Change permitted_packages check to be per-jar rather than per-apex
(cherry-pick of ag/17524387 into aosp)
Summary:
- updates the Q and R maps, the new keys are the bcp jars and not the
apexes. neverallow build rules ensure that these bcp jars have a
restricted set of permitted_packages
- remove BootclasspathJar from the neverallow rule. This is no longer
necessary since the keys in the maps are the bootjars themselves, and
not apexes
Bug: 205289292
Test: In build/soong, go test ./apex
Change-Id: Icb91de934181a8b6f085e03a0ce8c5e08504ff94
Merged-In: Icb91de934181a8b6f085e03a0ce8c5e08504ff94
(cherry picked from commit 440ff96728)
This commit is contained in:
Spandan Das
parent
e1b1836939
commit
f14e254a28
3 changed files with 74 additions and 56 deletions
|
|
@ -261,10 +261,6 @@ func neverallowMutator(ctx BottomUpMutatorContext) {
|
|||
continue
|
||||
}
|
||||
|
||||
if !n.appliesToBootclasspathJar(ctx) {
|
||||
continue
|
||||
}
|
||||
|
||||
ctx.ModuleErrorf("violates " + n.String())
|
||||
}
|
||||
}
|
||||
|
|
@ -380,8 +376,6 @@ type Rule interface {
|
|||
|
||||
NotModuleType(types ...string) Rule
|
||||
|
||||
BootclasspathJar() Rule
|
||||
|
||||
With(properties, value string) Rule
|
||||
|
||||
WithMatcher(properties string, matcher ValueMatcher) Rule
|
||||
|
|
@ -497,12 +491,6 @@ func (r *rule) Because(reason string) Rule {
|
|||
return r
|
||||
}
|
||||
|
||||
// BootclasspathJar whether this rule only applies to Jars in the Bootclasspath
|
||||
func (r *rule) BootclasspathJar() Rule {
|
||||
r.onlyBootclasspathJar = true
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) String() string {
|
||||
s := []string{"neverallow requirements. Not allowed:"}
|
||||
if len(r.paths) > 0 {
|
||||
|
|
@ -520,9 +508,6 @@ func (r *rule) String() string {
|
|||
if len(r.osClasses) > 0 {
|
||||
s = append(s, fmt.Sprintf("os class(es): %q", r.osClasses))
|
||||
}
|
||||
if r.onlyBootclasspathJar {
|
||||
s = append(s, "in bootclasspath jar")
|
||||
}
|
||||
if len(r.unlessPaths) > 0 {
|
||||
s = append(s, fmt.Sprintf("EXCEPT in dirs: %q", r.unlessPaths))
|
||||
}
|
||||
|
|
@ -563,14 +548,6 @@ func (r *rule) appliesToDirectDeps(ctx BottomUpMutatorContext) bool {
|
|||
return matches
|
||||
}
|
||||
|
||||
func (r *rule) appliesToBootclasspathJar(ctx BottomUpMutatorContext) bool {
|
||||
if !r.onlyBootclasspathJar {
|
||||
return true
|
||||
}
|
||||
|
||||
return InList(ctx.ModuleName(), ctx.Config().BootJars())
|
||||
}
|
||||
|
||||
func (r *rule) appliesToOsClass(osClass OsClass) bool {
|
||||
if len(r.osClasses) == 0 {
|
||||
return true
|
||||
|
|
|
|||
40
apex/apex.go
40
apex/apex.go
|
|
@ -3278,19 +3278,18 @@ func makeApexAvailableBaseline() map[string][]string {
|
|||
}
|
||||
|
||||
func init() {
|
||||
android.AddNeverAllowRules(createApexPermittedPackagesRules(qModulesPackages())...)
|
||||
android.AddNeverAllowRules(createApexPermittedPackagesRules(rModulesPackages())...)
|
||||
android.AddNeverAllowRules(createBcpPermittedPackagesRules(qBcpPackages())...)
|
||||
android.AddNeverAllowRules(createBcpPermittedPackagesRules(rBcpPackages())...)
