diff --git a/android/neverallow.go b/android/neverallow.go index 6f9ae58d0..f87cebbc9 100644 --- a/android/neverallow.go +++ b/android/neverallow.go @@ -249,7 +249,7 @@ func neverallowMutator(ctx BottomUpMutatorContext) { continue } - if !n.appliesToProperties(ctx, properties) { + if !n.appliesToProperties(properties) { continue } @@ -261,20 +261,12 @@ func neverallowMutator(ctx BottomUpMutatorContext) { continue } - if !n.appliesToBootclasspathJar(ctx) { - continue - } - ctx.ModuleErrorf("violates " + n.String()) } } -type ValueMatcherContext interface { - Config() Config -} - type ValueMatcher interface { - Test(ValueMatcherContext, string) bool + Test(string) bool String() string } @@ -282,7 +274,7 @@ type equalMatcher struct { expected string } -func (m *equalMatcher) Test(ctx ValueMatcherContext, value string) bool { +func (m *equalMatcher) Test(value string) bool { return m.expected == value } @@ -293,7 +285,7 @@ func (m *equalMatcher) String() string { type anyMatcher struct { } -func (m *anyMatcher) Test(ctx ValueMatcherContext, value string) bool { +func (m *anyMatcher) Test(value string) bool { return true } @@ -307,7 +299,7 @@ type startsWithMatcher struct { prefix string } -func (m *startsWithMatcher) Test(ctx ValueMatcherContext, value string) bool { +func (m *startsWithMatcher) Test(value string) bool { return strings.HasPrefix(value, m.prefix) } @@ -319,7 +311,7 @@ type regexMatcher struct { re *regexp.Regexp } -func (m *regexMatcher) Test(ctx ValueMatcherContext, value string) bool { +func (m *regexMatcher) Test(value string) bool { return m.re.MatchString(value) } @@ -331,7 +323,7 @@ type notInListMatcher struct { allowed []string } -func (m *notInListMatcher) Test(ctx ValueMatcherContext, value string) bool { +func (m *notInListMatcher) Test(value string) bool { return !InList(value, m.allowed) } @@ -341,7 +333,7 @@ func (m *notInListMatcher) String() string { type isSetMatcher struct{} -func (m *isSetMatcher) Test(ctx ValueMatcherContext, value string) bool { +func (m *isSetMatcher) Test(value string) bool { return value != "" } @@ -351,19 +343,6 @@ func (m *isSetMatcher) String() string { var isSetMatcherInstance = &isSetMatcher{} -type sdkVersionMatcher struct { - condition func(ctx ValueMatcherContext, spec SdkSpec) bool - description string -} - -func (m *sdkVersionMatcher) Test(ctx ValueMatcherContext, value string) bool { - return m.condition(ctx, SdkSpecFromWithConfig(ctx.Config(), value)) -} - -func (m *sdkVersionMatcher) String() string { - return ".sdk-version(" + m.description + ")" -} - type ruleProperty struct { fields []string // e.x.: Vndk.Enabled matcher ValueMatcher @@ -397,8 +376,6 @@ type Rule interface { NotModuleType(types ...string) Rule - BootclasspathJar() Rule - With(properties, value string) Rule WithMatcher(properties string, matcher ValueMatcher) Rule @@ -514,12 +491,6 @@ func (r *rule) Because(reason string) Rule { return r } -// BootclasspathJar whether this rule only applies to Jars in the Bootclasspath -func (r *rule) BootclasspathJar() Rule { - r.onlyBootclasspathJar = true - return r -} - func (r *rule) String() string { s := []string{"neverallow requirements. Not allowed:"} if len(r.paths) > 0 { @@ -537,9 +508,6 @@ func (r *rule) String() string { if len(r.osClasses) > 0 { s = append(s, fmt.Sprintf("os class(es): %q", r.osClasses)) } - if r.onlyBootclasspathJar { - s = append(s, "in bootclasspath jar") - } if len(r.unlessPaths) > 0 { s = append(s, fmt.Sprintf("EXCEPT in dirs: %q", r.unlessPaths)) } @@ -580,14 +548,6 @@ func (r *rule) appliesToDirectDeps(ctx BottomUpMutatorContext) bool { return matches } -func (r *rule) appliesToBootclasspathJar(ctx BottomUpMutatorContext) bool { - if !r.onlyBootclasspathJar { - return true - } - - return InList(ctx.ModuleName(), ctx.Config().BootJars()) -} - func (r *rule) appliesToOsClass(osClass OsClass) bool { if len(r.osClasses) == 0 { return true @@ -606,10 +566,9 @@ func (r *rule) appliesToModuleType(moduleType string) bool { return (len(r.moduleTypes) == 0 || InList(moduleType, r.moduleTypes)) && !InList(moduleType, r.unlessModuleTypes) } -func (r *rule) appliesToProperties(ctx ValueMatcherContext, - properties []interface{}) bool { - includeProps := hasAllProperties(ctx, properties, r.props) - excludeProps := hasAnyProperty(ctx, properties, r.unlessProps) +func (r *rule) appliesToProperties(properties []interface{}) bool { + includeProps := hasAllProperties(properties, r.props) + excludeProps := hasAnyProperty(properties, r.unlessProps) return includeProps && !excludeProps } @@ -629,16 +588,6 @@ func NotInList(allowed []string) ValueMatcher { return ¬InListMatcher{allowed} } -func LessThanSdkVersion(sdk string) ValueMatcher { - return &sdkVersionMatcher{ - condition: func(ctx ValueMatcherContext, spec SdkSpec) bool { - return spec.ApiLevel.LessThan( - SdkSpecFromWithConfig(ctx.Config(), sdk).ApiLevel) - }, - description: "lessThan=" + sdk, - } -} - // assorted utils func cleanPaths(paths []string) []string { @@ -657,28 +606,25 @@ func fieldNamesForProperties(propertyNames string) []string { return names } -func hasAnyProperty(ctx ValueMatcherContext, properties []interface{}, - props []ruleProperty) bool { +func hasAnyProperty(properties []interface{}, props []ruleProperty) bool { for _, v := range props { - if hasProperty(ctx, properties, v) { + if hasProperty(properties, v) { return true } } return false } -func hasAllProperties(ctx ValueMatcherContext, properties []interface{}, - props []ruleProperty) bool { +func hasAllProperties(properties []interface{}, props []ruleProperty) bool { for _, v := range props { - if !hasProperty(ctx, properties, v) { + if !hasProperty(properties, v) { return false } } return true } -func hasProperty(ctx ValueMatcherContext, properties []interface{}, - prop ruleProperty) bool { +func hasProperty(properties []interface{}, prop ruleProperty) bool { for _, propertyStruct := range properties { propertiesValue := reflect.ValueOf(propertyStruct).Elem() for _, v := range prop.fields { @@ -692,7 +638,7 @@ func hasProperty(ctx ValueMatcherContext, properties []interface{}, } check := func(value string) bool { - return prop.matcher.Test(ctx, value) + return prop.matcher.Test(value) } if matchValue(propertiesValue, check) { diff --git a/android/neverallow_test.go b/android/neverallow_test.go index 59016d407..8afe9e046 100644 --- a/android/neverallow_test.go +++ b/android/neverallow_test.go @@ -327,48 +327,6 @@ var neverallowTests = []struct { "Only boot images may be imported as a makefile goal.", }, }, - { - name: "min_sdk too low", - fs: map[string][]byte{ - "Android.bp": []byte(` - java_library { - name: "min_sdk_too_low", - min_sdk_version: "30", - }`), - }, - rules: []Rule{ - NeverAllow().WithMatcher("min_sdk_version", LessThanSdkVersion("31")), - }, - expectedErrors: []string{ - "module \"min_sdk_too_low\": violates neverallow", - }, - }, - { - name: "min_sdk high enough", - fs: map[string][]byte{ - "Android.bp": []byte(` - java_library { - name: "min_sdk_high_enough", - min_sdk_version: "31", - }`), - }, - rules: []Rule{ - NeverAllow().WithMatcher("min_sdk_version", LessThanSdkVersion("31")), - }, - }, - { - name: "current min_sdk high enough", - fs: map[string][]byte{ - "Android.bp": []byte(` - java_library { - name: "current_min_sdk_high_enough", - min_sdk_version: "current", - }`), - }, - rules: []Rule{ - NeverAllow().WithMatcher("min_sdk_version", LessThanSdkVersion("31")), - }, - }, } var prepareForNeverAllowTest = GroupFixturePreparers( @@ -452,10 +410,9 @@ func (p *mockCcLibraryModule) GenerateAndroidBuildActions(ModuleContext) { } type mockJavaLibraryProperties struct { - Libs []string - Min_sdk_version *string - Sdk_version *string - Uncompress_dex *bool + Libs []string + Sdk_version *string + Uncompress_dex *bool } type mockJavaLibraryModule struct { diff --git a/apex/apex.go b/apex/apex.go index cb88f02f5..2fe17da59 100644 --- a/apex/apex.go +++ b/apex/apex.go @@ -3278,21 +3278,19 @@ func makeApexAvailableBaseline() map[string][]string { } func init() { - android.AddNeverAllowRules(createApexPermittedPackagesRules(qModulesPackages())...) - android.AddNeverAllowRules(createApexPermittedPackagesRules(rModulesPackages())...) + android.AddNeverAllowRules(createBcpPermittedPackagesRules(qBcpPackages())...) + android.AddNeverAllowRules(createBcpPermittedPackagesRules(rBcpPackages())...) } -func createApexPermittedPackagesRules(modules_packages map[string][]string) []android.Rule { - rules := make([]android.Rule, 0, len(modules_packages)) - for