Merge "Avoid hardcoded paths to specific APEX jars in the fd allow list."

core/jni/fd_utils.cpp

@@ -33,16 +33,6 @@
 
 // Static whitelist of open paths that the zygote is allowed to keep open.
 static const char* kPathWhitelist[] = {
-        "/apex/com.android.conscrypt/javalib/conscrypt.jar",
-        "/apex/com.android.ipsec/javalib/ike.jar",
-        "/apex/com.android.i18n/javalib/core-icu4j.jar",
-        "/apex/com.android.media/javalib/updatable-media.jar",
-        "/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar",
-        "/apex/com.android.os.statsd/javalib/framework-statsd.jar",
-        "/apex/com.android.permission/javalib/framework-permission.jar",
-        "/apex/com.android.sdkext/javalib/framework-sdkextensions.jar",
-        "/apex/com.android.wifi/javalib/framework-wifi.jar",
-        "/apex/com.android.tethering/javalib/framework-tethering.jar",
         "/dev/null",
         "/dev/socket/zygote",
         "/dev/socket/zygote_secondary",
@@ -100,11 +90,12 @@ bool FileDescriptorWhitelist::IsAllowed(const std::string& path) const {
     }
   }
 
-  // Jars from the ART APEX are allowed.
-  static const char* kArtApexPrefix = "/apex/com.android.art/javalib/";
-  if (android::base::StartsWith(path, kArtApexPrefix)
-      && android::base::EndsWith(path, kJarSuffix)) {
-    return true;
+  // Jars from APEXes are allowed. This matches /apex/**/javalib/*.jar.
+  static const char* kApexPrefix = "/apex/";
+  static const char* kApexJavalibPathSuffix = "/javalib";
+  if (android::base::StartsWith(path, kApexPrefix) && android::base::EndsWith(path, kJarSuffix) &&
+      android::base::EndsWith(android::base::Dirname(path), kApexJavalibPathSuffix)) {
+      return true;
   }
 
   // the in-memory file created by ART through memfd_create is allowed.