libnativeloader/native_loader.cpp 
@@ -126,7 +126,7 @@ static constexpr const char* kRuntimeNamespaceName = "runtime"; // classloader, the classloader-namespace namespace associated with that // classloader is selected for dlopen. The namespace is configured so that its // search path is set to the app-local JNI directory and it is linked to the -// default namespace with the names of libs listed in the public.libraries.txt. +// platform namespace with the names of libs listed in the public.libraries.txt. // This way an app can only load its own JNI libraries along with the public libs. static constexpr const char* kClassloaderNamespaceName = "classloader-namespace"; // Same thing for vendor APKs. 
@@ -307,21 +307,24 @@ class LibraryNamespaces { } } - std::string runtime_exposed_libraries = base::Join(kRuntimePublicLibraries, ":"); + std::string runtime_exposed_libraries = runtime_public_libraries_; NativeLoaderNamespace native_loader_ns; if (!is_native_bridge) { + // The platform namespace is called "default" for binaries in /system and + // "platform" for those in the Runtime APEX. Try "platform" first since + // "default" always exists. + android_namespace_t* platform_ns = android_get_exported_namespace(kPlatformNamespaceName); + if (platform_ns == nullptr) { + platform_ns = android_get_exported_namespace(kDefaultNamespaceName); + } + android_namespace_t* android_parent_ns; if (parent_ns != nullptr) { android_parent_ns = parent_ns->get_android_ns(); } else { - // Fall back to the platform namespace if no parent is found. It is - // called "default" for binaries in /system and "platform" for those in - // the Runtime APEX. Try "platform" first since "default" always exists. - android_parent_ns = android_get_exported_namespace(kPlatformNamespaceName); - if (android_parent_ns == nullptr) { - android_parent_ns = android_get_exported_namespace(kDefaultNamespaceName); - } + // Fall back to the platform namespace if no parent is found. + android_parent_ns = platform_ns; } android_namespace_t* ns = android_create_namespace(namespace_name, @@ -342,7 +345,7 @@ class LibraryNamespaces { android_namespace_t* runtime_ns = android_get_exported_namespace(kRuntimeNamespaceName); - if (!android_link_namespaces(ns, nullptr, system_exposed_libraries.c_str())) { + if (!android_link_namespaces(ns, platform_ns, system_exposed_libraries.c_str())) { *error_msg = dlerror(); return nullptr; } 
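Review bot: `platform_ns` is never checked for null after the two `android_get_exported_namespace` lookups, yet it is now passed straight to `android_link_namespaces(ns, platform_ns, ...)` in the following hunk. If neither "platform" nor "default" is exported (for example, a linker config without `namespace.default.visible = true`), the call presumably behaves like the old `nullptr` argument and links the classloader namespace to the caller's own default namespace. That is the mis-link this commit sets out to fix, and it would happen without any error. Fail closed right after the fallback lookup, e.g. `if (platform_ns == nullptr) { *error_msg = "platform namespace not found"; return nullptr; }`. The native bridge branch (hunks at -372 and -397) has the same gap with `NativeBridgeGetExportedNamespace`; the enclosing function starts and ends outside these hunks.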
@@ -372,14 +375,19 @@ class LibraryNamespaces { native_loader_ns = NativeLoaderNamespace(ns); } else { + // Same functionality as in the branch above, but calling through native bridge. + + native_bridge_namespace_t* platform_ns = + NativeBridgeGetExportedNamespace(kPlatformNamespaceName); + if (platform_ns == nullptr) { + platform_ns = NativeBridgeGetExportedNamespace(kDefaultNamespaceName); + } + native_bridge_namespace_t* native_bridge_parent_namespace; if (parent_ns != nullptr) { native_bridge_parent_namespace = parent_ns->get_native_bridge_ns(); } else { - native_bridge_parent_namespace = NativeBridgeGetExportedNamespace(kPlatformNamespaceName); - if (native_bridge_parent_namespace == nullptr) { - native_bridge_parent_namespace = NativeBridgeGetExportedNamespace(kDefaultNamespaceName); - } + native_bridge_parent_namespace = platform_ns; } native_bridge_namespace_t* ns = NativeBridgeCreateNamespace(namespace_name, @@ -397,7 +405,7 @@ class LibraryNamespaces { native_bridge_namespace_t* runtime_ns = NativeBridgeGetExportedNamespace(kRuntimeNamespaceName); - if (!NativeBridgeLinkNamespaces(ns, nullptr, system_exposed_libraries.c_str())) { + if (!NativeBridgeLinkNamespaces(ns, platform_ns, system_exposed_libraries.c_str())) { *error_msg = NativeBridgeGetError(); return nullptr; } @@ -449,6 +457,7 @@ class LibraryNamespaces { std::string root_dir = android_root_env != nullptr ? android_root_env : "/system"; std::string public_native_libraries_system_config = root_dir + kPublicNativeLibrariesSystemConfigPathFromRoot; + std::string runtime_public_libraries = base::Join(kRuntimePublicLibraries, ":"); std::string llndk_native_libraries_system_config = root_dir + kLlndkNativeLibrariesSystemConfigPathFromRoot; std::string vndksp_native_libraries_system_config = 
@@ -470,6 +479,10 @@ class LibraryNamespaces { std::vector additional_libs_vector = base::Split(additional_libs, ":"); std::copy(additional_libs_vector.begin(), additional_libs_vector.end(), std::back_inserter(sonames)); + // Apply the same list to the runtime namespace, since some libraries + // might reside there. + CHECK(sizeof(kRuntimePublicLibraries) > 0); + runtime_public_libraries = runtime_public_libraries + ':' + additional_libs; } } @@ -495,6 +508,7 @@ class LibraryNamespaces { } system_public_libraries_ = base::Join(sonames, ':'); + runtime_public_libraries_ = runtime_public_libraries; // read /system/etc/public.libraries-.txt which contain partner defined // system libs that are exposed to apps. The libs in the txt files must be @@ -722,6 +736,7 @@ class LibraryNamespaces { bool initialized_; std::list> namespaces_; std::string system_public_libraries_; + std::string runtime_public_libraries_; std::string vendor_public_libraries_; std::string oem_public_libraries_; std::string product_public_libraries_; diff --git a/rootdir/etc/ld.config.legacy.txt b/rootdir/etc/ld.config.legacy.txt index aa392ce3f..85b8cdc29 100644 --- a/rootdir/etc/ld.config.legacy.txt +++ b/rootdir/etc/ld.config.legacy.txt @@ -20,6 +20,9 @@ dir.legacy = /data [legacy] namespace.default.isolated = false +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. +namespace.default.visible = true namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /product/${LIB} 
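Review bot: `CHECK(sizeof(kRuntimePublicLibraries) > 0);` can never fail, because `sizeof` of an array is a non-zero compile-time constant, so it does not protect the `':'` join on the next line from an empty runtime list. Test the joined string instead: `if (!runtime_public_libraries.empty()) runtime_public_libraries += ':';` followed by `runtime_public_libraries += additional_libs;`. The raw `additional_libs` value also appears to widen what the runtime namespace exposes to app classloader namespaces, since `runtime_public_libraries_` feeds `runtime_exposed_libraries` in the -307 hunk. The condition guarding this block is outside the hunk, so confirm it is still restricted to debuggable builds and say so in the new comment, e.g. `// Debuggable builds only: also opens these libs in the runtime namespace.`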
@@ -41,7 +44,7 @@ namespace.default.asan.search.paths += /odm/${LIB} additional.namespaces = runtime,conscrypt,media,resolv -# Keep in sync with ld.config.txt in the com.android.runtime APEX. +# Keep in sync with the "platform" namespace in art/build/apex/ld.config.txt. # If a shared library or an executable requests a shared library that # cannot be loaded into the default namespace, the dynamic linker tries # to load the shared library from the runtime namespace. And then, if the @@ -50,9 +53,6 @@ additional.namespaces = runtime,conscrypt,media,resolv # Finally, if all attempts fail, the dynamic linker returns an error. namespace.default.links = runtime,resolv namespace.default.asan.links = runtime,resolv -# Visible because some libraries are dlopen'ed, e.g. libopenjdk is dlopen'ed by -# libart. -namespace.default.visible = true namespace.default.link.runtime.shared_libs = libdexfile_external.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so @@ -71,11 +71,13 @@ namespace.default.link.resolv.shared_libs = libnetd_resolv.so # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.runtime.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default 
@@ -119,11 +121,11 @@ namespace.media.link.default.shared_libs += libclang_rt.hwasan-aarch64-android.s # "conscrypt" APEX namespace # # This namespace is for libraries within the conscrypt APEX. +# Keep in sync with the "conscrypt" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.conscrypt.isolated = true namespace.conscrypt.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.links = runtime,default diff --git a/rootdir/etc/ld.config.txt b/rootdir/etc/ld.config.txt index 3f9882a72..b37a55177 100644 --- a/rootdir/etc/ld.config.txt +++ b/rootdir/etc/ld.config.txt @@ -43,6 +43,9 @@ additional.namespaces = runtime,conscrypt,media,resolv,sphal,vndk,rs # can't be loaded in this namespace. ############################################################################### namespace.default.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. +namespace.default.visible = true namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /%PRODUCT%/${LIB} @@ -121,7 +124,7 @@ namespace.default.asan.permitted.paths += /mnt/expand namespace.default.asan.permitted.paths += /apex/com.android.runtime/${LIB}/bionic namespace.default.asan.permitted.paths += /system/${LIB}/bootstrap -# Keep in sync with ld.config.txt in the com.android.runtime APEX. +# Keep in sync with the "platform" namespace in art/build/apex/ld.config.txt. # If a shared library or an executable requests a shared library that # cannot be loaded into the default namespace, the dynamic linker tries # to load the shared library from the runtime namespace. And then, if the 
@@ -129,9 +132,6 @@ namespace.default.asan.permitted.paths += /system/${LIB}/bootstrap # dynamic linker tries to load the shared library from the resolv namespace. # Finally, if all attempts fail, the dynamic linker returns an error. namespace.default.links = runtime,resolv -# Visible because some libraries are dlopen'ed, e.g. libopenjdk is dlopen'ed by -# libart. -namespace.default.visible = true namespace.default.link.runtime.shared_libs = libdexfile_external.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so @@ -150,11 +150,13 @@ namespace.default.link.resolv.shared_libs = libnetd_resolv.so # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.runtime.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default 
@@ -187,11 +189,11 @@ namespace.media.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # "conscrypt" APEX namespace # # This namespace is for libraries within the conscrypt APEX. +# Keep in sync with the "conscrypt" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.conscrypt.isolated = true namespace.conscrypt.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.links = runtime,default @@ -234,6 +236,8 @@ namespace.resolv.link.default.shared_libs += libvndksupport.so # Note that there is no link from the default namespace to this namespace. ############################################################################### namespace.sphal.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.sphal.visible = true namespace.sphal.search.paths = /odm/${LIB} @@ -323,6 +327,8 @@ namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% # This namespace is exclusively for vndk-sp libs. ############################################################################### namespace.vndk.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.vndk.visible = true namespace.vndk.search.paths = /odm/${LIB}/vndk-sp 
@@ -430,10 +436,10 @@ namespace.default.link.vndk.shared_libs += %VNDK_CORE_LIBRARIES% # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = system @@ -564,6 +570,10 @@ namespace.vndk_in_system.link.vndk.allow_all_shared_libs = true [unrestricted] additional.namespaces = runtime,media,conscrypt,resolv +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. +namespace.default.visible = true + namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /odm/${LIB} namespace.default.search.paths += /vendor/${LIB} @@ -575,10 +585,8 @@ namespace.default.asan.search.paths += /odm/${LIB} namespace.default.asan.search.paths += /data/asan/vendor/${LIB} namespace.default.asan.search.paths += /vendor/${LIB} -# Keep in sync with ld.config.txt in the com.android.runtime APEX. +# Keep in sync with the "platform" namespace in art/build/apex/ld.config.txt. namespace.default.links = runtime,resolv -namespace.default.visible = true - namespace.default.link.runtime.shared_libs = libdexfile_external.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so 
@@ -594,11 +602,13 @@ namespace.default.link.resolv.shared_libs = libnetd_resolv.so # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.runtime.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default @@ -629,11 +639,11 @@ namespace.media.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # "conscrypt" APEX namespace # # This namespace is for libraries within the conscrypt APEX. +# Keep in sync with the "conscrypt" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.conscrypt.isolated = true namespace.conscrypt.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.links = runtime,default diff --git a/rootdir/etc/ld.config.vndk_lite.txt b/rootdir/etc/ld.config.vndk_lite.txt index 6d898863a..04fbd8271 100644 --- a/rootdir/etc/ld.config.vndk_lite.txt +++ b/rootdir/etc/ld.config.vndk_lite.txt 
@@ -43,6 +43,9 @@ additional.namespaces = runtime,conscrypt,media,resolv,sphal,vndk,rs # partitions are also allowed temporarily. ############################################################################### namespace.default.isolated = false +# Visible because some libraries are dlopen'ed, e.g. libopenjdk is dlopen'ed by +# libart. +namespace.default.visible = true namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /odm/${LIB} @@ -61,8 +64,7 @@ namespace.default.asan.search.paths += /%PRODUCT%/${LIB} namespace.default.asan.search.paths += /data/asan/%PRODUCT_SERVICES%/${LIB} namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} -# Keep in sync with the platform namespace in the com.android.runtime APEX -# ld.config.txt. +# Keep in sync with the "platform" namespace in art/build/apex/ld.config.txt. # If a shared library or an executable requests a shared library that # cannot be loaded into the default namespace, the dynamic linker tries # to load the shared library from the runtime namespace. And then, if the @@ -70,9 +72,6 @@ namespace.default.asan.search.paths += /%PRODUCT_SERVICES%/${LIB} # dynamic linker tries to load the shared library from the resolv namespace. # Finally, if all attempts fail, the dynamic linker returns an error. namespace.default.links = runtime,resolv -# Visible because some libraries are dlopen'ed, e.g. libopenjdk is dlopen'ed by -# libart. -namespace.default.visible = true namespace.default.link.runtime.shared_libs = libdexfile_external.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so 
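Review bot: The comment moved above `namespace.default.visible = true` in this hunk still gives the old reason ("some libraries are dlopen'ed, e.g. libopenjdk is dlopen'ed by libart"), while the same setting in ld.config.txt and ld.config.legacy.txt was reworded in this commit. libnativeloader now looks up the platform namespace through `android_get_exported_namespace` and links to it, so visibility of "default" matters to that path and the comment should say so. Use the same two lines as the other files: `# Visible to allow links to be created at runtime, e.g. through` and `# android_link_namespaces in libnativeloader.`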
@@ -91,12 +90,13 @@ namespace.default.link.resolv.shared_libs = libnetd_resolv.so # "runtime" APEX namespace # # This namespace pulls in externally accessible libs from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.runtime.visible = true -# Keep in sync with the default namespace in the com.android.runtime APEX -# ld.config.txt. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default @@ -129,11 +129,11 @@ namespace.media.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # "conscrypt" APEX namespace # # This namespace is for libraries within the conscrypt APEX. +# Keep in sync with the "conscrypt" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.conscrypt.isolated = true namespace.conscrypt.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.links = runtime,default @@ -176,6 +176,8 @@ namespace.resolv.link.default.shared_libs += libvndksupport.so # Note that there is no link from the default namespace to this namespace. ############################################################################### namespace.sphal.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.sphal.visible = true namespace.sphal.search.paths = /odm/${LIB} 
@@ -265,6 +267,8 @@ namespace.rs.link.vndk.shared_libs = %VNDK_SAMEPROCESS_LIBRARIES% # This namespace is exclusively for vndk-sp libs. ############################################################################### namespace.vndk.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.vndk.visible = true namespace.vndk.search.paths = /odm/${LIB}/vndk-sp @@ -367,10 +371,10 @@ namespace.default.link.runtime.shared_libs += libandroidicu.so # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default @@ -387,6 +391,10 @@ namespace.runtime.link.default.allow_all_shared_libs = true [unrestricted] additional.namespaces = runtime,media,conscrypt,resolv +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. +namespace.default.visible = true + namespace.default.search.paths = /system/${LIB} namespace.default.search.paths += /odm/${LIB} namespace.default.search.paths += /vendor/${LIB} 
@@ -398,10 +406,8 @@ namespace.default.asan.search.paths += /odm/${LIB} namespace.default.asan.search.paths += /data/asan/vendor/${LIB} namespace.default.asan.search.paths += /vendor/${LIB} -# Keep in sync with ld.config.txt in the com.android.runtime APEX. +# Keep in sync with the "platform" namespace in art/build/apex/ld.config.txt. namespace.default.links = runtime,resolv -namespace.default.visible = true - namespace.default.link.runtime.shared_libs = libdexfile_external.so namespace.default.link.runtime.shared_libs += libnativebridge.so namespace.default.link.runtime.shared_libs += libnativehelper.so @@ -417,11 +423,13 @@ namespace.default.link.resolv.shared_libs = libnetd_resolv.so # "runtime" APEX namespace # # This namespace exposes externally accessible libraries from the Runtime APEX. +# Keep in sync with the "runtime" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.runtime.isolated = true +# Visible to allow links to be created at runtime, e.g. through +# android_link_namespaces in libnativeloader. namespace.runtime.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.runtime.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.asan.search.paths = /apex/com.android.runtime/${LIB} namespace.runtime.links = default 
@@ -452,11 +460,11 @@ namespace.media.link.default.shared_libs += %SANITIZER_RUNTIME_LIBRARIES% # "conscrypt" APEX namespace # # This namespace is for libraries within the conscrypt APEX. +# Keep in sync with the "conscrypt" namespace in art/build/apex/ld.config.txt. ############################################################################### namespace.conscrypt.isolated = true namespace.conscrypt.visible = true -# Keep in sync with ld.config.txt in the com.android.runtime APEX. namespace.conscrypt.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.asan.search.paths = /apex/com.android.conscrypt/${LIB} namespace.conscrypt.links = runtime,default