From d9a8ee7598288112f6518f94d1b948d334d0d20a Mon Sep 17 00:00:00 2001 From: Narayan Kamath Date: Fri, 23 Sep 2016 09:07:11 +0100 Subject: [PATCH] Zygote: Additional whitelists for runtime overlay / other static resources. Partially cherry picked from commit 1c15c635785c64a. These files are safe to reopen for the same reason that files in /system/framework are. They're regular files and will not change after the first zygote fork. Bug: 32618130 Change-Id: I119e0bfcbf397cb331064adf148d92a5cd3ea92f (cherry picked from commit 25cd01cc69fcad34756b00e52a79c0c54178f2e6) (cherry picked from commit 9087f331a85790d49d1095e1eaf0305b7863e0ba) --- core/jni/fd_utils-inl.h | 45 ++++++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/core/jni/fd_utils-inl.h b/core/jni/fd_utils-inl.h index 1739abf3516e..e1ed5416e012 100644 --- a/core/jni/fd_utils-inl.h +++ b/core/jni/fd_utils-inl.h @@ -240,6 +240,18 @@ class FileDescriptorInfo { is_sock(false) { } + static bool StartsWith(const std::string& str, const std::string& prefix) { + return str.compare(0, prefix.size(), prefix) == 0; + } + + static bool EndsWith(const std::string& str, const std::string& suffix) { + if (suffix.size() > str.size()) { + return false; + } + + return str.compare(str.size() - suffix.size(), suffix.size(), suffix) == 0; + } + // Returns true iff. a given path is whitelisted. A path is whitelisted // if it belongs to the whitelist (see kPathWhitelist) or if it's a path // under /system/framework that ends with ".jar" or if it is a system @@ -251,31 +263,34 @@ class FileDescriptorInfo { } } - static const char* kFrameworksPrefix = "/system/framework/"; - static const char* kJarSuffix = ".jar"; - if (android::base::StartsWith(path, kFrameworksPrefix) - && android::base::EndsWith(path, kJarSuffix)) { + static const std::string kFrameworksPrefix = "/system/framework/"; + static const std::string kJarSuffix = ".jar"; + if (StartsWith(path, kFrameworksPrefix) && EndsWith(path, kJarSuffix)) { return true; } // Whitelist files needed for Runtime Resource Overlay, like these: // /system/vendor/overlay/framework-res.apk - // /system/vendor/overlay/PG/android-framework-runtime-resource-overlay.apk + // /system/vendor/overlay-subdir/pg/framework-res.apk // /data/resource-cache/system@vendor@overlay@framework-res.apk@idmap - // /data/resource-cache/system@vendor@overlay@PG@framework-res.apk@idmap - static const char* kOverlayDir = "/system/vendor/overlay/"; - static const char* kApkSuffix = ".apk"; - - if (android::base::StartsWith(path, kOverlayDir) - && android::base::EndsWith(path, kApkSuffix) + // /data/resource-cache/system@vendor@overlay-subdir@pg@framework-res.apk@idmap + // See AssetManager.cpp for more details on overlay-subdir. + static const std::string kOverlayDir = "/system/vendor/overlay/"; + static const std::string kVendorOverlayDir = "/vendor/overlay"; + static const std::string kOverlaySubdir = "/system/vendor/overlay-subdir/"; + static const std::string kApkSuffix = ".apk"; + + if ((StartsWith(path, kOverlayDir) || StartsWith(path, kOverlaySubdir) + || StartsWith(path, kVendorOverlayDir)) + && EndsWith(path, kApkSuffix) && path.find("/../") == std::string::npos) { return true; } - static const char* kOverlayIdmapPrefix = "/data/resource-cache/"; - static const char* kOverlayIdmapSuffix = ".apk@idmap"; - if (android::base::StartsWith(path, kOverlayIdmapPrefix) - && android::base::EndsWith(path, kOverlayIdmapSuffix)) { + static const std::string kOverlayIdmapPrefix = "/data/resource-cache/"; + static const std::string kOverlayIdmapSuffix = ".apk@idmap"; + if (StartsWith(path, kOverlayIdmapPrefix) && EndsWith(path, kOverlayIdmapSuffix) + && path.find("/../") == std::string::npos) { return true; } -- 2.11.0