diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk index d837c6ebb4..252e812b19 100644 --- a/core/config_sanitizers.mk +++ b/core/config_sanitizers.mk @@ -140,6 +140,10 @@ ifeq ($(filter memtag_heap, $(my_sanitize)),) $(PRODUCT_MEMTAG_HEAP_ASYNC_INCLUDE_PATHS) combined_exclude_paths := $(MEMTAG_HEAP_EXCLUDE_PATHS) \ $(PRODUCT_MEMTAG_HEAP_EXCLUDE_PATHS) + ifneq ($(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS),true) + combined_sync_include_paths += $(PRODUCT_MEMTAG_HEAP_SYNC_DEFAULT_INCLUDE_PATHS) + combined_async_include_paths += $(PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS) + endif ifeq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_exclude_paths)),\ $(filter $(dir)%,$(LOCAL_PATH)))),) diff --git a/core/product.mk b/core/product.mk index 6f54b78914..7e67dcdf7e 100644 --- a/core/product.mk +++ b/core/product.mk @@ -247,6 +247,16 @@ _product_list_vars += PRODUCT_CFI_EXCLUDE_PATHS # Whether any paths should have HWASan enabled for components _product_list_vars += PRODUCT_HWASAN_INCLUDE_PATHS +# Whether any paths should have Memtag_heap enabled for components +_product_list_vars += PRODUCT_MEMTAG_HEAP_ASYNC_INCLUDE_PATHS +_product_list_vars += PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS +_product_list_vars += PRODUCT_MEMTAG_HEAP_SYNC_INCLUDE_PATHS +_product_list_vars += PRODUCT_MEMTAG_HEAP_SYNC_DEFAULT_INCLUDE_PATHS +_product_list_vars += PRODUCT_MEMTAG_HEAP_EXCLUDE_PATHS + +# Whether this product wants to start with an empty list of default memtag_heap include paths +_product_single_value_vars += PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS + # Whether the Scudo hardened allocator is disabled platform-wide _product_single_value_vars += PRODUCT_DISABLE_SCUDO diff --git a/core/soong_config.mk b/core/soong_config.mk index 6383393db6..6c613d69b6 100644 --- a/core/soong_config.mk +++ b/core/soong_config.mk 
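Review bot: The opt-out gate on the added `ifneq ($(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS),true)` line is an exact string comparison, while the same decision in core/soong_config.mk is made with `$(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS))`, which also accepts a value carrying stray whitespace; a product whose value is not exactly `true` would drop the defaults on the Soong side but still get them appended here, so the two builds would tag a different set of modules. Use the same test in both places, e.g. `ifeq ($(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS)),)`, and add a one-line comment above it such as `# Recommended defaults (target/product/memtag-common.mk) are opt-out per product.` The enclosing `ifeq ($(filter memtag_heap, $(my_sanitize)),)` block and the definitions of `combined_sync_include_paths`/`combined_async_include_paths` that these lines append to begin outside the hunk.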
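Review bot: The comment introducing the five new list variables in core/product.mk does not say what distinguishes the `*_DEFAULT_INCLUDE_PATHS` lists from the plain `*_INCLUDE_PATHS` ones, and the distinction is the whole point of the `PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS` knob declared a few lines below. As the gating in core/soong_config.mk shows, the non-DEFAULT lists are always honoured while the DEFAULT lists are dropped when the skip variable is `true`; state that next to the declarations, e.g. `# *_DEFAULT_INCLUDE_PATHS carry the recommended set (target/product/memtag-common.mk) and are ignored when PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS is true; the other lists always apply.` It would also help to say whether `PRODUCT_MEMTAG_HEAP_EXCLUDE_PATHS` wins over an include path, since that precedence is not visible from these declarations.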
@@ -116,8 +116,8 @@ $(call add_json_list, IntegerOverflowExcludePaths, $(INTEGER_OVERFLOW_EXCL $(call add_json_list, HWASanIncludePaths, $(HWASAN_INCLUDE_PATHS) $(PRODUCT_HWASAN_INCLUDE_PATHS)) $(call add_json_list, MemtagHeapExcludePaths, $(MEMTAG_HEAP_EXCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_EXCLUDE_PATHS)) -$(call add_json_list, MemtagHeapAsyncIncludePaths, $(MEMTAG_HEAP_ASYNC_INCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_ASYNC_INCLUDE_PATHS)) -$(call add_json_list, MemtagHeapSyncIncludePaths, $(MEMTAG_HEAP_SYNC_INCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_SYNC_INCLUDE_PATHS)) +$(call add_json_list, MemtagHeapAsyncIncludePaths, $(MEMTAG_HEAP_ASYNC_INCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_ASYNC_INCLUDE_PATHS) $(if $(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS)),,$(PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS))) +$(call add_json_list, MemtagHeapSyncIncludePaths, $(MEMTAG_HEAP_SYNC_INCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_SYNC_INCLUDE_PATHS) $(if $(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS)),,$(PRODUCT_MEMTAG_HEAP_SYNC_DEFAULT_INCLUDE_PATHS))) $(call add_json_bool, DisableScudo, $(filter true,$(PRODUCT_DISABLE_SCUDO))) diff --git a/target/product/media_system.mk b/target/product/media_system.mk index 79bd74a01c..38ba21989d 100644 --- a/target/product/media_system.mk +++ b/target/product/media_system.mk @@ -76,3 +76,7 @@ PRODUCT_VENDOR_PROPERTIES += \ # Enable CFI for security-sensitive components $(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) $(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk) + +# Enable MTE for security-sensitive components +$(call inherit-product, $(SRC_TARGET_DIR)/product/memtag-common.mk) +$(call inherit-product-if-exists, vendor/google/products/memtag-vendor.mk) diff --git a/target/product/memtag-common.mk b/target/product/memtag-common.mk new file mode 100644 index 0000000000..829cb41c93 --- /dev/null +++ b/target/product/memtag-common.mk 
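Review bot: The two rewritten `add_json_list` calls each embed the full `$(if $(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS)),,…)` expression inline, which makes two already long lines harder to read and means the opt-out rule lives in two copies (three counting the `ifneq` in core/config_sanitizers.mk) that can drift apart. Evaluating the gated default lists once into named variables keeps the rule in one place and leaves the `add_json_list` lines as plain concatenations. Whether the skip variable is already final at this point in core/soong_config.mk is not visible from the hunk; the hoisted assignments should sit immediately above the calls so that is unchanged.
```make
# Products opt out of the recommended memtag_heap paths with PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS := true.
memtag_heap_default_async_paths := $(if $(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS)),,$(PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS))
memtag_heap_default_sync_paths := $(if $(filter true,$(PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS)),,$(PRODUCT_MEMTAG_HEAP_SYNC_DEFAULT_INCLUDE_PATHS))
$(call add_json_list, MemtagHeapAsyncIncludePaths, $(MEMTAG_HEAP_ASYNC_INCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_ASYNC_INCLUDE_PATHS) $(memtag_heap_default_async_paths))
$(call add_json_list, MemtagHeapSyncIncludePaths, $(MEMTAG_HEAP_SYNC_INCLUDE_PATHS) $(PRODUCT_MEMTAG_HEAP_SYNC_INCLUDE_PATHS) $(memtag_heap_default_sync_paths))
# … unchanged: DisableScudo and the remaining add_json_* calls …
```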
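Review bot: The new comment `# Enable MTE for security-sensitive components` in target/product/media_system.mk overstates what the inherited file does: target/product/memtag-common.mk only populates `PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS`, so only the async memtag_heap list is seeded and the sync list stays empty, and a product can still discard the whole set with `PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS := true`. A comment that says so saves the next reader a trip through the sanitizer config, e.g. `# Seed the recommended memtag_heap (async) path list; products may opt out with PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS := true`. The `inherit-product-if-exists` for the vendor file mirrors the CFI pair above it; if the vendor file is expected to add to the same list rather than replace it, note that too. The hunk runs to the end of the file.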
@@ -0,0 +1,30 @@ +# Copyright (C) 2023 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# This is a recommended set of common components to enable MTE for. + +PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS := \ + external/android-clat \ + external/iproute2 \ + external/iptables \ + external/mtpd \ + external/ppp \ + hardware/st/nfc \ + hardware/st/secure_element \ + hardware/st/secure_element2 \ + packages/modules/StatsD \ + system/bpf \ + system/netd/netutil_wrappers \ + system/netd/server diff --git a/target/product/module_common.mk b/target/product/module_common.mk index 84bd799570..53b2ca6703 100644 --- a/target/product/module_common.mk +++ b/target/product/module_common.mk @@ -17,6 +17,7 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/default_art_config.mk) $(call inherit-product, $(SRC_TARGET_DIR)/product/languages_default.mk) $(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) +$(call inherit-product, $(SRC_TARGET_DIR)/product/memtag-common.mk) # Enables treble, which enabled certain -D compilation flags. In particular, libhidlbase # uses -DENFORCE_VINTF_MANIFEST. See b/185759877
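Review bot: The header comment `# This is a recommended set of common components to enable MTE for.` in the new target/product/memtag-common.mk does not say which list it feeds or how it is consumed, and both matter for anyone extending it: only `PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS` is set, so these paths get the async flavour of memtag_heap, the list is subject to `PRODUCT_MEMTAG_HEAP_EXCLUDE_PATHS` and to the per-product `PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS := true` opt-out, and the entries are source-tree directories rather than module names. If include paths are matched by prefix the way the exclude check in core/config_sanitizers.mk matches `$(filter $(dir)%,$(LOCAL_PATH))`, an entry such as `external/ppp` would also cover any sibling directory sharing that prefix; that is worth confirming and stating, since it changes which code is tagged. Suggested wording for the header: `# Recommended source paths to build with memtag_heap in async mode (feeds PRODUCT_MEMTAG_HEAP_ASYNC_DEFAULT_INCLUDE_PATHS). Paths are matched against LOCAL_PATH; PRODUCT_MEMTAG_HEAP_EXCLUDE_PATHS still applies, and products opt out entirely with PRODUCT_MEMTAG_HEAP_SKIP_DEFAULT_PATHS := true.`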