diff options
| author | Martin Stjernholm <mast@google.com> | 2020-11-05 22:21:30 +0000 |
|---|---|---|
| committer | Martin Stjernholm <mast@google.com> | 2020-11-06 01:11:00 +0000 |
| commit | 11a661359e17063a47da80a83dee2c8b683e879b (patch) | |
| tree | eb59626ba5687972f9c259dec288fc80cff35eba /core/jni/fd_utils.cpp | |
| parent | cce157aaeeeb22a9201d44a395a765401fcc817c (diff) | |
Avoid hardcoded paths to specific APEX jars in the fd allow list.
Cherry-picked from http://ag/12996359.
Test: build & boot
Bug: 148517954
Change-Id: I2cbe75381c3032e56dd0cd2934bda3f027cb65bf
Merged-In: I2cbe75381c3032e56dd0cd2934bda3f027cb65bf
Diffstat (limited to 'core/jni/fd_utils.cpp')
| -rw-r--r-- | core/jni/fd_utils.cpp | 21 |
1 files changed, 6 insertions, 15 deletions
diff --git a/core/jni/fd_utils.cpp b/core/jni/fd_utils.cpp index 38981b0caaf7..c73aae58fe7f 100644 --- a/core/jni/fd_utils.cpp +++ b/core/jni/fd_utils.cpp @@ -33,16 +33,6 @@ // Static whitelist of open paths that the zygote is allowed to keep open. static const char* kPathWhitelist[] = { - "/apex/com.android.conscrypt/javalib/conscrypt.jar", - "/apex/com.android.ipsec/javalib/ike.jar", - "/apex/com.android.i18n/javalib/core-icu4j.jar", - "/apex/com.android.media/javalib/updatable-media.jar", - "/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar", - "/apex/com.android.os.statsd/javalib/framework-statsd.jar", - "/apex/com.android.permission/javalib/framework-permission.jar", - "/apex/com.android.sdkext/javalib/framework-sdkextensions.jar", - "/apex/com.android.wifi/javalib/framework-wifi.jar", - "/apex/com.android.tethering/javalib/framework-tethering.jar", "/dev/null", "/dev/socket/zygote", "/dev/socket/zygote_secondary", @@ -100,11 +90,12 @@ bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const { } } - // Jars from the ART APEX are allowed. - static const char* kArtApexPrefix = "/apex/com.android.art/javalib/"; - if (android::base::StartsWith(path, kArtApexPrefix) - && android::base::EndsWith(path, kJarSuffix)) { - return true; + // Jars from APEXes are allowed. This matches /apex/**/javalib/*.jar. + static const char* kApexPrefix = "/apex/"; + static const char* kApexJavalibPathSuffix = "/javalib"; + if (android::base::StartsWith(path, kApexPrefix) && android::base::EndsWith(path, kJarSuffix) && + android::base::EndsWith(android::base::Dirname(path), kApexJavalibPathSuffix)) { + return true; } // the in-memory file created by ART through memfd_create is allowed. |