From 465c5fb2a308348b5f962b41275f69b18241a6c5 Mon Sep 17 00:00:00 2001
From: "Torne (Richard Coles)"
Date: Tue, 24 Mar 2020 17:57:50 -0400
Subject: [PATCH] Don't include the data dir in zygote library paths.
When creating a LoadedApk in a zygote context (app zygote or WebView zygote), don't add the app's data dir to the list of paths the dynamic linker is allowed to load libraries from, because the linker's attempt to canonicalize the path causes SELinux access denials. The process can't access the data directory at all, so cannot load libraries from there in any case.
Fixes: 149481620
Test: check for avc denials from webview_zygote
Change-Id: I9aceecaf6067e748cc2251782b0f41661cbb35d8
(cherry picked from commit e1579d4d14119e688fa3952d6bbc44ef81f942fe)
---
 core/java/android/app/LoadedApk.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/core/java/android/app/LoadedApk.java b/core/java/android/app/LoadedApk.java
index d650801f39ea..10f7835b3d69 100644
--- a/core/java/android/app/LoadedApk.java
+++ b/core/java/android/app/LoadedApk.java
@@ -801,6 +801,11 @@ public final class LoadedApk {
 makePaths(mActivityThread, isBundledApp, mApplicationInfo, zipPaths, libPaths);
 String libraryPermittedPath = mDataDir;
+ if (mActivityThread == null) {
+ // In a zygote context where mActivityThread is null we can't access the app data dir
+ // and including this in libraryPermittedPath would cause SELinux denials.
+ libraryPermittedPath = "";
+ }
 if (isBundledApp) {
 // For bundled apps, add the base directory of the app (e.g.,
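Review bot: Setting `libraryPermittedPath = ""` in the new `mActivityThread == null` branch leaves an empty string as the base that the `isBundledApp` branch right after it builds on. That branch's body is outside the hunk, but if it appends with a path separator the result would begin with an empty element, and consumers of search-path lists have classically read an empty element as the current directory. It is worth confirming how the linker namespace code treats an empty permitted-path entry, and either skipping the separator when the base is empty or recording the invariant with a comment such as `// Empty = no data-dir entry; appends below must not add a leading separator.` The check also uses a null `mActivityThread` as its only signal for a zygote context, so any other caller that builds a LoadedApk without an ActivityThread would silently lose the data dir as well; the comment should say whether that is intended. The enclosing method starts and ends outside the hunk.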