Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Don't include inaccessible data dirs in library paths." into rvc-qpr-dev

Browse Source
This commit is contained in:
Alan Stokes
2020-08-04 07:56:42 +00:00
committed by Android (Google) Code Review
parent b20a507711 f654371d53
commit 56dc3f4122
1 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
core/java/android/app/LoadedApk.java
View File

@@ -802,12 +802,9 @@ public final class LoadedApk {
makePaths(mActivityThread, isBundledApp, mApplicationInfo, zipPaths, libPaths);
String libraryPermittedPath = mDataDir;
if (mActivityThread == null) {
// In a zygote context where mActivityThread is null we can't access the app data dir
// and including this in libraryPermittedPath would cause SELinux denials.
libraryPermittedPath = "";
}
// Including an inaccessible dir in libraryPermittedPath would cause SELinux denials
// when the loader attempts to canonicalise the path. so we don't.
String libraryPermittedPath = canAccessDataDir() ? mDataDir : "";
if (isBundledApp) {
// For bundled apps, add the base directory of the app (e.g.,
@@ -951,6 +948,33 @@ public final class LoadedApk {
}
}
/**
* Return whether we can access the package's private data directory in order to be able to
* load code from it.
*/
private boolean canAccessDataDir() {
// In a zygote context where mActivityThread is null we can't access the app data dir.
if (mActivityThread == null) {
return false;
}
// A package can access its own data directory (the common case, so short-circuit it).
if (Objects.equals(mPackageName, ActivityThread.currentPackageName())) {
return true;
}
// Temporarily disable logging of disk reads on the Looper thread as this is necessary -
// and the loader will access the directory anyway if we don't check it.
StrictMode.ThreadPolicy oldPolicy = allowThreadDiskReads();
try {
// We are constructing a classloader for a different package. It is likely,
// but not certain, that we can't acccess its app data dir - so check.
return new File(mDataDir).canExecute();
} finally {
setThreadPolicy(oldPolicy);
}
}
@UnsupportedAppUsage
public ClassLoader getClassLoader() {
synchronized (this) {