|
||||
}
|
||||
|
||||
func createApexPermittedPackagesRules(modules_packages map[string][]string) []android.Rule {
|
||||
rules := make([]android.Rule, 0, len(modules_packages))
|
||||
for module_name, module_packages := range modules_packages {
|
||||
func createBcpPermittedPackagesRules(bcpPermittedPackages map[string][]string) []android.Rule {
|
||||
rules := make([]android.Rule, 0, len(bcpPermittedPackages))
|
||||
for jar, permittedPackages := range bcpPermittedPackages {
|
||||
permittedPackagesRule := android.NeverAllow().
|
||||
BootclasspathJar().
|
||||
With("apex_available", module_name).
|
||||
WithMatcher("permitted_packages", android.NotInList(module_packages)).
|
||||
Because("jars that are part of the " + module_name +
|
||||
" module may only use these package prefixes: " + strings.Join(module_packages, ",") +
|
||||
With("name", jar).
|
||||
WithMatcher("permitted_packages", android.NotInList(permittedPackages)).
|
||||
Because(jar +
|
||||
" bootjar may only use these package prefixes: " + strings.Join(permittedPackages, ",") +
|
||||
". Please consider the following alternatives:\n" +
|
||||
" 1. If the offending code is from a statically linked library, consider " +
|
||||
"removing that dependency and using an alternative already in the " +
|
||||
|
|
@ -3299,6 +3298,7 @@ func createApexPermittedPackagesRules(modules_packages map[string][]string) []an
|
|||
" 3. Jarjar the offending code. Please be mindful of the potential system " +
|
||||
"health implications of bundling that code, particularly if the offending jar " +
|
||||
"is part of the bootclasspath.")
|
||||
|
||||
rules = append(rules, permittedPackagesRule)
|
||||
}
|
||||
return rules
|
||||
|
|
@ -3306,13 +3306,13 @@ func createApexPermittedPackagesRules(modules_packages map[string][]string) []an
|
|||
|
||||
// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
|
||||
// Adding code to the bootclasspath in new packages will cause issues on module update.
|
||||
func qModulesPackages() map[string][]string {
|
||||
func qBcpPackages() map[string][]string {
|
||||
return map[string][]string{
|
||||
"com.android.conscrypt": []string{
|
||||
"conscrypt": []string{
|
||||
"android.net.ssl",
|
||||
"com.android.org.conscrypt",
|
||||
},
|
||||
"com.android.media": []string{
|
||||
"updatable-media": []string{
|
||||
"android.media",
|
||||
},
|
||||
}
|
||||
|
|
@ -3320,34 +3320,34 @@ func qModulesPackages() map[string][]string {
|
|||
|
||||
// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
|
||||
// Adding code to the bootclasspath in new packages will cause issues on module update.
|
||||
func rModulesPackages() map[string][]string {
|
||||
func rBcpPackages() map[string][]string {
|
||||
return map[string][]string{
|
||||
"com.android.mediaprovider": []string{
|
||||
"framework-mediaprovider": []string{
|
||||
"android.provider",
|
||||
},
|
||||
"com.android.permission": []string{
|
||||
"framework-permission": []string{
|
||||
"android.permission",
|
||||
"android.app.role",
|
||||
"com.android.permission",
|
||||
"com.android.role",
|
||||
},
|
||||
"com.android.sdkext": []string{
|
||||
"framework-sdkextensions": []string{
|
||||
"android.os.ext",
|
||||
},
|
||||
"com.android.os.statsd": []string{
|
||||
"framework-statsd": []string{
|
||||
"android.app",
|
||||
"android.os",
|
||||
"android.util",
|
||||
"com.android.internal.statsd",
|
||||
"com.android.server.stats",
|
||||
},
|
||||
"com.android.wifi": []string{
|
||||
"framework-wifi": []string{
|
||||
"com.android.server.wifi",
|
||||
"com.android.wifi.x",
|
||||
"android.hardware.wifi",
|
||||
"android.net.wifi",
|
||||
},
|
||||
