From 23b2d2e5312dbe5b361c848766ba8af62649d2f5 Mon Sep 17 00:00:00 2001
From: Vishwath Mohan
Date: Tue, 31 Oct 2017 02:25:16 -0700
Subject: [PATCH] CFI include/exclude path support (Make)
This CL adds the ability to centrally enable or disable CFI for components using either an environment or product config variable. This is a better, nore manageable option that enabling CFI across each component individually.
Bug: 67507323
Test: CFI_INCLUDE_PATHS= system/nfc m -j40
Test: CFI_EXCLUDE_PATHS = frameworks/av m -j40
Change-Id: I02fe1960a822c124fd101ab5419aa81e2dd51adf
---
 core/config_sanitizers.mk | 24 ++++++++++++++++++++++++
 core/product.mk | 4 ++--
 core/product_config.mk | 8 ++++++++
 core/soong_config.mk | 2 ++
 4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index fce0b5a8b5..8bd92486e0 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -34,6 +34,18 @@ ifneq ($(filter integer_overflow, $(my_global_sanitize)),)
 endif
 endif
+# Disable global CFI in excluded paths
+ifneq ($(filter cfi, $(my_global_sanitize)),)
+ combined_exclude_paths := $(CFI_EXCLUDE_PATHS) \
+ $(PRODUCT_CFI_EXCLUDE_PATHS)
+
+ ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_exclude_paths)),\
+ $(filter $(dir)%,$(LOCAL_PATH)))),)
+ my_global_sanitize := $(filter-out cfi,$(my_global_sanitize))
+ my_global_sanitize_diag := $(filter-out cfi,$(my_global_sanitize_diag))
+ endif
+endif
+
 ifneq ($(my_global_sanitize),)
 my_sanitize := $(my_global_sanitize) $(my_sanitize)
 endif
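Review bot: The exclusion test `$(filter $(dir)%,$(LOCAL_PATH))` is a bare string-prefix match, so an entry such as `frameworks/av` would also match a hypothetical sibling directory like `frameworks/avfoo` and drop `cfi` from modules nobody meant to exempt. Because this branch removes a hardening option, anchor the match on a path boundary, e.g. `$(filter $(patsubst %/,%,$(dir)) $(patsubst %/,%,$(dir))/%,$(LOCAL_PATH))`. The include-path block added in the next hunk of this file uses the same pattern and would over-match in the same way. `combined_exclude_paths` is also assigned without the `my_` prefix that the surrounding per-module variables carry, so it presumably outlives the module being processed; a name such as `my_cfi_exclude_paths` would fit the file better.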
@@ -84,6 +96,18 @@ ifeq ($(LOCAL_SANITIZE),never)
 my_sanitize_diag :=
 endif
+# Enable CFI in included paths.
+ifeq ($(filter cfi, $(my_sanitize)),)
+ combined_include_paths := $(CFI_INCLUDE_PATHS) \
+ $(PRODUCT_CFI_INCLUDE_PATHS)
+
+ ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
+ $(filter $(dir)%,$(LOCAL_PATH)))),)
+ my_sanitize := cfi $(my_sanitize)
+ my_sanitize_diag := cfi $(my_sanitize_diag)
+ endif
+endif
+
 # If CFI is disabled globally, remove it from my_sanitize.
 ifeq ($(strip $(ENABLE_CFI)),false)
 my_sanitize := $(filter-out cfi,$(my_sanitize))
diff --git a/core/product.mk b/core/product.mk
index 03098b7f2f..c01a856f73 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -146,8 +146,8 @@ _product_var_list := \
 PRODUCT_MINIMIZE_JAVA_DEBUG_INFO \
 PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS \
 PRODUCT_ADB_KEYS \
-
-
+ PRODUCT_CFI_INCLUDE_PATHS \
+ PRODUCT_CFI_EXCLUDE_PATHS \
 define dump-product
 $(info ==== $(1) ====)\
diff --git a/core/product_config.mk b/core/product_config.mk
index 3879036363..4e2d5aefbf 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -472,3 +472,11 @@ ifneq ($(filter-out 0 1,$(words $(PRODUCT_ADB_KEYS))),)
 $(error Only one file may be in PRODUCT_ADB_KEYS: $(PRODUCT_ADB_KEYS))
 endif
 .KATI_READONLY := PRODUCT_ADB_KEYS
+
+# Whether any paths are excluded from sanitization when SANITIZE_TARGET=cfi
+PRODUCT_CFI_EXCLUDE_PATHS := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_CFI_EXCLUDE_PATHS))
+
+# Whether any paths should have CFI enabled for components
+PRODUCT_CFI_INCLUDE_PATHS := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_CFI_INCLUDE_PATHS))
diff --git a/core/soong_config.mk b/core/soong_config.mk
index 41e2382d8e..5ebd12311e 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
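Review bot: The include block in core/config_sanitizers.mk runs after the `ifeq ($(LOCAL_SANITIZE),never)` section shown in the context, which has just emptied `my_sanitize`, so the `ifeq ($(filter cfi, $(my_sanitize)),)` test is true for those modules and `cfi` is added back to a module that opted out of all sanitizers. If that is not intended, wrap the block in `ifneq ($(LOCAL_SANITIZE),never)` … `endif` or move it above the `never` check. The block also prepends `cfi` to `my_sanitize_diag`; if diagnostics mode makes CFI violations recoverable rather than fatal (not visible in this hunk), path-included modules get a weaker mode than a module that lists `cfi` in `LOCAL_SANITIZE` itself, so either drop that line or add a comment stating that it is deliberate. The `ENABLE_CFI` conditional that follows continues outside the hunk.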
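Review bot: Both comments added in core/product_config.mk describe the variables as a yes/no setting (`Whether any paths are …`), but each holds a list of path prefixes that config_sanitizers.mk matches against `LOCAL_PATH`; wording such as `# Path prefixes for which CFI is disabled even when SANITIZE_TARGET includes cfi` and `# Path prefixes for which CFI is enabled by default` would say so. Unlike `PRODUCT_ADB_KEYS` directly above, neither variable is followed by a `.KATI_READONLY := …` line, so a later makefile could presumably still rewrite the exclude list. Adding `.KATI_READONLY := PRODUCT_CFI_EXCLUDE_PATHS` and `.KATI_READONLY := PRODUCT_CFI_INCLUDE_PATHS` would keep a product's CFI scope fixed once product configuration is done.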
@@ -90,6 +90,8 @@ $(call add_json_list, SanitizeDeviceArch, $(SANITIZE_TARGET_ARCH)
 $(call add_json_bool, Safestack, $(filter true,$(USE_SAFESTACK)))
 $(call add_json_bool, EnableCFI, $(call invert_bool,$(filter false,$(ENABLE_CFI))))
+$(call add_json_list, CFIExcludePaths, $(CFI_EXCLUDE_PATHS) $(PRODUCT_CFI_EXCLUDE_PATHS))
+$(call add_json_list, CFIIncludePaths, $(CFI_INCLUDE_PATHS) $(PRODUCT_CFI_INCLUDE_PATHS))
 $(call add_json_list, IntegerOverflowExcludePaths, $(INTEGER_OVERFLOW_EXCLUDE_PATHS) $(PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS))
 $(call add_json_bool, ClangTidy, $(filter 1 true,$(WITH_TIDY)))
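Review bot: `CFIExcludePaths` and `CFIIncludePaths` are passed to `add_json_list` as raw lists, while core/config_sanitizers.mk in this same commit first runs `$(subst $(comma),$(space),…)` over the same variables. Unless `add_json_list` or the Soong side splits on commas (not visible here), a comma-separated `CFI_EXCLUDE_PATHS` would exempt different modules in Make than in Soong, leaving the CFI coverage of one build inconsistent. Consider normalising in both lines, e.g. `$(subst $(comma),$(space),$(CFI_EXCLUDE_PATHS) $(PRODUCT_CFI_EXCLUDE_PATHS))`. The existing `IntegerOverflowExcludePaths` line uses the same raw form.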