This page describes the directory layout for devices running Android 8.0 and higher, VNDK rules, and associated sepolicy.
Directory layout
The Degenerated Directory Layout consists of the following directories:
/system/lib[64]contains all framework shared libraries, including LL-NDK, VNDK, and framework-only libraries (including LL-NDK-Private and some libraries with the same names as the ones in VNDK-SP)./system/lib[64]/vndk-spcontains VNDK-SP libraries for same-process HALs./vendor/lib[64]contains the extended VNDK libraries (either DXUA or DXUX VNDK libraries), same-process HAL implementations, and other vendor shared libraries./vendor/lib[64]/vndk-spmay contain extra libraries that are used by VNDK-SP libraries.
Vendor modules load the VNDK libraries from /system/lib[64].
VNDK rules
This section provides a comprehensive list of VNDK rules:
- Framework processes must not load non-SP-HAL shared libraries from vendor partitions (not strictly enforced in Android O but will be in a future release).
- Vendor processes must not load non-LL-NDK, non-VNDK-SP, and non-VNDK libraries from the system partition. (not strictly enforced in Android O but will be in a future release).
- Installed VNDK libraries must be a subset of Google-defined eligible VNDK libraries.
- The outer dependencies of SP-HAL and SP-HAL-Dep must be restricted to
LL-NDK or Google-defined VNDK-SP libraries.
- The dependencies of an SP-HAL shared library must be restricted to LL-NDK libraries, Google-defined VNDK-SP libraries, other SP-HAL libraries, and/or other vendor shared libraries that can be labeled as SP-HAL-Dep libraries.
- A vendor shared library can be labeled as a SP-HAL-Dep library only if it is not an AOSP library and its dependencies are restricted to LL-NDK libraries, Google-defined VNDK-SP libraries, SP-HAL libraries, and/or other SP-HAL-Dep libraries.
- VNDK-SP must be self-contained.
libRS_internal.sogets special treatment in Android 8.0, but will be revisited in a future release. - No framework-vendor communication through non-HIDL interfaces, including (but not limited to) binder, sockets, shared memories, files, etc.
- The size of the system partition must be large enough to contain two copies of all eligible VNDK libraries and a copy of ineligible framework shared libraries.
sepolicy
Framework processes described in this section correspond to
coredomain in sepolicies while vendor processes correspond to
non-coredomain. For example, /dev/binder can be
accessed only in coredomain and /dev/vndbinder can be
accessed only in non-coredomain.
Similar policies restrict the access to the shared libraries on system and vendor partitions. The following table shows the rights to access shared libraries of different categories:
| Category | Partition | Accessible from coredomain |
Accessible from non-coredomain |
|---|---|---|---|
| LL-NDK | System | Y | Y |
| LL-NDK-Private | System | Y | Y |
| VNDK-SP/VNDK-SP-Private | System | Y | Y |
| VNDK-SP-Ext | Vendor | Y | Y |
| VNDK | System | Y | Y |
| VNDK-Ext | Vendor | N | Y |
| FWK-ONLY | System | Y | N |
| FWK-ONLY-RS | System | Y | N |
| SP-HAL | Vendor | Y | Y |
| SP-HAL-Dep | Vendor | Y | Y |
| VND-ONLY | Vendor | N | Y |
LL-NDK-Private and VNDK-SP-Private must be
accessible from both domains because non-coredomain will
indirectly access them. Similarly, SP-HAL-Dep must be accessible from
coredomain because SP-HAL relies on it.