"com.android.tethering": []string{
|
||||
"framework-tethering": []string{
|
||||
"android.net",
|
||||
},
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7580,7 +7580,7 @@ func TestDexpreoptAccessDexFilesFromPrebuiltApex(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
|
||||
func testBootJarPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
|
||||
t.Helper()
|
||||
bp += `
|
||||
apex_key {
|
||||
|
|
@ -7619,11 +7619,11 @@ func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []
|
|||
|
||||
func TestApexPermittedPackagesRules(t *testing.T) {
|
||||
testcases := []struct {
|
||||
name string
|
||||
expectedError string
|
||||
bp string
|
||||
bootJars []string
|
||||
modulesPackages map[string][]string
|
||||
name string
|
||||
expectedError string
|
||||
bp string
|
||||
bootJars []string
|
||||
bcpPermittedPackages map[string][]string
|
||||
}{
|
||||
|
||||
{
|
||||
|
|
@ -7653,15 +7653,15 @@ func TestApexPermittedPackagesRules(t *testing.T) {
|
|||
updatable: false,
|
||||
}`,
|
||||
bootJars: []string{"bcp_lib1"},
|
||||
modulesPackages: map[string][]string{
|
||||
"myapex": []string{
|
||||
bcpPermittedPackages: map[string][]string{
|
||||
"bcp_lib1": []string{
|
||||
"foo.bar",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Bootclasspath apex jar not satisfying allowed module packages.",
|
||||
expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
|
||||
expectedError: `(?s)module "bcp_lib2" .* which is restricted because bcp_lib2 bootjar may only use these package prefixes: foo.bar. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
|
||||
bp: `
|
||||
java_library {
|
||||
name: "bcp_lib1",
|
||||
|
|
@ -7687,17 +7687,58 @@ func TestApexPermittedPackagesRules(t *testing.T) {
|
|||
}
|
||||
`,
|
||||
bootJars: []string{"bcp_lib1", "bcp_lib2"},
|
||||
modulesPackages: map[string][]string{
|
||||
"myapex": []string{
|
||||
bcpPermittedPackages: map[string][]string{
|
||||
"bcp_lib1": []string{
|
||||
"foo.bar",
|
||||
},
|
||||
"bcp_lib2": []string{
|
||||
"foo.bar",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Updateable Bootclasspath apex jar not satisfying allowed module packages.",
|
||||
expectedError: "",
|
||||
bp: `
|
||||
java_library {
|
||||
name: "bcp_lib_restricted",
|
||||
srcs: ["lib1/src/*.java"],
|
||||
apex_available: ["myapex"],
|
||||
permitted_packages: ["foo.bar"],
|
||||
sdk_version: "none",
|
||||
min_sdk_version: "29",
|
||||
system_modules: "none",
|
||||
}
|
||||
java_library {
|
||||
name: "bcp_lib_unrestricted",
|
||||
srcs: ["lib2/src/*.java"],
|
||||
apex_available: ["myapex"],
|
||||
permitted_packages: ["foo.bar", "bar.baz"],
|
||||
sdk_version: "none",
|
||||
min_sdk_version: "29",
|
||||
system_modules: "none",
|
||||
}
|
||||
apex {
|
||||
name: "myapex",
|
||||
key: "myapex.key",
|
||||
java_libs: ["bcp_lib_restricted", "bcp_lib_unrestricted"],
|
||||
updatable: true,
|
||||
min_sdk_version: "29",
|
||||
}
|
||||
`,
|
||||
bootJars: []string{"bcp_lib1", "bcp_lib2"},
|
||||
bcpPermittedPackages: map[string][]string{
|
||||
"bcp_lib1_non_updateable": []string{
|
||||
"foo.bar",
|
||||
},
|
||||
// bcp_lib2_updateable has no entry here since updateable bcp can contain new packages - tracking via an allowlist is not necessary
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tc := range testcases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
rules := createApexPermittedPackagesRules(tc.modulesPackages)
|
||||
testApexPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
|
||||
rules := createBcpPermittedPackagesRules(tc.bcpPermittedPackages)
|
||||
testBootJarPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue