Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / c3ae5fd1825d7a9958b5cfbd91444246af3767a0^! / .
commitc3ae5fd1825d7a9958b5cfbd91444246af3767a0[log] [tgz]
authorInseob Kim <inseob@google.com>Wed Nov 30 18:26:56 2022 +0900
committerInseob Kim <inseob@google.com>Wed Nov 30 18:28:22 2022 +0900
tree5702688d5f9cb8863eb0f5e1be1ee565377b4fdc
parent5a896f525dbadbae3ce8d7e071466e650506049f [diff]
Restrict libraires from VM payload libraries

... so only the select libraries can be linked against. It includes
libc, libm, libdl, liblog, libvm_payload, etc.

Bug: 259311868
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: I5cbdaa8195a04a904a766f34a0def4b00ccfc904

diff --git a/launcher/main.cpp b/launcher/main.cpp
index 18a768d..ae55be9 100644
--- a/launcher/main.cpp
+++ b/launcher/main.cpp

@@ -34,12 +34,21 @@
         const char* name, const char* ld_library_path, const char* default_library_path,
         uint64_t type, const char* permitted_when_isolated_path,
         struct android_namespace_t* parent);
+
+extern bool android_link_namespaces(struct android_namespace_t* from,
+                                    struct android_namespace_t* to,
+                                    const char* shared_libs_sonames);
 } // extern "C"
 
 static void* load(const std::string& libname);
 
 constexpr char entrypoint_name[] = "AVmPayload_main";
 
+static constexpr const char* kAllowedLibs[] = {
+        "libc.so",   "libm.so",          "libdl.so",         "libdl_android.so",
+        "liblog.so", "libvm_payload.so", "libbinder_ndk.so", "libbinder_rpc_unstable.so",
+};
+
 int main(int argc, char* argv[]) {
     if (argc != 2) {
         std::cout << "Usage:\n";
@@ -69,8 +78,8 @@
 void* load(const std::string& libname) {
     // Parent as nullptr means the default namespace
     android_namespace_t* parent = nullptr;
-    // The search paths of the new namespace are inherited from the parent namespace.
-    const uint64_t type = ANDROID_NAMESPACE_TYPE_SHARED;
+    // The search paths of the new namespace are isolated to restrict system private libraries.
+    const uint64_t type = ANDROID_NAMESPACE_TYPE_ISOLATED;
     // The directory of the library is appended to the search paths
     const std::string libdir = libname.substr(0, libname.find_last_of("/"));
     const char* ld_library_path = libdir.c_str();
@@ -84,6 +93,13 @@
         return nullptr;
     }
 
+    std::string libs;
+    for (const char* lib : kAllowedLibs) {
+        if (!libs.empty()) libs += ':';
+        libs += lib;
+    }
+    android_link_namespaces(new_ns, nullptr, libs.c_str());
+
     const android_dlextinfo info = {
             .flags = ANDROID_DLEXT_USE_NAMESPACE,
             .library_namespace = new_ns,