1 files changed, 15 insertions, 4 deletions

diff --git a/core/jni/fd_utils.cpp b/core/jni/fd_utils.cpp
index c72668f84fb1..68e01f6da99d 100644
--- a/core/jni/fd_utils.cpp
+++ b/core/jni/fd_utils.cpp
@@ -33,8 +33,10 @@
 
 // Static whitelist of open paths that the zygote is allowed to keep open.
 static const char* kPathWhitelist[] = {
+        "/apex/com.android.appsearch/javalib/framework-appsearch.jar",
         "/apex/com.android.conscrypt/javalib/conscrypt.jar",
         "/apex/com.android.ipsec/javalib/ike.jar",
+        "/apex/com.android.i18n/javalib/core-icu4j.jar",
         "/apex/com.android.media/javalib/updatable-media.jar",
         "/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar",
         "/apex/com.android.os.statsd/javalib/framework-statsd.jar",
@@ -55,6 +57,8 @@ static const char* kPathWhitelist[] = {
         "/dev/urandom",
         "/dev/ion",
         "/dev/dri/renderD129", // Fixes b/31172436
+        "/dev/stune/foreground/tasks",
+        "/dev/blkio/tasks",
 };
 
 static const char kFdPath[] = "/proc/self/fd";
@@ -85,11 +89,18 @@ bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const {
   }
 
   // Framework jars are allowed.
-  static const char* kFrameworksPrefix = "/system/framework/";
+  static const char* kFrameworksPrefix[] = {
+          "/system/framework/",
+          "/system_ext/framework/",
+  };
+
   static const char* kJarSuffix = ".jar";
-  if (android::base::StartsWith(path, kFrameworksPrefix)
-      && android::base::EndsWith(path, kJarSuffix)) {
-    return true;
+
+  for (const auto& frameworks_prefix : kFrameworksPrefix) {
+    if (android::base::StartsWith(path, frameworks_prefix)
+        && android::base::EndsWith(path, kJarSuffix)) {
+      return true;
+    }
   }
 
   // Jars from the ART APEX are allowed.