Merge "All architectures have AT_SYSINFO_EHDR now."
diff --git a/linker/linker_config.cpp b/linker/linker_config.cpp
index 2bdde1e..f6d5072 100644
--- a/linker/linker_config.cpp
+++ b/linker/linker_config.cpp
@@ -320,7 +320,7 @@
     return (it == properties_.end()) ? "" : it->second.value();
   }
 
-  std::vector<std::string> get_paths(const std::string& name, size_t* lineno = nullptr) {
+  std::vector<std::string> get_paths(const std::string& name, bool resolve, size_t* lineno = nullptr) {
     std::string paths_str = get_string(name, lineno);
 
     std::vector<std::string> paths;
@@ -338,12 +338,16 @@
       format_string(&path, params);
     }
 
-    std::vector<std::string> resolved_paths;
+    if (resolve) {
+      std::vector<std::string> resolved_paths;
 
-    // do not remove paths that do not exist
-    resolve_paths(paths, &resolved_paths);
+      // do not remove paths that do not exist
+      resolve_paths(paths, &resolved_paths);
 
-    return resolved_paths;
+      return resolved_paths;
+    } else {
+      return paths;
+    }
   }
 
   void set_target_sdk_version(int target_sdk_version) {
@@ -474,8 +478,18 @@
       property_name_prefix += ".asan";
     }
 
-    ns_config->set_search_paths(properties.get_paths(property_name_prefix + ".search.paths"));
-    ns_config->set_permitted_paths(properties.get_paths(property_name_prefix + ".permitted.paths"));
+    // search paths are resolved (canonicalized). This is required mainly for
+    // the case when /vendor is a symlink to /system/vendor, which is true for
+    // non Treble-ized legacy devices.
+    ns_config->set_search_paths(properties.get_paths(property_name_prefix + ".search.paths", true));
+
+    // However, for permitted paths, we are not required to resolve the paths
+    // since they are only set for isolated namespaces, which implies the device
+    // is Treble-ized (= /vendor is not a symlink to /system/vendor).
+    // In fact, the resolving is causing an unexpected side effect of selinux
+    // denials on some executables which are not allowed to access some of the
+    // permitted paths.
+    ns_config->set_permitted_paths(properties.get_paths(property_name_prefix + ".permitted.paths", false));
   }
 
   failure_guard.Disable();