module_name, module_packages := range modules_packages { +func createBcpPermittedPackagesRules(bcpPermittedPackages map[string][]string) []android.Rule { + rules := make([]android.Rule, 0, len(bcpPermittedPackages)) + for jar, permittedPackages := range bcpPermittedPackages { permittedPackagesRule := android.NeverAllow(). - BootclasspathJar(). - With("apex_available", module_name). - WithMatcher("permitted_packages", android.NotInList(module_packages)). - WithMatcher("min_sdk_version", android.LessThanSdkVersion("Tiramisu")). - Because("jars that are part of the " + module_name + - " module may only use these package prefixes: " + strings.Join(module_packages, ",") + - " with min_sdk < T. Please consider the following alternatives:\n" + + With("name", jar). + WithMatcher("permitted_packages", android.NotInList(permittedPackages)). + Because(jar + + " bootjar may only use these package prefixes: " + strings.Join(permittedPackages, ",") + + ". Please consider the following alternatives:\n" + " 1. If the offending code is from a statically linked library, consider " + "removing that dependency and using an alternative already in the " + "bootclasspath, or perhaps a shared library." + @@ -3300,55 +3298,56 @@ func createApexPermittedPackagesRules(modules_packages map[string][]string) []an " 3. Jarjar the offending code. Please be mindful of the potential system " + "health implications of bundling that code, particularly if the offending jar " + "is part of the bootclasspath.") + rules = append(rules, permittedPackagesRule) } return rules } -// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART on Q/R/S. +// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART. // Adding code to the bootclasspath in new packages will cause issues on module update. -func qModulesPackages() map[string][]string { +func qBcpPackages() map[string][]string { return map[string][]string{ - "com.android.conscrypt": []string{ + "conscrypt": []string{ "android.net.ssl", "com.android.org.conscrypt", }, - "com.android.media": []string{ + "updatable-media": []string{ "android.media", }, } } -// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART on R/S. +// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART. // Adding code to the bootclasspath in new packages will cause issues on module update. -func rModulesPackages() map[string][]string { +func rBcpPackages() map[string][]string { return map[string][]string{ - "com.android.mediaprovider": []string{ + "framework-mediaprovider": []string{ "android.provider", }, - "com.android.permission": []string{ + "framework-permission": []string{ "android.permission", "android.app.role", "com.android.permission", "com.android.role", }, - "com.android.sdkext": []string{ + "framework-sdkextensions": []string{ "android.os.ext", }, - "com.android.os.statsd": []string{ + "framework-statsd": []string{ "android.app", "android.os", "android.util", "com.android.internal.statsd", "com.android.server.stats", }, - "com.android.wifi": []string{ + "framework-wifi": []string{ "com.android.server.wifi", "com.android.wifi.x", "android.hardware.wifi", "android.net.wifi", }, - "com.android.tethering": []string{ + "framework-tethering": []string{ "android.net", }, } diff --git a/apex/apex_test.go b/apex/apex_test.go index ec815c4c7..5706a2c76 100644 --- a/apex/apex_test.go +++ b/apex/apex_test.go @@ -7580,7 +7580,7 @@ func TestDexpreoptAccessDexFilesFromPrebuiltApex(t *testing.T) { }) } -func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) { +func testBootJarPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) { t.Helper() bp += ` apex_key { @@ -7619,11 +7619,11 @@ func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars [] func TestApexPermittedPackagesRules(t *testing.T) { testcases := []struct { - name string - expectedError string - bp string - bootJars []string - modulesPackages map[string][]string + name string + expectedError string + bp string + bootJars []string + bcpPermittedPackages map[string][]string }{ { @@ -7637,7 +7637,6 @@ func TestApexPermittedPackagesRules(t *testing.T) { apex_available: ["myapex"], sdk_version: "none", system_modules: "none", - min_sdk_version: "30", } java_library { name: "nonbcp_lib2", @@ -7646,25 +7645,23 @@ func TestApexPermittedPackagesRules(t *testing.T) { permitted_packages: ["a.b"], sdk_version: "none", system_modules: "none", - min_sdk_version: "30", } apex { name: "myapex", - min_sdk_version: "30", key: "myapex.key", java_libs: ["bcp_lib1", "nonbcp_lib2"], updatable: false, }`, bootJars: []string{"bcp_lib1"}, - modulesPackages: map[string][]string{ - "myapex": []string{ + bcpPermittedPackages: map[string][]string{ + "bcp_lib1": []string{ "foo.bar", }, }, }, { - name: "Bootclasspath apex jar not satisfying allowed module packages on Q.", - expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar with min_sdk < T. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`, + name: "Bootclasspath apex jar not satisfying allowed module packages.", + expectedError: `(?s)module "bcp_lib2" .* which is restricted because bcp_lib2 bootjar may only use these package prefixes: foo.bar. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`, bp: ` java_library { name: "bcp_lib1", @@ -7673,7 +7670,6 @@ func TestApexPermittedPackagesRules(t *testing.T) { permitted_packages: ["foo.bar"], sdk_version: "none", system_modules: "none", - min_sdk_version: "29", } java_library { name: "bcp_lib2", @@ -7682,102 +7678,67 @@ func TestApexPermittedPackagesRules(t *testing.T) { permitted_packages: ["foo.bar", "bar.baz"], sdk_version: "none", system_modules: "none", - min_sdk_version: "29", } apex { name: "myapex", - min_sdk_version: "29", key: "myapex.key", java_libs: ["bcp_lib1", "bcp_lib2"], updatable: false, } `, bootJars: []string{"bcp_lib1", "bcp_lib2"}, - modulesPackages: map[string][]string{ - "myapex": []string{ + bcpPermittedPackages: map[string][]string{ + "bcp_lib1": []string{ + "foo.bar", + }, + "bcp_lib2": []string{ "foo.bar", }, }, }, { - name: "Bootclasspath apex jar not satisfying allowed module packages on R.", - expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar with min_sdk < T. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`, - bp: ` - java_library { - name: "bcp_lib1", - srcs: ["lib1/src/*.java"], - apex_available: ["myapex"], - permitted_packages: ["foo.bar"], - sdk_version: "none", - system_modules: "none", - min_sdk_version: "30", - } - java_library { - name: "bcp_lib2", - srcs: ["lib2/src/*.java"], - apex_available: ["myapex"], - permitted_packages: ["foo.bar", "bar.baz"], - sdk_version: "none", - system_modules: "none", - min_sdk_version: "30", - } - apex { - name: "myapex", - min_sdk_version: "30", - key: "myapex.key", - java_libs: ["bcp_lib1", "bcp_lib2"], - updatable: false, - } - `, - bootJars: []string{"bcp_lib1", "bcp_lib2"}, - modulesPackages: map[string][]string{ - "myapex": []string{ - "foo.bar", - }, - }, - }, - { - name: "Bootclasspath apex jar >= T not satisfying Q/R/S allowed module packages.", + name: "Updateable Bootclasspath apex jar not satisfying allowed module packages.", expectedError: "", bp: ` java_library { - name: "bcp_lib1", + name: "bcp_lib_restricted", srcs: ["lib1/src/*.java"], apex_available: ["myapex"], permitted_packages: ["foo.bar"], sdk_version: "none", + min_sdk_version: "29", system_modules: "none", - min_sdk_version: "current", } java_library { - name: "bcp_lib2", + name: "bcp_lib_unrestricted", srcs: ["lib2/src/*.java"], apex_available: ["myapex"], permitted_packages: ["foo.bar", "bar.baz"], sdk_version: "none", + min_sdk_version: "29", system_modules: "none", - min_sdk_version: "current", } apex { name: "myapex", - min_sdk_version: "current", key: "myapex.key", - java_libs: ["bcp_lib1", "bcp_lib2"], - updatable: false, + java_libs: ["bcp_lib_restricted", "bcp_lib_unrestricted"], + updatable: true, + min_sdk_version: "29", } `, bootJars: []string{"bcp_lib1", "bcp_lib2"}, - modulesPackages: map[string][]string{ - "myapex": []string{ + bcpPermittedPackages: map[string][]string{ + "bcp_lib1_non_updateable": []string{ "foo.bar", }, + // bcp_lib2_updateable has no entry here since updateable bcp can contain new packages - tracking via an allowlist is not necessary }, }, } for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - rules := createApexPermittedPackagesRules(tc.modulesPackages) - testApexPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules) + rules := createBcpPermittedPackagesRules(tc.bcpPermittedPackages) + testBootJarPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules) }) } }