Don't include the data dir in zygote library paths.

When creating a LoadedApk in a zygote context (app zygote or WebView
zygote), don't add the app's data dir to the list of paths the dynamic
linker is allowed to load libraries from, because the linker's attempt
to canonicalize the path causes SELinux access denials. The process
can't access the data directory at all, so cannot load libraries from
there in any case.

Fixes: 149481620
Test: check for avc denials from webview_zygote
Change-Id: I9aceecaf6067e748cc2251782b0f41661cbb35d8
(cherry picked from commit e1579d4d14119e688fa3952d6bbc44ef81f942fe)
Torne (Richard Coles) 2020-03-24 17:57:50 -04:00 committed by Richard Coles
parent 040c89290b
commit 465c5fb2a3

@ -801,6 +801,11 @@ public final class LoadedApk {
makePaths(mActivityThread, isBundledApp, mApplicationInfo, zipPaths, libPaths);
String libraryPermittedPath = mDataDir;
if (mActivityThread == null) {
// In a zygote context where mActivityThread is null we can't access the app data dir
// and including this in libraryPermittedPath would cause SELinux denials.
libraryPermittedPath = "";
}
if (isBundledApp) {
// For bundled apps, add the base directory of the app (e.g.,
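Review bot: The `if (mActivityThread == null)` condition is used as a stand-in for "this is a zygote context", and only the inline comment connects the two. If any other caller can construct a LoadedApk with a null mActivityThread, it will also silently lose the data dir from libraryPermittedPath. Consider naming the condition (a local boolean or small helper whose name says zygote) so the assumption is explicit and easy to audit. Also worth confirming in the `isBundledApp` branch that follows: if it appends to libraryPermittedPath with a path separator, starting from `""` leaves a leading empty entry in the permitted path list, so either build the list conditionally or verify that the linker namespace code ignores empty entries. The Test line describes a manual check for avc denials from webview_zygote only; the commit message also names the app zygote, so a note on whether that path was checked would help.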